updated 01:05 pm EST, Fri December 4, 2009
Undermines Apple position on jailbreaking
Factory-standard iPhones may be as vulnerable to security threats as jailbroken ones, says a Swiss iPhone developer, Nicolas Seriot. In newly-published research, the developer comments that a concept app called SpyPhone is capable of browsing web histories and GPS positions, as well as reading and editing Address Book contents. Crucially the vulnerability does not require exposing iPhone firmware by jailbreaking it.
A real-world attack would require the app to slip by Apple's approval process, which is partly geared towards catching malicious code. Seriot notes however that this is not inconceivable, as a coder could delay the activation of spyware functions, or simply use payload encryption. No exploits or third-party APIs would allegedly be needed.
Seriot argues that as a defense users should have to authorize Address Book access, and that iPhones themselves could stand to adopt firewalls. The latter would force Apple to cope with deteriorated performance.
Apple has traditionally fought against the freedom to jailbreak iPhones, primarily on the basis that it can open people to greater security risks. Several worms have in fact attacked jailbroken units. Others note that it is still relatively easy to guard liberated devices, and that Apple may be as concerned about retaining App Store profits as a safe user experience.