Apple is currently hiring and is in search of an iPhone OS platform security manager. What does the particular job consist of? Here is the low down:

The team is responsible for secure booting and installation of the OS, partitioning and hardening of security domains within the OS, cryptographic services, and risk analysis of security threats. The team is made up of a variety of security experts with backgrounds in system security and reverse engineering.

The more secure Apple makes the OS the harder it will become to find and use a particular exploit — for good, like our beloved jailbreak, or for evil, like we’ve seen with computer viruses, malware, etc.

Now don’t get us wrong, we are pretty sure that one person will not do away with our beloved jailbreak but this does raise some questions. Is Apple really concerned popular mobile devices will get attacked the way PCs do today? Or are they just done putting the practice of preventing jailbreaking (and the unlocking and app piracy that sometimes goes with it) on the back burner?

What do you think this may mean for the future of the jailbreak if anything? Sound off in the comments below!

[Job listing via Ars]

This is a story by the iPhone Blog. This feed is sponsored by The iPhone Blog Store.

Apple Seeking iPhone OS Platform Security Manager: What does this mean for Jailbreaking?

We’ve warned you previously about some of the security vulnerabilities that come with jailbreaking your iPhone. Turns out a Dutch hacker has gone and made a point to a countless number of jailbroken devices by using a port scanning technique along with some networking smarts. Then after he gained access to the jailbroken iPhones the rest was easy. All of the devices that were hacked had unchanged root passwords along with SSH enabled. You’d know if you were hacked if the following message popped up on your screen:

If you don’t pay, it’s fine by me, but remember, the way I got access to your iPhone can be used by thousands of others-they can send text messages from your number (like I did), use it to call or record your calls, and actually whatever they want, even use it for their hacking activities! I can assure you, I have no intention of harming you or whatever, but, some hackers do! It’s just my advice to secure your phone.

Like promised, no harm was done or will be done. It turns out the hacker just wanted to teach people a simple lesson – change your root passwords and disable SSH. He’s even been nice enough to post directions on how to make sure your jailbroken iPhone is not at risk.

[Via Gizmodo]

This is a story by the iPhone Blog. This feed is sponsored by The iPhone Blog Store.

Dutch Hacker Held Jailbroken iPhones Hostage Via Security Vulnerability

The cracking of GSM “encryption” has been making the inter-rounds lately, and this week on the Security Now! Podcast, Steve Gibson takes a look at how badly it’s broken, and what the potential risks are. In simple terms, it means what you say on your iPhone — or any GSM phone, which includes all phones on AT&T, T-Mobile, Rogers, and almost all phones internationally — can be intercepted, decrypted, and listened to if a person has several thousand dollars worth of equipment and the motivation to do it. In more complex terms:

So again, we’re now at the hobby level. We’re at the level where the hobbyist with a couple thousand dollars can – needs to know nothing about radio and even hardware. And even all of the preprocessing steps for demultiplexing the data and analyzing it and performing spectrum analysis and finding the channels and everything, all of that’s been done. There’s even some people have taken – they’re not at the GPL licensing, but they are – so they’re proprietary licenses, but free, but they’re open source and free for personal use, where turnkey packages to pull all this data together have been produced. There’s even one which abstracts this USRP, this Universal Software Radio Peripheral, making it look like a network device so that Wireshark, our favorite packet capture utility, is able to capture GSM packets and decode them and show you all the bits and all the protocols and everything going on in a stream that you capture.

So, I mean, we’re way far along in making this possible. In my opinion, this GSM Alliance is – they’re saying what they have to say politically; but, if they really believe what they’re saying, that they’re in serious denial because this is no longer James Bond government-level sci-fi stuff. It would be entirely possible for a company who wanted to do some surveillance of a competitor to equip a van with some of this equipment, spending only tens of thousands of dollars, park it across the street from a competitor, aim their antennas at the competitor’s building, and spend a day just streaming in, sucking in all of the cellphone traffic that is being transacted by the employees within the building, and then drive the van off and decrypt those conversations offline afterwards and find out what was being said. I mean, it is no longer difficult to do. It’s entirely possible.

It should be noted that the GSMA (GSM Alliance) seems to consider this attack theoretical and impractical for now. If you’re interested in more, check out the audio podcast [MP3 link] or the transcript.

This is a story by the iPhone Blog. This feed is sponsored by The iPhone Blog Store.

GSM Encryption Cracked: Know Your Risks

The Jailbreak and Unlock wizards behind the iPhone DevTeam are off to DEFCON 17, the security/hacking convention that juxtaposes Black Hat 2009, and have provided a set of tips to help those at the conferences (or anywhere really) avoid getting their iPhone hacked into. The tips are really targeted at Jailbroken iPhones, but some cross over to regular iPhone users as well.

Disable all your login cookies in Safari. If you use the hotel or conference wifi, it is 100% guaranteed that your traffic will be sniffed. If you allow a web site (like twitter.com) to store your login info in a cookie, and if you connect to that site through a normal http connection, your login info will be exposed. At the very least, you’ll end up on the Wall of Sheep. But you’ll be giving up your password to anyone else sniffing too.

They also advise avoiding any public Wi-Fi at hotels, conference centers, airports, etc. (and to tether instead), and either uninstalling or disabling SSH access, or at the very least changing the root and mobile password from Apple’s default.

They also provide their suggestions for talks that might interest the iPhone jailbreak community. If anyone attends, let us know how it goes via our iPhone Jailbreak and Unlock Forum. And If you have more pro tips, send them our way!

This is a story by the iPhone Blog. This feed is sponsored by The iPhone Blog Store.

Pro Tips: How to Secure Your Jailbroken (or Regular) iPhone Against Hackers

Apple has updated their MobileMe News “blog” with a helpful tip for added security, and for when that security necessitates the need for a helpful little reminder.

First up, Apple reminds everyone that even good passwords, left static for too long, grow old and stale.

One simple way to increase the security of your life online is to change your account password periodically.

You can change your MobileMe password via the Account icon, and Apple provides some suggestions for picking good passwords. (Here’s ours — use something long and with lots of numbers and symbols thrown in. Pseudo-random is the best. Use GRC.com to generate it, or use a good password manager (I use 1Password on the Mac, my PC friends recommend RoboForm) to both generate and store lots of logins).

Next up is what to do if you forget your MobileMe password, and it’s fairly standard stuff, involving a secret question:

Should you ever forget your MobileMe password, go to the MobileMe login page at me.com and click the Forgot password link. You’ll be taken to a page and given the option of resetting your password by answering a secret question to establish your identity.

Pro tip: If you’re even a semi-public figure, or just “don’t trust anyone” make up a fake history, with fake maiden names, pet names, etc. or anyone who knows your background can hack your account as easily as they did Salma Hayak’s.

This is a story by the iPhone Blog. This feed is sponsored by The iPhone Blog Store.

How To: Recover Your MobileMe Password and Update it Often for Added Security

Wired.com talks to Jonathan Zdziarski, iPhone developer, hacker, forensics teacher, finder of the iPhone kill switch, creator of the AMBER alert app, about the iPhone 3GS‘ new hardware encryption, recently touted as giving consumers “enterprise-class” security. His take? It’s implemented so poorly it can be cracked in two minutes, “like storing all your secret messages right next to the secret decoder ring”.

To steal an iPhone’s disk image, hackers can use popular jailbreaking tools such as Red Sn0w and Purple Ra1n to install a custom kernel on the phone. Then, the thief can install an Secure Shell (SSH) client to port the iPhone’s raw disk image across SSH onto a computer.

We’ve heard before that Jailbreaking strips away security layers on the iPhone, though that’s been in the context of the users own device. This is using the Jailbreak process to actively get at another device’s data.

Is Apple going to change the way they implement their hardware-based iPhone 3GS encryption in light of this? Can the current model be made more robust? And what, if any, changes made to keep bad guys out of the iPhone will effect users who simply want to gain access to their own iPhones?

[Thanks to Antony for the tip!]

This is a story by the iPhone Blog. This feed is sponsored by The iPhone Blog Store.

iPhone 3GS Hardware Encryption “Useless”?

No word yet on whether you get a pocket Hasselhoff to push it for you, but it sounds like Opera Mobile 9.7 is set to bring back the “Turbo” boost in an effort to take it to Mobile Safari (and, we presume, WebKit in general as found on the iPhone, Google Chrome lite for Android, Palm Pre, some Nokia devices, etc. etc…. etc…)

Ganging up on the “real internet” browser are our good friends Matt Miller from NokiaExperts.com and Phil Nickinson from WMExperts.com. Matt explains the concept behind Nokia’s blast from the past via his ZDNet blog:

Turbo mode that supplements the native Opera Mobile browser with the proxy functionality found in Opera Mini. So, with Opera Mobile 9.7 and Turbo mode enabled you get a fully functioning web browser with proxy/server side lifting going on to provide the FASTEST browsing experience currently available on a mobile phone.

TiPb vaguely remembers proxy and cache tricks from those old spamvertisements promising to quadruple our old dial-up modem speeds. Phil tries to pip us to the proxy post, however:

OK, this isn’t exactly a fair fight, but forget about that for a minute. To the average user it probably doesn’t matter whether your browser is being rendered through a proxy, security and privacy implications be damned.

And he’s absolutely right. When those users are stuck on the equivalent of dial-up. Once they — like iPhone, Android, and Palm Pre users — get with the equivalent of broadband, well… let’s just say we don’t get those spamvertisements anymore…

Holding the snark for a moment, it’s great to see Opera providing stop gaps for users with slow connections who don’t care about privacy or security. Here’s hoping the gap stops being necessary to fill quickly, however, and Opera can focus on forward-looking browser technologies, since WebKit doesn’t look to be slowing down any time soon.

[Tip o'the browser to Phil for the image inspiration as well!]

This is a story by the iPhone Blog. This feed is sponsored by The iPhone Blog Store.

Browser Wars: Opera Mobile Brings Back “Turbo” Boost to Compete with Safari

SplashID [$4.99 - iTunes link] is an app for the iPhone and iPod touch that provides a great  place to store your data securely with a password. Just how secure is it? Super secure. 256bit Blowfish secure.

I have used SplashID for years on the Palm OS. I was so excited to see that SplashData brought SplashID to the iPhone last year as I was easily able to port my old files over to the iPhone using their desktop companion app.

So what does SplashID do for you? A lot, let’s take a look after the break!

First, you can choose what type of password you would like to use; a simple 4 digit pin or  a longer password; it’s your choice. Of course, there is nothing more irritating as you go back and forth between SplashID and another app for you to keep entering your password into SplashID. There is a feature that allows you to suspend the locking feature for a period from 1 minute to 30 minutes.

You can organize your data in SplashID into several categories from software serial numbers to airline frequent flyer miles to your families social security numbers for quick reference. When you are dealing with sensitive data, you can also choose to mask certain fields to hide the data from the roaming eyes of casual observers.

Not only do you have the ability to customize your categories, but you can choose a theme and view for your data as well. You can pick row colors and choose between a list or panel view. I am personally partial to the panel view as it groups your items by category type instead of a list. Depending on the volume of entries you have, the list get get a little unyieldy. In an effort to help manage those that store a lot of information in SplashID, there is a very convenient “Most Viewed” button to access the info you view most frequently. If you have a hard time viewing the information in portrait mode, you can rotate to landscape too!

If you need to share any information, you can quick do so my using the email feature. With the tap of a button on screen, you can send information via email. One way I use this feature is to email my SSID information and password to friends that are visiting my house so they can get on the network (no I don’t have the new Airport Extreme with guest access ). You can also send the information as a secure file to another SplashID account!

I could really go on and on about SplashID since I have been using it for years. The added value of the companion desktop app ($19.99) is of additional benefit as your data is always safe, backed-up and accessible from your Mac/PC and your iPhone.

If you need something more than a simple password manager and need a tool to manage all of your sensitive information, look no further than SplashID for iPhone!

This is a story by the iPhone Blog. This feed is sponsored by The iPhone Blog Store.

Quick App: SpashID for iPhone – Save that Important Data Securely

TidBITS has an interesting write-up on the various security features of iPhone 3.0 in general, and the 256-bit AES hardware encryption of iPhone 3GS in particular, and how combined together:

consumers can now experience enterprise-class security.

They cover passcode lock, data erase, remote wipe, lack of insecure external data cards, frequent and easy to install software updates/security patches, and (encrypted) backups that can restore your data if your device is accidentally wiped. Definitely worth a read if you tend towards the security conscious.

This is a story by the iPhone Blog. This feed is sponsored by The iPhone Blog Store.

Hardware Encryption and MobileMe Give iPhone Consumers Enterprise-level Security

Turns out that if you jailbreak your iPhone you remove most of the Apple’s security protections — 80% to be exact — and are vulnerable to attacks. At least according to Charlie Miller:

“If you care about security, don’t use a jailbroken iPhone,”

Miller, speaking at SyScan in Singapore, believes that by jailbreaking you open your device some major risks. The operating system on an iPhone is basically a watered down version of Mac OS X. For those of you who are unfamiliar with Macs, Mac OS X is the latest OS that Apple computers run. Macs are generally known for pretty risk-free machines with a few exceptions. Those exceptions being Java, Adobe Flash, and PDF files. The major risk on the iPhone is opening your device up to any application available on Cydia/Icy. iPhones will generally only run applications that are digitally signed by Apple, this is not the case when jailbroken. So if you don’t know what you are installing, there is a possibility you can be in for a world of hurt.

Of course just a few hours ago Rene told you about the huge vulnerability within the iPhone’s SMS application that Charlie found, so nothing is completely safe.

Does this scare you away from jailbreaking your iPhone? Perhaps you are thinking about doing a restore and going legit from now on? Let us know if this warning from Charlie sways you to avoid the jailbreaking life!

[Via Macworld]

This is a story by the iPhone Blog. This feed is sponsored by The iPhone Blog Store.

Jailbroken iPhones – Security Risk?