Watered Down Phishing Protection In IPhone OS 3.1?

CrazyCanucklehead writes "Security Researcher Michael Sutton discusses his findings when looking at the advertised anti-phishing features in the recently released iPhone OS 3.1. It turns out that the protection is far less than what is provided in OS X and the feature may not provide any protection at all."

Far Less than OS X

[neonprimetime]

It turns out that the protection is far less than what is provided in OS X and the feature may not provide any protection at all.

the iphone in general contains far less than what is provided in OS X so this doesn't come as a surprise to me.

now, whether or not iphone 3.1 phishing protection is a big oversite on apple's part is another discussion and a worthy one at that

Re:Far Less than OS X

It's spelled oversight.

Re:Far Less than OS X

[Hurricane78]

the iphone in general contains far less than what is provided in a real smartphone so this doesn't come as a surprise to me.

There, fixed that for ya!

*ducks*

Re:Far Less than OS X

[InsertWittyNameHere]

To be fair, do any phones offer anti-phishing on the device?

Re:Far Less than OS X

Yah, cause after all my BlackBerry Curve had anti-phishing... wait no it didn't... and that windows mobile phone work gave me had... wait no it didn't... granted both had such awful browsers I don't think many people even used them. Either way it's really popular to rag on Apple for things not being entirely perfect. Fact is I'm more excited about the loads of other things that came with 3.0 and less worried about perhaps a less than great anti-phishing black list. Besides I think you've gotta be pretty stupid to get caught by a phishing attack.

Re:Far Less than OS X

[Jurily]

To be fair, do any phones offer anti-phishing on the device?

Do users of any other phone need it?

Re:Far Less than OS X

[Tom]

> To be fair, do any phones offer anti-phishing on the device?
>
> Do users of any other phone need it?

Only the part that constantly brags about how their smartphone of choice has this one important feature that the iPhone doesn't, and therefore it is superior in every way.

Re:Far Less than OS X

Blackberry?

Re:Far Less than OS X

Ummm, if they have web browsers then they need it just as much as iPhone users do.

Re:Far Less than OS X

[Minion+of+Eris]

If your BlackBerry Smart phone is connected to a BlackBerry Enterprise Server, and you use the BlackBerry Browser (as opposed to Internet Browser or whichever browser your carrier supplies in their software package), then all off your requests pass through the server, instead of "directly" to the 'net over your carrier - as a result, you share whatever filters/protections IT has put in place on the server. If you are BES connected, then you get whatever spam/phishing protection is enabled in your email client at work.

Re:Far Less than OS X

[AnalPerfume]

You're missing the point, it's shiny, and Steve has given it the stamp of cool and he's the only person on the planet officially allowed to do that, so he should know cool when he sees it. That should be enough for you. Or are you a commie? /sarcasm.

Re:Far Less than OS X

It's spelled intensive purposes.

Re:Far Less than OS X

[Monkeedude1212]

The difference between Windows Mobile not having phishing filters and the IPhone not having phishing filters is that Windows Mobile never at any point gave you an illusion of protection.

If you haven't been trained on basic internet usage - its VERY easy to fall for phishing attempts. We've been browsing the net for years now, and all it takes is someone who says "You can pay your bills online" for someone to try and google how to do it on their own and then fall into a trap.

I'd say Cross Server Scripting has gotten the best of at least half my friends. Fortunately most of them didn't have any valuable information.

Re:Far Less than OS X

[Hurricane78]

What's a BlackBerry? What's a Windows Mobile phone?

No, I know what they are. But why bring out the obscure ones?

Oh, I know, because on my Symbian phone, I can "install and tweak whatever I want"(TM), including anti-phishing stuff. :)
(Hmm, I think that's even possible on those two systems above.)

Re:Far Less than OS X

[MMC+Monster]

Also, no one in their right mind uses Windows Mobile to browse the internet. :-)

Seriously, though, given the percentage of iPhone users that actually use Mobile Safari (much higher than any other single mobile device), they really should get phishing protection like a desktop. Wasn't there a /. article a while back about people using iPhones as their only computer?

Re:Far Less than OS X

The Curve does have one advantage over the iPhone and most other competitors., it enables accidentally dialing your local emergency # six times in a month while the phone's locked. Can't do that on an iphone unless the SIM's been pulled. Score: Curve 1, iphone 0.

Re:Far Less than OS X

[david_thornley]

Nonsense? An intensive purpose is one that's clearly focused. Doing something with the aim of getting to a particular movie theater is an intensive purpose. Doing something with the aim of promoting world peace is not. Now, it seems to me that one intensive purpose is unlikely to have much to do with another one, and so there really wouldn't be many things to generalize over them, but other people seem to disagree.

Re:Far Less than OS X

[MobileTatsu-NJG]

To be fair, do any phones offer anti-phishing on the device?

Do users of any other phone need it?

Oh, come on. Web browsing on other phones isn't that bad.

Re:Far Less than OS X

[david_thornley]

Most phones either don't provide a web browser, or provide one so painful that nobody's going to use it long enough to get phished. With that protection, who needs specific anti-phishing measures?

Re:Far Less than OS X

[contrapunctus]

but it's about web sites, you see over sites: oversite.

Re:Far Less than OS X

[Minion+of+Eris]

try standby mode instead of lock (it's the little button up on top of the 'phone).

Re:Far Less than OS X

I use opera on my winmo phone you insensitive clod. I even have tabs :)

Re:Far Less than OS X

[indiechild]

Elaborate?

Re:Far Less than OS X

Which is why it's so popular! Only nerds need to SSH into something from a smartphone.

Re:Far Less than OS X

No man a doodley "intensive purpose" is marketing a doodley speak for people in black turtleneck seaters! a dodoley

Slight catch in that last sentence

[The+Ancients]

FTA:

If you work for Apple, please comment on why you went with watered down phishing protection on the iPhone.

If anyone from Apple does comment, we'll not know for sure as they'll not be able to identify themselves sufficiently. As such, everything we do see will just be guesses. Some may make sense and quite probably be right, but who knows...

I've got built-in phishing protection.

[jtownatpunk.net]

It works really well. If I don't know how I got to a site, I don't enter my banking information. Simple. It's amazing how well that works. If I get an email from "my bank" asking me to click on a link to verify something, I don't click on the link. If I think that it has the slightest chance of being legit, I'll open a web browser and type my bank's URL in by hand and log into my account. If the original email was legit, I'll be prompted to do whatever it is they need. If I get an email asking me to reply with my username and password, I know it's a scam. How could anyone NOT know that's a scam? It's not frickin' rocket science.

Instead of putting all this effort into anti-phishing technology, we should make people less stupid.

Re:I've got built-in phishing protection.

[pak9rabid]

Seconded (only because I don't have mod points at the moment)

Re:I've got built-in phishing protection.

[bFusion]

If you invent anti-stupid technology, I'm sure you'd be a near instant millionaire.

Re:I've got built-in phishing protection.

[stokessd]

It's not frickin' rocket science.

Instead of putting all this effort into anti-phishing technology, we should make people less stupid.

The problem is that the API for "people" is really old, and many of the functions appear to be deprecated (see driving a non-syncromesh manual transmission, hunting, fabricating arrow points, etc). It's much easier to foam rubber coat the world, than to try to make "people" smarter (See modern playgrounds for freshly instantiated "people").

Sheldon

Re:I've got built-in phishing protection.

[mcgrew]

Instead of putting all this effort into anti-phishing technology, we should make people less stupid.

You can make people less ignorant, but there is no way to make them less stupid.

Re:I've got built-in phishing protection.

[starglider29a]

This problem is self limiting... People who are stupid enough to fall for a phishing scam will have their finances and credit pwned so badly that they won't be able to GET an iPhone.

Though maybe people would be less susceptible if they didn't think that their browser/OS/phone was idiot-proof. Maybe the best phishing protection is to declare that there isn't any phishing protection. Motorcyclist drive more carefully than people in air-bagged cars.

Re:I've got built-in phishing protection.

[Tom]

Instead of putting all this effort into anti-phishing technology, we should make people less stupid.

Rational analysis tells me that's the wrong approach. Inventing a 100% reliable anti-phishing technology is considerably easier than making people less stupid.

Re:I've got built-in phishing protection.

You think making people less stupid is easier??

Please excuse me while I clean up the drink I just snarfed all over my laptop!

Re:I've got built-in phishing protection.

[sakdoctor]

My Nigerian company, in a Joint venture with a Russian company, actually sells an anti-stupid product.
It really works, and it's available to buy TODAY!

http://shop1337.youscam.ru/darwin/get_smart_stupid

Re:I've got built-in phishing protection.

[Tweenk]

we should make people less stupid.

Unfortunately that is a physical impossibility, so your plan fails.
Moreover the wide access to technology depends on it being accessible to stupid people - otherwise they wouldn't buy them and the technology companies would fold. There is just no solution to this problem: idiots will always get their computers hacked, fall for scams, get their credit cards stolen etc. no matter how secure we make them. The only way to cope with this is to minimize the effects they can have on other people.

Re:I've got built-in phishing protection.

[Nadaka]

Hey... I still drive a manual (though admittedly it is syncromesh), I still hunt, I still fabricate arrow heads. These are largely relegated to hobbies, but some people really do still do these things.

Re:I've got built-in phishing protection.

[greyline]

I think so many people tried to visit your site, it went down. Can I just post my information here for your product?

Re:I've got built-in phishing protection.

[cadeon]

we should make people less stupid.

Your post advocates a

( ) technical ( ) legislative ( ) market-based (X) demographic

approach to fighting phishing. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Phishers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
(X) It is defenseless against brute force attacks
(X) It will stop phishing for two weeks and then we'll be stuck with it
(X) Users don't want to be educated
(X) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from phishers
(X) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
(X) Lack of centrally controlling authority for information
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(X) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
(X) Extreme profitability of phishing
( ) Joe jobs and/or identity theft
(X) Technically illiterate politicians
(X) Extreme stupidity on the part of people who do business with spammers
(X) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
(X) Outlook

and the following philosophical objections may also apply:

(X) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
(X) Accessibility
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
(X) Countermeasures must work if phased in gradually
( ) Sending email should be free
(X) Why should we have to trust you and your information?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
(X) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

( ) Sorry dude, but I don't think it would work.
(X) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

Re:I've got built-in phishing protection.

You Can't Fix Stupid - Ron White

Re:I've got built-in phishing protection.

[jellomizer]

Until you make a type and misspell your banks website domain name. (or are you stupid enough to have a nice bookmark wide open for anyone to click on to see who you bank with) then you go to a site that look just like your bank. Heck it may even have a valid security certificate, and you just got fished.

So you know how you got onto you site. However you a simple mistake... To bad you didn't have a Phishing protection to tell you that you went somewhere wrong.

It is not that people are stupid. But they let their guards down at some point when they do most of the time they are lucky but you can get that one point where you let you guard down and you make the mistake then bingo you are in trouble.

The really stupid people in the world think everyone else is stupid. The smart people in the world realize that they are not that smart and know to take advantage of help and tools to help offset their shortcomings.

Re:I've got built-in phishing protection.

[mehrotra.akash]

I dont think that the iPhone is targeted to people who actually know how to protect themselves, many of them would be using blackberries/nokia E/WinMo series or other business focused handsets as their primary phone and the iPhone as a secondary media device.

"Instead of putting all this effort into anti-phishing technology, we should make people less stupid."
then only those who want a media player would want iPhones

Note: all my comments are based on the original unjailbroken iPhone, have not encountered a newer version

Re:I've got built-in phishing protection.

[goldmaneye]

I disagree that no protection is the best protection. Plenty of people make simple typing errors all the time when they go looking for a website. Bank0fAmerica (it's a zero; could you tell?) looks an awful lot like BankOfAmerica. As phishing attacks get more and more sophisticated, eliminating any kind of protection makes less and less sense; even smart people can get taken in by an expertly-executed phishing attack that uses a URL that very closely mimics the correct URL and a website that looks nearly identical to the actual website.

Regarding your analogy with motorcycles, statistics compiled by the National Highway Traffic Safety Administration suggest that motorcyclists might actually drive less safely than people in air-bagged cars. In a fatal collision, when compared to passenger vehicles involved in such collisions, motorcyclists were found to be:

(1) More likely to have been speeding.
(2) More likely to have had their license suspended.
(3) More likely to have been driving with a suspended license.
(4) More likely to have been legally intoxicated.
(5) More likely to have a previous DUI on their record.

Please note: The report does not suggest that these behaviors are prevalent among motorcyclists, and it is not in any way my intention to suggest that they are. Most motorcyclists that I have seen on the road drive in a very safe manner. I am just summarizing the statistics from the NHTSA report.

Source: http://www.nhtsa.dot.gov/portal/nhtsa_static_file_downloader.jsp?file=/staticfiles/DOT/NHTSA/Traffic%20Injury%20Control/Articles/Associated%20Files/810990.pdf

Re:I've got built-in phishing protection.

[MobileTatsu-NJG]

Instead of putting all this effort into anti-phishing technology, we should make people less stupid.

You can make people less ignorant, but there is no way to make them less stupid.

You know, it's funny, chicks look at our fashion sense the same way we look at their understanding of the internet.

Re:I've got built-in phishing protection.

[Gulthek]

Speaking as a parent of a toddler: modern playgrounds are AWESOME. At a nearby park there is a frikin' 3 story spiral tunnel slide! A ladder that leads to a rock wall about 5' up that kids can climb along then drop down (yes, drop) onto a big flat slide. An obstacle course of monkey bars that go UP from about 6' to 8' then end at a raised platform on a sprawling playset.

All in all, playgrounds seem far more dangerous (and awesome) than the tiny slides and see-saws I played on as a kid. I'm actually pretty jealous.

Re:I've got built-in phishing protection.

[sbeckstead]

Please do, we'll contact you when the product ships!

Re:I've got built-in phishing protection.

[sbeckstead]

Seconded!

Re:I've got built-in phishing protection.

[jargon82]

Having kids is really just an excuse to keep playing with their toys, at least for men.

Re:I've got built-in phishing protection.

[Gulthek]

Oh also, manual transmission FTW. My wife has actually never owned a car that was anything else.

Re:I've got built-in phishing protection.

[johndiii]

I agree with your point about no protection not being the best protection, but I don't think that the statistics that you cite demonstrate the point that you are trying to make. The notion that motorcycle crashes in general have a greater incidence of fatality means that behavior that causes crashes will correlate better with motorcycle fatalities than with passenger vehicle fatalities.

A more meaningful number would be something like the number of crashes per vehicle mile. Or perhaps the number of injury-producing crashes per vehicle mile. Even then, a conclusion might be slippery, because motorcycles do not tend to get into minor accidents like parking lot fender-benders, but even a minor motorcycle accident is more likely to produce an injury than a passenger car accident.

Re:I've got built-in phishing protection.

Hey, my transmission is not synchromesh, you insensitive clod!

Re:I've got built-in phishing protection.

[0110011001110101]

hahah silly man. I have 9 different banks bookmarked in my browser to fool people who break into my house, log into my computer and scan my favorites to see where I bank. There are like "beyotch why steal your tv when i can find out where you bank boooyyyy!". But then they see my 9 bookmarks, and they are like.. oh f#*$ this guy is smart, but still they start clicking. At some point they will click on my wachovia link (most robbers bank with wachovia) and decide they need to check their account balance.. bad news for them because thats my own fishing site and they are unknowingly giving me their password... hah! suckaz! The funny part is, not one of those nine bookmars are my bank, actually my banks website is spelled out with random letter positions from each of those 9 bookmarks. I look each one up and then build a string from that, then copy and paste that into my browser. You are thinking, what if you cant remember all the letter positions in each bookmark smarty pants?? well, i have that taken care of, see next to my keyboard is my Wells Fargo checkbook.. and inside of that the hidden combination of letter sequences is written out. So... good luck robber b*tches! I'm all covered yo!

Re:I've got built-in phishing protection.

[mcgrew]

I don't know, there are a few women I know that know more about the internet than some slashdotters, and other women who have less fashion sense than me (and I wear pretty much the same kind of clothes I wore decades ago).

To me, fashion=stupid.

Re:I've got built-in phishing protection.

[KingPin27]

Having kids is really just an excuse to keep playing with their toys, at least for men.

Unless all you have are girls then all you do is spend most of your time with them undressing and re-dressing various assortments of barbies..... Ugh!

Re:I've got built-in phishing protection.

[MobileTatsu-NJG]

To me, fashion=stupid.

Right. So would it be fair for me to say you're not beating the hotties off with a stick?

No offense intended, I didn't mean that as an attack. Frankly, I'm not one to talk. My point is that we, as geeks/nerds think other people are stupid, yet other people think we are stupid.

I have a feeling that example isn't going to go over to well so I'll use another. There are peeps out there that would think *I* am stupid because I don't know how to change the oil in m car. I could retort that I think those people are stupid for not knowing how to write a useful Mel script. If I look extra not-cool right now, you're getting my point.

Re:I've got built-in phishing protection.

[amoeba1911]

Sign me up too please! Here's my name, address, birthday, social security number, bank account and routing number, credit card number.



Thanks!

Re:I've got built-in phishing protection.

[amoeba1911]

The day you invent anti-stupid technology, the stupid will get stupider.

Re:I've got built-in phishing protection.

[geekboy642]

I wish I could afford an automatic transmission. Sure, there's something to be said for a proper gearshift, but after a decade of stop-and-go driving in the city, I'm ready to not use a clutch anymore.

Re:I've got built-in phishing protection.

[mcgrew]

Actually, the "out of fashion" thing works for me. Women want the "bad boys" because they have a need to change them, and you don't have to be a true "bad boy" for the effect to work. The first thing a woman does after she gets her hands on me is try and get me to get rid of the sweater.

And I don't think I've ever seduced a woman. I suck at it, but some do come on to me. Unfortunately, some gay men do, too.

As to changing the car's oil, that's not stupidity, it's ignorance. You could learn to change the oil in your car, a truly stupid person couldn't. When I say "fashion=stupid", fashion is a waste. I'm not going to throw out a perfectly good pair of jeans just because fashion says jeans should be a darker color blue, and I'm not going to throw away my comfortable jeans because tight fitting ball busters are in style.

Re:I've got built-in phishing protection.

[Dishevel]

How could anyone NOT know that's a scam? It's not frickin' rocket science.

Instead of putting all this effort into anti-phishing technology, we should make people less stupid.

As a rule in advanced societies people get more stupid and less able.

Re:I've got built-in phishing protection.

[MobileTatsu-NJG]

As to changing the car's oil, that's not stupidity, it's ignorance. You could learn to change the oil in your car, a truly stupid person couldn't.

This is ultimately the point I was trying to make. We agree, man.

Have a good day.

Re:I've got built-in phishing protection.

[starglider29a]

In a fatal collision...

Ah, but what about the collisions that never happened? That's the point. A rider without the protection of a cage will driver gingerly and NOT GET into a fatal collision. Whereas, a driver who knows that their airbag will deploy will drive less carefully than a car without airbags.

But, says Steven Peterson, professor of economics at Virginia Commonwealth University, "An airbag allows me to drive more aggressively but not face any more risk." In fact, drivers of airbag-equipped cars get into and cause more accidents, negating the safety benefits for drivers and increasing the risk to others.

And here's a stat you won't find... Bikers with NO helmet, NO leather will drive VERY carefully. NOT relying on airbag or even traffic laws to protect them.

The person surfing the web should be babysitting their OWN stuff because anti-phishing measures make better phishers, and idiot proofing makes better idiots.

And when I get an email from Bank0fAmerica telling me my account needs X, click here to login... I delete it without reading it. Zero or not. Keep telling them that they are safe and they eventually won't be.

Re:I've got built-in phishing protection.

If you invent anti-stupid technology, I'm sure you'd be a near instant millionaire.

No, I will be. You see, I have a patent on anti-stupid. I call it "smart" (TM)

Re:I've got built-in phishing protection.

Maybe you can't make *this individual* less stupid, but you can make future generations less stupid. By not babyproofing everything (future generations won't stick forks into electrical sockets?)

This is a joke, mostly...

Re:I've got built-in phishing protection.

[davidshewitt]

In Soviet Russia, our anti-stupid product sells YOU!

Re:I've got built-in phishing protection.

[intheshelter]

I've got no mod points right now, but I have to say your reply was kind of dumb. I think you might fall under the stupid demographic for actually dissecting his tongue in cheek idea.

I RTFA

[mcgrew]

That's troubling. Phishing protection that doesn't work is more dangerous than no protection at all. At least if you know you have no protection you'll be more careful.

Re:I RTFA

[Webcommando]

That's troubling. Phishing protection that doesn't work is more dangerous than no protection at all. At least if you know you have no protection you'll be more careful.

I know where people are coming from on this but it is a first pass at a new capability. Should they used the same mechanism as Safari on OSX (i.e. Google database)? Maybe, but perhaps there is a reason why that wasn't appropriate.* Perhaps there was a specific challenge they hadn't resolved for 3.1

I think it is encouraging that they made an attempt and expect to see some improvements as the engineering team gets real world feedback on the feature. Regardless, I don't think I normally go to sites on my iPhone that I don't already know from normal browsing and have a shortcut already.

* As an aside, if I was Apple, I'd start finding alternative ways of providing key content (maps, videos, etc.) to my phone that didn't rely on Google. Never sole source to a supplier that starts competing directly with you.

Re:I RTFA

[Bill,+Shooter+of+Bul]

Phishing sites come into existence so fast, that I really wonder how much use any phishing filter is. But any protection is better than none, though I'd recommend not trumpeting it too loudly for the exact same reason you gave.

Re:I RTFA

[jtownatpunk.net]

If people were smart enough to "be more careful", they wouldn't need phishing protection in the first place. :)

mnerd

You do realize that just about any security feature of any platform could be broken or circumvented and "may not provide any protection at all"

Doesn't matter anyway

[ironicsky]

It doesn't matter how many bells and whistles, security and user protection systems you put on a device. A dumb user is still a dumb user. Look at your typical computer user. Even though they are using the latest A/V software, their ISP scans for email viruses and spam, they are using Firefox which has anti-phishing protection, a firewall program or a router with SPI, and malware protection software they still manage to blow their computer out of the water on a regular basis requiring tech support to fix it, or fall victim to a phishing scheme. This is 10 years of doing consumer tech support talking. Most user's have the "Press Yes" mentality. The dialog could clearly state, press Yes to install this nice virus on your computer, and without reading it, they would hit yes.

The best solution out there is to actually train users of online devices to know how to spot problems or suspicious sites, programs, etc. Until the users are trained how to recognize problems they won't learn how to deal with them.

You bought an iPhone...

[f0rk]

... you're already fished.

Latency

[topham]

Latency is the likely reason to not go with the Google lookup method.

Besides, don't know about you, but I'd prefer that not all my browser habits be logged to the government.

Re:Latency

[AnalPerfume]

I wasn't aware Google = Government, with a few exceptions like China. Any closed source application can be tracking you and you'd never know. Chances are Apple are doing the same in all sorts of ways, for the same reasons Google do....targeted advertising. They want to know more about you so they can put an advert up which is more likely to appeal to your wallet opening tendencies.

At least with Google you don't need to use Google apps to access the services, you can use open or closed source third party apps like Firefox which has an addon to limit what information Google get from you when you do use their services. More than that, you can choose not to use Google at all. With the iPhone Apple ensure that some of their apps are the ONLY option. They won't allow any competing web browser so your stuck with theirs, regardless of whether they've stuffed it with spyware or not. Same goes with iTunes, do you believe they don't track what media you have? Are you really that naieve?

Re:Latency

[mehrotra.akash]

actually, google would make a great government and in reality might just get big enough to start buying small countries at first and then slowly expand and become the world government

just imagine, if i wanted to go from point A to B anywhere in the world, i could easily look it up on google as, google being the world government would have all the information necessary, and no passports/restrictions/different currency conversions,etc would be required

even better, they might just be able to plan your life, just imagine that you want to spend X days in A y in B and z in C, google could automatically plan a trip, apply for your leave at office and the amount of money would be deducted from your bank account, all with just 1 click

Re:Latency

[dhaines]

You are not stuck with Apple's browser on the iPhone. A casual search turned up 15 web browser apps before I stopped counting.

I'd provide links, but someone might be tracking.

But...but...

[dreamchaser]

But it's Apple! I thought everything from Apple was considered magically delicious here. Now I'm confused :(

Re:But...but...

[Monkeedude1212]

No, you're thinking of ONE product from GENERAL MILLS.

Snap judgements

[93+Escort+Wagon]

Given that the iPhone OS 3.1 was just released yesterday, I've got to wonder just how thoroughly this blogger investigated anything.

Note that doesn't mean I think the features in question are good or bad - but really, I'm not going to put much stock into anything anyone wrote up after at most a few minutes of use.

Sigh... I'll be so happy when blogs die their already-overdue natural death.

Re:Snap judgements

[Monkeedude1212]

He went to the popular testing site Phishtank and tried the phone out against a bunch of different phishing attempts. He says not one was blocked.

Re:Snap judgements

[amicusNYCL]

Note that doesn't mean I think the features in question are good or bad - but really, I'm not going to put much stock into anything anyone wrote up after at most a few minutes of use.

His central point was that he couldn't find a single site that was flagged as a phishing site. He even bolded that for you. If you can disprove that, go ahead and post a comment to his blog, he doesn't have any comments yet of people offering sites that do actually get flagged.

Re:Snap judgements

[johndiii]

He's not just a "security researcher" - he's an official blogger for Zscaler, a "cloud security" vendor. Essentially, they seem to provide security-checking proxies. My take is that he would have a vested interest in portraying the iPhone (or any platform not protected by Zscaler) as insecure.

The PhishTank list has 2279 entries. I'd be interested to know how many he tried, and which ones.

Let me Blow your mind.

[k_187]

Anything from Apple is considered magically delicious and explicitly loathed here.

He didn't do his research.

[nneonneo]

I followed the same steps as outlined in TFA: download the verified online phishing list, pick a few URLs and load each into MobileSafari.

The very first one on the list, citibanking.ru, was blocked by both Firefox and MobileSafari. Since it was at the top, I thought that perhaps it was too recent (reported Sept 10, 2009), so I went down the list a bit, and got colorear.org/ray/, also blocked on Firefox and MobileSafari (reported Aug 26, 2009). guildoftibia.w.interia.pl was also blocked on both (reported July 28, 2009). I also found a few that were blocked on neither, but none that were blocked only on one and not the other, suggesting that MobileSafari uses Google's list (further reinforced by the fact that the "about" link takes you to a help page on Google.

So, I call sloppy research on the part of this security researcher (who writes "In fact, I have yet to identify a single phishing page blocked on the iPhone", emphasis his), since I was quite easily able to find several pages which were blocked.

Re:He didn't do his research.

[nneonneo]

For those of you who are curious and have never seen the phishing warning, here it is (two images were combined to show the full height of the message).

Re:He didn't do his research.

[teshuvah]

I have a 32GB iPhone 3GS phone, and I just put http://citibanking.ru/ into MobileSafari and the webpage loaded. I did not get the phishing warning or anything. Something is very inconsistent here if it works for some and not for others.

Re:He didn't do his research.

[nneonneo]

Is it running iPhone OS 3.1, and is the Fraud Warning option enabled under Settings->Safari?

Re:He didn't do his research.

[teshuvah]

Yes, forgot to mention I am running iPhone OS 3.1. And yes, fraud warning is turned on in settings. What model of iphone do you have? how are you connecting - wireless or 3G/edge?

Re:He didn't do his research.

[nneonneo]

iPod touch, first generation, firmware 3.1.1 (released yesterday), WiFi.

Re:He didn't do his research.

[teshuvah]

3.1.1? I only have 3.1 and it says I am up to date. Maybe this is a bug in 3.1 for the iPhone but it works for the iPod touch 3.1.1?

Re:He didn't do his research.

[nneonneo]

It's basically the same version, but the iPhone edition is labeled 3.1, while the iPod edition is 3.1.1. I don't think there's a major difference in the actual software.

Still, it's quite curious that it works for me but not for you. This would explain Michael's more recent observations.

Who cares?

[Stone+Wolf99]

Iphone security is already a joke. There's no anti-virus, firewall, or malware protection of any sort. Get a keylogger on one and any competent hack could bankrupt by buying up Itunes, the first time the owner buys anything on the app stores or itunes. That doesn't even count what could happen if someone were to actually make a purchase at an actual website with the thing. Apple is more worried about protecting the phone from people who want to put their own applications and themes on it, than they are with making it secure. Go figure.

Phishing vs. blacklists vs. whitelists

[Animats]

The trouble with phishing blacklists is that if you take a hard enough line to make them work, there's collateral damage. Blacklisting by URL is useless; most attackers with a clue use a different URL in each email. Even blacklisting by full domain is no longer enough; many attackers use a bogus subdomain for each phishing e-mail.

If you take a hard line and blacklist at the second-level domain, blacklists are more effective. We measure the collateral damage of doing that. We (as SiteTruth) maintain an updated list of major domains being exploited by phishing scams. This is a list of domains that are both in PhishTank with a hostile URL, and OpenDirectory, as "major". Today, there are only 37 domains on the list, which is about as low as it's ever been. The high was around 175, back in 2008. This matters because the big-name sites are likely to be whitelisted, and phishers look for exploits that will let them use a big-name domain to evade filters.

We nag sites into fixing security holes which allowed some phishing site to exploit them. Microsoft, Yahoo, and eBay have cleaned up their act. Only a few major sites are still on the list. Google is on the list because someone figured out a way to use a Google Docs spreadsheet to host a phishing site. Piczo.com, a free hosting service now hosting 103 phishing URLs, just doesn't seem to care. The other sites with more than one entry tend to be dying hosting services: Geocities, FortuneCity, RoadRunner.

The problem of big-name sites being exploited by phishers is coming under control. It's probably safe to blacklist by second-level domain now. (If only Google gets their act together and deals with that spreadsheet exploit.)