It’s always interesting to get expert feedback on a particular subject - especially if it involves something high profile like the iPhone. Mike Hawkes, who is CTO of mobile security experts Broca Communications - and also the security expert in the Exec Committee of the Mobile Data Association - has been in touch, and has this to say.
- - - -
It’s interesting to note that it took only two months from the iPhone’s launch to hackers publishing methods describing how to install applications and access core components within the operating system. Within a couple of weeks of the initial ‘hack’, instructions appeared defining how to unlock the iPhone and use it on other networks. Rumours have it that the iPhone was cracked by a small group of teenagers using college resources in the USA.
This demonstrates how device manufacturers struggle to produce secure handsets – with the right equipment and a little know-how, anyone can obtain access to lower-level functions in a handset and change the way they operate. Part of the challenge for the iPhone was that Apple chose to release the device via a single network. In some ways, this helped publicise the iPhone as many bloggers complained bitterly about expensive data plans and limits imposed by Apple and the US telcos. This kept the device in the public eye and some could also argue that the attempts to crack the device helped keep the publicity engine ticking.
Now that Apple is launching the iPhone in Europe, much is made of the lack of support for 3G or high-speed data access. Given the maturity of the mobile data market in Europe, I remain sceptical as to whether a new user interface is enough to draw large numbers of people away from much more competent devices from companies such as Nokia and Sony Ericsson. Much now relies on ongoing advertising and Apple maintaining a ‘style war’ on their competition – in my opinion, Apple users may adopt the iPhone because it’s an Apple, not because of the underlying technology.
Kudos must go to Apple as it has managed to make headlines by introducing a new mobile device into an already saturated market. The company has also chosen to implement a very limited subset of technologies and restrict application development. The ‘other 3G’ content providers (Girls, Gaming and Gambling), are likely to struggle to support the iPhone and many I have spoken to are unwilling to update portal software or deployment services to support one device without a compelling commercial reason. This, in turn, may affect the device’s appeal for m-commerce and more serious application developers.
From a security viewpoint, the iPhone is no different to any other mobile device. Hackers have already demonstrated the ability to download and execute hostile code – and, as we noted in the past, Apple made itself a target for this type of attack by attempting to prevent programmers from installing code on the device. As with most radio devices, it is also vulnerable to fake-cell (man-in-the-middle), key phishing and over-the-air data theft, making it no better than its competition. Some could argue that by locking application developers out of the loop, the iPhone could run a higher risk of viral attack as anti-virus software is more difficult to provide.
All in all, the iPhone is a mobile device and I find it difficult to get excited about what, on the face of it, is a less well connected communications device. Its security model has weaknesses and there are many people out to prove that they can, from a software perspective, break the device wide open. The same rules apply to the iPhone as to any other device – turn off anything you don’t need; keep it password protected (and locked when not in use); and never accept or install anything unless you trust the source.
- - - -
Interesting thoughts, thanks Mike. What do you think? Feedback and comments welcome as always.
Comment by Loulou on 19 September 2007:
Just curious like, but how many people do you know that have been attacked by a virus on a phone?
A decade in the mobile industry doing and installing all kinds of stuff from the sublime to the ridiculous on literally hundreds of handsets, using phones to the full capacity of their functionality … and nada. Nowt. Fook and all.
As for advice on applications and installs, there is so much red tape and hoops you have to jump through to get apps onto UK networks (security certificates, NTSL approval, partnerships etc etc) that I’m surprised a text can come onto a phone these days, let alone malicious software!
As for the “I have unlocked it to run on a different network” stuff - I view it in the same way as overclocking a PC - if it’s trying to do something for which it wasn’t designed, then don’t be surprised if apps and virii find themselves on there!
Comment by Mike Hawkes on 19 September 2007:
Thanks for the comment - yes, I agree entirely: few virus attacks are available for mobiles thanks to the excellent job the networks do in protecting their customers. I think it’s fair to say that a fair chunk of this protection disappears when you connect via WiFi or Bluetooth (indeed, the most prolific virus to date is spread by Bluetooth).
I also think we’re in agreement with the principle that if you install something or change the way the handset operates, then you expose yourself to risks. I recently took a train journey into London and ran a Bluetooth push utility off my laptop. Out of 8 devices discovered, 6 users accepted the Broca logo … they had no idea what they were accepting prior to it arriving. Advertisers are now using this to push, for example, coffee discount vouchers or ticket offers to any device in Bluetooth range - encouraging users to accept untrusted content. That’s why I made the comments I did with respect to turning off interfaces not in use and never accepting content of unknown origin.
However, we move away from the main point of my comment: is the iPhone more or less secure than any other mobile device? No. Can it do more than any other mobile? No. Does it protect users more than any other? No. In a security context, there’s little to get excited about. It’s just another mobile with a virtually identical risk profile.
I just think there’s more marketing hype than real substance to the iPhone - but we should expect nothing less: that’s where Apple excels! I hope that Apple continue their success with the iPhone and that people enjoy using the new user interface. If it brings more usable mobile services into the market then I welcome that. Hopefully, it will also demonstrate that there are other data entry mechanisms on small devices than ever smaller buttons.
Purely personal comments, I know, but I think I’ll probably hold back for version two of the iPhone as it’s likely to include the missing EU network protocols and will, hopefully, provide a network-free API. Good luck Apple - it’s good to see another manufacturer bringing innovation - perhaps the next one might even excite me enough to make me move away from my trusty clockwork phone … in the meantime … where did I put the winding handle?
Mike