
Reader Karl writes in to let us know his twelve-year-old son discovered a glitch in SMS security:
Being security-conscious, he turned on the passcode lock and disabled SMS Preview. [...] If a message is received during passcode entry or while the screen is locked, a generic message of “New Text Message” appears, to prevent viewing of messages without unlocking the phone. [...] If, however, the phone is placed in emergency call mode, any incoming SMS messages are previewed instead of being presented as the generic message.
Next come two issues concerning implementation choices Apple made in the iPhone Mobile Mail client. According to Ars Technica, as disclosed by Aviv Raff, the first involves the way Mail truncates long URLs for display on the iPhone. If an attacker crafts a URL so that the part revealing it as fake falls in the portion that gets cut off, the user sees only the legitimate-looking part, and a phishing link becomes far more likely to be trusted.
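To make the truncation problem concrete, here is an added example (not code from the original post, and not Apple's Mail code) that contrasts a fixed-width cut with a display rule that keeps the real host visible. The look-alike URL uses a reserved `.example` domain and is constructed for illustration; the exact URLs Raff used are not given on this page.

```python
"""Added example, not code from the original post or from Apple's Mail client.
It shows how cutting a long URL to a fixed display width can hide the part
that reveals it as fake, and a display rule that keeps the host visible.
The sample URLs use a reserved ".example" domain and are constructed."""
from urllib.parse import urlsplit

ELLIPSIS = "\u2026"

# Constructed look-alike: the host really ends in notarealdomain.example, but
# its leading labels are chosen so that the first 23 characters read as Apple.
PHISH = "http://www.apple.com.id-check.notarealdomain.example/login"
LEGIT = "http://www.apple.com/support/iphone/"


def naive_truncate(url: str, width: int) -> str:
    """Keep the first characters and cut the rest (the failure mode
    described above): whatever the attacker put first is all the user sees."""
    if len(url) <= width:
        return url
    return url[: width - 1] + ELLIPSIS


def host_first_display(url: str, width: int) -> str:
    """Show scheme and full host, and spend any remaining width on the path.
    The host is never cut, even if that means exceeding the width, because
    the host is the part that decides where a click actually goes."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.port:
        host += f":{parts.port}"
    prefix = f"{parts.scheme}://{host}"
    rest = parts.path or "/"
    if parts.query:
        rest += "?" + parts.query
    room = width - len(prefix)
    if len(rest) <= room:
        return prefix + rest
    return prefix + rest[: max(room - 1, 0)] + ELLIPSIS


def real_host_visible(display: str, url: str) -> bool:
    """Check whether the host a link really points to appears in what the user sees."""
    return (urlsplit(url).hostname or "") in display


if __name__ == "__main__":
    for fn in (naive_truncate, host_first_display):
        shown = fn(PHISH, 24)
        print(f"{fn.__name__:20} {shown!r}  host visible: {real_host_visible(shown, PHISH)}")
```

With a 24-character budget the naive cut shows `http://www.apple.com.id…`, which reads as an Apple link; the host-first rule shows the full `notarealdomain.example` host and cuts only the path.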
The second results from the lack of any option to block image loading in the HTML-capable Mobile Mail client. Since remote images are fetched automatically, a spammer who embeds a uniquely tagged image in a message learns, the moment it is fetched, that the address is active and worth targeting further.
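The mitigation the post says is missing is a "don't load remote images" setting. As an added example (not Apple's code), the filter below rewrites an HTML mail body so that remote `<img>` sources are replaced with a placeholder before rendering, while inline `cid:` and `data:` images, which need no network request, are kept. The spam message, its tracker host and the recipient token are all constructed.

```python
"""Added example, not Apple's code: a filter that rewrites an HTML mail body so
that remote images are never fetched, while inline (cid:) and data: images,
which need no network request, are left alone. The spam message is constructed."""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed spam body. The 1x1 "pixel" carries a per-recipient token, so the
# fetch alone tells the sender this address is live.
SPAM_HTML = (
    "<html><body><p>Your account needs attention.</p>"
    '<img src="http://tracker.notarealdomain.example/p.gif?id=rcpt-8731" width="1" height="1">'
    '<img src="cid:logo@mail" alt="logo">'
    '<p>Click <a href="http://notarealdomain.example/x">here</a>.</p></body></html>'
)

PLACEHOLDER = "about:blank"
REMOTE_SCHEMES = {"http", "https", "ftp"}


def is_remote(url: str) -> bool:
    """True for anything that would cause a network request: http(s)/ftp
    URLs and scheme-relative '//host/...' references."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() in REMOTE_SCHEMES:
        return True
    return parts.scheme == "" and parts.netloc != ""


class RemoteImageFilter(HTMLParser):
    """Re-emits the document, replacing every remote <img src> with a
    placeholder and recording what was blocked for a "load images" prompt."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.blocked = []

    def _attrs(self, tag, attrs):
        pieces = []
        for name, value in attrs:
            if tag == "img" and name.lower() == "src" and value and is_remote(value):
                self.blocked.append(value)
                value = PLACEHOLDER
            if value is None:
                pieces.append(name)            # boolean attribute, no value
            else:
                pieces.append(f'{name}="{html.escape(value, quote=True)}"')
        return (" " + " ".join(pieces)) if pieces else ""

    def handle_starttag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(tag, attrs)}>")

    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(tag, attrs)} />")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text arrives unescaped (convert_charrefs=True), so re-escape it on output.
        self.out.append(html.escape(data, quote=False))


def strip_remote_images(body: str):
    """Return the rewritten HTML and the list of remote image URLs removed."""
    f = RemoteImageFilter()
    f.feed(body)
    f.close()
    return "".join(f.out), f.blocked


if __name__ == "__main__":
    cleaned, blocked = strip_remote_images(SPAM_HTML)
    print("blocked:", blocked)
    print(cleaned)
```

Links are deliberately left untouched: the point is to stop automatic fetches, not to rewrite what the user may choose to click. A real client would also want to block CSS `background-image` URLs, which this parser does not look at.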
As always, malicious attacks evolve and propagate at an alarming rate, and while we hope Apple fixes these immediately if not sooner, the onus is ultimately and always on us end users to pay attention and do everything we can to avoid them.
eWallet, from Ilium Software, is now available in the iTunes App Store for $4.99, with a desktop version for Mac OS X coming soon, according to Ilium.
Ilium Software offers their popular eWallet app for Palm, Windows Mobile Pro and Windows Mobile Smartphone. Now, you can have this useful app on your iPhone or iPod Touch.
How does eWallet for the iPhone measure up? Read on for the full review!

TiPb loves answering your emails, but we also love sharing our answers with the community in hopes that more people will benefit, and even better answers will present themselves (hey, that’s why we have them forums!). For today’s debut TiPb Answers, reader Ryan asks:
I’ve installed some apps on my phone from iTunes, one being Facebook Mobile. What concerns me is that once I’ve entered my user/pw the first time it is never required again, and anyone who simply “slides” the phone unlocked will have full access. I assume this is true for email as well (although I haven’t set that up yet).
My question is, is there any way to passcode a particular icon on the iPhone? Or put a security lock on it?
TiPB answers, after the jump…

About a month ago Dieter reported on a fairly large security flaw in firmware 2.0.2 that gave access to Safari, Email, and a frightening amount of personal data. Apple patched it in 2.1. Or did they?
This could be a flaw or a feature, but it turns out you can still place a phone call, to any number, while the iPhone is locked with a passcode. Wasn’t the “emergency” call feature meant to call “emergency” numbers such as 911 only?
Apple can you please put this on your “need to fix” list? Thank you!
(Via Macrumors, as discussed way back in 2.0.2 on the forums of iLounge.com)

Apple has long since mastered using animation both to aid usability and to fill transitions. An example of the latter is the “shrink” effect you see when you hit the home button: whatever is currently on screen shrinks away to nothing and the home screen icons fly back into place. To produce this effect, however, the iPhone takes a quick screenshot and then uses the built-in Core Graphics/Core Animation layers to scale it down rapidly.
See the problem? No? Wired does: once a screenshot has been written to storage, even if the iPhone deletes it immediately, those bits remain inside your device until something happens to overwrite them. Current recommendations for properly destroying data call for multiple pseudo-random overwrites. Absent that, forensics experts can often retrieve so-called “deleted” files, including the screenshots the iPhone uses for animation, and with them, potentially, any confidential or classified document you were viewing (or embarrassing Hello Kitty site you were browsing) when you hit the home button.
Sure, this will likely never be a problem for most users. Passwords are obscured on screen, and not many of us have documents, or look at sites, that would be worth the significant forensic resources it would take to recover iPhone screenshot files.
But a security/privacy concern is a security/privacy concern, and while this one doesn’t trouble me personally, not knowing about it, and so not being able to make an informed decision about it, would.
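Why a “deleted” screenshot is still there, and what an overwrite-before-release rule changes, is easier to see on a toy block store than on a real device. The following is an added example, constructed for this post and not the iPhone's storage code: a flat byte array with a directory, an ordinary unlink, a shred that overwrites before releasing blocks, and a signature carver of the kind forensic tools use. The block size, file name and “screenshot” payload are made up; the PNG signature is the real one.

```python
"""Added example, constructed for this post and not the iPhone's storage code:
a toy block store that shows why ordinary deletion leaves a file's bytes
recoverable by signature carving, and what overwriting before release changes.
Block size, file names and the screenshot payload are all made up."""
import os

BLOCK = 64
PNG_SIG = b"\x89PNG\r\n\x1a\n"          # real PNG file signature, used as the carving marker
SCREENSHOT = PNG_SIG + b"CONFIDENTIAL: constructed screenshot payload " * 3


class ToyStore:
    """A flat byte array split into blocks plus a directory mapping file names to
    the blocks holding their data. Deleting touches only the directory and the
    free list, which is what most filesystems do; the data blocks are untouched."""

    def __init__(self, nblocks=16):
        self.media = bytearray(BLOCK * nblocks)
        self.free = list(range(nblocks))
        self.files = {}

    def write(self, name, data):
        need = -(-len(data) // BLOCK)        # ceiling division
        if need > len(self.free):
            raise OSError("no space left")
        blocks = [self.free.pop(0) for _ in range(need)]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            self.media[b * BLOCK:b * BLOCK + len(chunk)] = chunk
        self.files[name] = blocks

    def delete(self, name):
        """Ordinary unlink: forget the name, mark the blocks free, leave the bytes."""
        self.free.extend(self.files.pop(name))

    def shred(self, name, passes=3):
        """Overwrite each block with pseudo-random data several times, then with
        zeros, before releasing it: the overwrite rule the post refers to."""
        for b in self.files[name]:
            for _ in range(passes):
                self.media[b * BLOCK:(b + 1) * BLOCK] = os.urandom(BLOCK)
            self.media[b * BLOCK:(b + 1) * BLOCK] = bytes(BLOCK)
        self.delete(name)

    def carve(self, marker):
        """What a forensic tool does: ignore the directory and scan the raw
        media for a known file signature. Returns the byte offsets found."""
        hits, start = [], 0
        raw = bytes(self.media)
        while (i := raw.find(marker, start)) != -1:
            hits.append(i)
            start = i + 1
        return hits


def recoverable_after(method):
    """Write a 'screenshot', remove it with the given method ('delete' or
    'shred'), and report whether its signature can still be carved from the media."""
    store = ToyStore()
    store.write("snap.png", SCREENSHOT)
    getattr(store, method)("snap.png")
    assert "snap.png" not in store.files       # either way, the file is gone from the directory
    return len(store.carve(PNG_SIG)) > 0


if __name__ == "__main__":
    print("recoverable after delete:", recoverable_after("delete"))   # True
    print("recoverable after shred: ", recoverable_after("shred"))    # False
```

One caveat for the device in question: the toy media, like a magnetic disk, writes in place. NAND flash with wear levelling generally writes an “overwrite” to a fresh physical page and leaves the old one intact until garbage collection, so the overwrite rule is not a reliable guarantee there; the durable approach on flash is to encrypt at rest and destroy the key.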
And hey, at least it’s not as tattly as Google Chrome…

It started innocently enough. Prince Mclean over at Apple Insider commented in passing:
Data transaction security in MobileMe’s web apps is based upon authenticated handling of JSON data exchanges between the self-contained JavaScript client apps and Apple’s cloud, rather than the SSL web page encryption used by HTTPS. The only real web pages MobileMe exchanges with the server are the HTML, JavaScript, and CSS files that make up the application, which have no need for SSL encryption following the initial user authentication. This has caused some unnecessary panic among web users who have equated their browser’s SSL lock icon with web security. And of course, Internet email is not a secured medium anyway once it leaves your server.
If Apple applied SSL encryption in the browser, it would only slow down every data exchange without really improving security, and instead only provide pundits with a false sense of security that distracts from real security threats.
And the web went wild. Daniel Eran Dilger took the crown off to retort them all over at Roughly Drafted:
For the record: Apple’s MobileMe desktop email can be secured via encrypted SMTP and IMAP; Apple presents details on how to ensure this is set up, as users may not have this enabled by default. Address Book and iCal sync on Mac OS X is secured automatically when it transacts with Apple’s server cloud. Windows apps use the same security when syncing their data via Outlook through iTunes for Windows. The iPhone and iPod touch also support encrypted email and all push messages are also secured via encryption.
Our take? If you’re super sensitive about your data, only ever browse over SSL through a VPN, encrypt what you send with a strong PGP key, and hope no intelligence service is willing to spend serious money and assets snooping in your general direction.
Other than that, use common sense. Don’t risk information you can’t afford getting out, and take advantage of every security feature your chosen system implements.

Last week the UK ruled that Apple was misrepresenting the iPhone’s provision of “just the internet” because of its lack of support for two ubiquitous third-party plugins, Flash and Java. We’ve previously covered the will-they/won’t-they drama surrounding development and deployment of Flash and Java pretty much ad nauseam, as well as some seldom-discussed yet surprisingly frightening concerns about Flash and its downright sneaky use of third-party advertising cookies.
More recently, however, another issue has come to light. Primarily concerned with Windows Vista security and how it can be circumvented, this issue throws renewed focus on the danger of third-party plugins like Flash and Java: how they interpret and run code on our machines, and how they provide an increasingly popular attack vector for the bad guys (hackers, malware authors, identity thieves, etc.).
How does this all relate to the iPhone, and what about ZOMG! Can has my Flash vidz? Read on to find out!

Dieter’s already brought us up to speed on the nasty security bug Gizmodo found in the iPhone’s current 2.0.2 firmware (which John Gruber points out Apple already fixed once, for firmware 1.1, way back last year. Yikes!). Now Macworld (via MacRumors) reports that Apple has taken the unusual step (for Apple) of confirming the upcoming fix:
“The minor iPhone security issue which surfaced this week is fixed in a software update which will be released in September,” Apple representative Jennifer Bowcock said in an email to Macworld.
So add security to the list of what Apple’s now promising, along with 3G connectivity and App stability, for the next update.
Will that update be iPhone firmware 2.1, already at beta 4? Kevin Rose has rumored it for September 6th, but we’ve already seen push notification fall off the feature list. With more bugs to fix, will Apple pull a Vista, or settle for a less ambitious, more urgent 2.0.3 in the interim?
I’m favoring 2.0.3 at the moment. I’d rather have stability than features at this point. Nail 2.0.x, then move on. What’s your preference?

Gizmodo has uncovered what can only be described as a gigantic, huge, and completely embarrassing security flaw on the iPhone.
If you have your iPhone ‘locked,’ the lock can be circumvented very easily, with very little trickery. On the ‘lock’ screen, you can still make an emergency call. Once you tap that, you can double-tap the home button to bring up your Favorites (assuming you have the double-tap set to that).
The issue is that your Favorites are basically the keys to the kingdom. You can tap the blue arrow next to a favorite to open that contact’s full information. From there, you can tap an email address, a URL, or an SMS link to get into Mail, Safari and your bookmarks, or all of your SMS conversations, respectively.
Rene notes in an email that this is reminiscent of the old Palm OS bug wherein you could still search the device while it was locked. This, though, is definitely worse.
Thankfully, Apple has the best ROM update system in the entire smartphone industry, able to push out updates to every iPhone via iTunes with minimal carrier delays. Let’s hope we see 2.0.3 very soon. Meanwhile, Giz recommends you set that double-tap behavior to either ‘Home’ or ‘iPod’ as a temporary fix.
Of course, this only applies to people who actually use the lock function on their iPhones, the rest of us just live dangerously.
Update: Macrumors reports that Apple is aware of the issue and has a fix on the way:
[...]this security flaw was already reported to Apple earlier this month and has been acknowledged as an issue. A fix will presumably be included in a future firmware update

So a new employment opportunity popped up on Apple’s job listings the other day: Apple is looking for an experienced iPhone Security Engineer to create “proof of concept” attacks on current security mechanisms and provide risk analysis of potential security threats. Basically, Apple needs an iPhone hacker to prevent future jailbreaks, unlocks, and security breaches.
So if any of you are good at what you do and want to work for the “good guys”, go give it a try. Apple is trying to ramp up security to protect the enterprises adopting iPhone 2.0 and, more selfishly, to protect its own App Store from competition (ahem, Cydia and Installer). Either way, Apple is getting serious about security and the iPhone.
What do you think?