An End To Exploit-Based Development On The iPhone? - InformationWeek

Apple CEO Steve Jobs explains the SDK shipping in February will help third-party partners and protect iPhone users from malicious programs.

With the upcoming introduction of an Apple-sanctioned iPhone software development kit in February, mobile application developers will no longer have to exploit a vulnerability to write iPhone applications.

Until then, determined developers may continue looking to the work of security researcher H.D. Moore, who has written a recent series of blog posts about cracking the iPhone.

Moore, director of security at BreakingPoint Systems and creator of the Metasploit vulnerability testing tool, has published details about the exploit that third-party developers have been using to put applications on the iPhone against Apple's wishes.

"Using a security vulnerability to enable third-party development is nothing new, but in the case of iPhone, this can be a problem," Moore said in a blog post last week.

The problem is that the flaw isn't merely useful for iPhone developers who just can't wait for Apple to open the iPhone up; it's potentially useful for hackers.

In a statement Wednesday on the Apple Web site, Apple CEO Steve Jobs made it clear that Apple is concerned about iPhone vulnerabilities.

"Some claim that viruses and malware are not a problem on mobile phones -- this is simply not true," said Jobs. "There have been serious viruses on other mobile phones already, including some that silently spread from phone to phone over the cell network. As our phones become more powerful, these malicious programs will become more dangerous. And since the iPhone is the most advanced phone ever, it will be a highly visible target."

The exploit described by Moore takes advantage of a programming flaw in libtiff, the open-source TIFF image-rendering library. It has been tested on several iPhone applications that incorporate libtiff: MobileMail, MobileSafari, and the iTunes Music Store, under firmware versions 1.02 and 1.1.1.

As Secunia explained in a recent security advisory, "The vulnerability is caused due to an error in the processing of TIFF images and can potentially be exploited to execute arbitrary code when a specially crafted TIFF image is viewed, e.g. in the Safari Web browser."

People who use their iPhones to read e-mail or surf the Web could thus be targeted by hackers.

The vulnerability also affects Apple's iPod Touch.

Secunia rates the vulnerability as "highly critical," or 4 on a 5-point scale.

"We are working on an advanced system which will offer developers broad access to natively program the iPhone's amazing software platform while at the same time protecting users from malicious programs," said Jobs. "We think a few months of patience now will be rewarded by many years of great third party applications running on safe and reliable iPhones."
