Security Firms Can't Protect iPhone From Threats
nk497 writes "F-Secure researchers are calling attention to the fact that it's impossible to run third-party anti-virus on iPhones, because the SDK doesn't allow for it. It's a problem, as they claim malware will start to target the phone. 'None of the existing anti-virus vendors can make one, without help from Apple,' chief research officer Mikko Hypponen said. 'Apple hasn't been too interested in developing antivirus solutions for the iPhone, because there are no viruses, which of course, isn't exactly true.' At the moment, the only worms faced by the iPhone have targeted unlocked, jailbroken devices — so Apple's not too bothered protecting users of such phones." While Apple claims that the iPhone's closed nature offers protection to its users, and security vendors maneuver for a piece of a market now closed to them, clearly both sides are pushing their own self-interest.
And it's from Apple.
So it's doubly perfect. It's not like Mac OS has any security problems either.
So nothing to see here.
May contain traces of nut.
Made from the freshest electrons.
At the moment, the only worms faced by the iPhone have targeted unlocked, jailbroken devices — so Apple's not too bothered protecting users of such phones.
Of course, it's just better for Apple if the viruses do go around in jailbroken devices.
And how would iPhone support antivirus anyway? It can only run one program at a time.
From the summary, F-Secure: "'Apple hasn't been too interested in developing antivirus solutions for the iPhone, because there are no viruses, which of course, isn't exactly true.'"
No, indeed, only jailbroken phones were infected. Thus the obvious solution for F-Secure would be to bring out an app in Cydia or other app stores for jailbroken devices.
Of course, rather than do something, their execs prefer to spend their time whining.
8 of 13 people found this answer helpful. Did you?
...all you have to do is to give me some money every week...If I were you, I'd think about what can happen to that pretty phone if it wouldn't be protected...
On second thought, let's not go to Camelot. It is a silly place.
If it's like desktop anti-virus, it will have its own vulnerabilities, take up more resources than I'd like, cause buggy behaviour or incompatibilities with other apps, and feed me false positives too often.
I don't need that on my phone. Since the only real malware we've seen for the iPhone involves jailbreaking and then not properly managing your phone, I can do without.
...and here it is:
Some fella develops and distributes some serious virus that "shuts down" a big number of iPhones...
This generates [bad] publicity for the device...
The media pick the story up...(in the meantime, it's "damage control" for Apple)...
Android is touted as the best alternative...
Motorola and Co. jump on the bandwagon...
What next? Profits, numbers and market share for the Droid.
Question is: Am I wrong?
FUD
For those new to the internet, that would be Fear, Uncertainty, and Doubt. This sort of garbage would be a pretty classic example of it.
I tend to be wary when using my crystal ball, but this time I want to make a prediction: This is an intended development, and we'll see more of it in the future. Jailed devices that are deemed intrinsically secure. People who dare to unlock their device not only open themselves up for infections, they also can't get any help to make their devices secure again because everyone who could or would offer them this help is locked out.
Now add laws that started to creep into our legislative where you're legally responsible for it if your device is insecure and doing something illegal.
In the long run, you will only be secure and not responsible for anything your device does if you don't mind not owning it.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Apple isn't too concerned because all apps run in a sandbox. There would have to be a very glaring hole in iPhoneOS for an attacker to be able to take over an iPhone in this way. I remember a vulnerability that allowed exploitation through doctored SMS packets somehow, but I'm not sure how serious it was. At any rate, that's fixed now as far as I remember. Really, this is just about anti-virus companies trying to instill fear in the hearts of ignorant users. iPhone users that have jailbroken their iPhone have made it their own responsibility to look after security and I don't believe for a second that F-Secure is targeting *them* (SDK limitations wouldn't be a roadblock in that case). I see very little opportunity for a hacker to invade an iPhone, and thus it's not a huge priority to install any security software on the iPhone.
... that can be used by any Tom, Dick or Harry and screw up or silently alter the functioning of the kernel?
Oh, shame. I guess they'd better stick to using Windows if that's the sort of environment these antivirus writers are happy working in.
This is even more stupid than their attempt to sell antivirus for Palm OS.
There is no mechanism for transmission between one iPhone and another UNLESS the iPhone is jailbroken.
So Symantec only needs to write antivirus for jailbroken iPhones. And Apple would have no way to prevent them. So what's their problem?
F-Secure cannot get money out of iPhone users, therefore whines and tries to scare executives.
Stupidity is the root of all evil.
"While Apple claims that the iPhone's closed nature offers protection to its users"
I don't have a Blackberry, so I don't know the answer. But are there AV programs available for the various Blackberries out there? Or are they just singling out Apple and the iPhone because it's convenient to do so?
Going further, I have absolutely no patience with people who hack iPhones. A phone is an appliance connected to a public asset - EM bandwidth. People using public assets have a duty of care, and it's the failure of duty of care (tragedy of the Commons) that has done a lot of damage to society.
What I do on my own local network is my affair, but I think increasingly we should have a reasonable expectation that anything connected to a public network is properly secured and maintained, just like (in the UK at least) we test cars annually to check they are safe on the road. I'm afraid that the Wild West days of the Internet are increasingly over - and the excesses of some people are bringing down an overreaction.
Over the next 20 years we have to find a way to put the genie back in the bottle without killing the genie or spoiling the bottle. The politicians will try to screw this up. But the rest of us need to realise that we need to grow up too - we need to understand that if we want a reliable public internet and mobile phone system, we need to stop treating people who act irresponsibly as if their behaviour was acceptable or clever. Otherwise anti-virus and anti-malware software will continue to eat up too many of our CPU cycles, shorten the lives of our hard drives, and cause increasing frustration to those of us who actually need to earn a living, and have to use the Internet and the phone system to do it.
From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."
I thought it was running some form of Unix/Linux sort of OS.
I realize these modern day snake oil salesmen have convinced corporate America that their product is effective against all viruses on all platforms. However if you look at the definition file that they install on all the systems you'll see that the signatures list which platform they're for. I was curious so I grepped the file. Turns out that while there's hundreds of thousands of Windows definitions in the file there's only tens for Linux and fewer for Sun.
When pressed on this they'll tell you that they look for all those viruses so they aren't passed by the ftp/http/mail server on the Unix box. While there's some merit to this position I don't see how it's at all relevant to the iPhone.
That's all I hear.
Except requiring a username, password, and registered device id# combination to download updates
Then one hacked version of the antivirus app would upload the updates to a pirate server, and the publicly available hacked version of the antivirus app would download the updates from that server.
BTW, if the original "anti-virus expert" really put unlock and jailbreak as the same thing, he needs to learn more about iPhones.
Jailbreak is breaking out of the chroot jail. It gives you root access so you can do wonderful things like install an SSH daemon (which, unfortunately, uses a standard password which the worms out there are exploiting now), as well as install apps that you want instead of only those that have passed Apple's draconian approval service.
Unlocking is SIM-unlocking, its purpose is so that an unauthorized SIM card (in the US that means non-AT&T) works on the iPhone. If you're using an AT&T card, you don't need to unlock, but you can still jailbreak. You need to run a software not authorized by Apple to do the unlock, so to unlock you *need* to jailbreak.
As for F-Secure, eh, fuck 'em. Their threat of Symbian viruses is also snake oil, it requires the most idiotic of idiots to see "Hmm someone wants to send me something over Bluetooth. OK I'll accept. Transfer finished. Let's open it. Oh it wants to install an app, should I install or should I deny?" and F-Secure sells you unproven protection if you say "install". Goddamnit, if you are so goddamned dumb, you deserve to get swindled by this company.
What time is it/will be over there? Check with my iPhone app!
"F-Secure researchers are calling attention to the fact that it's impossible to run third-party anti-virus on iPhones, because the SDK doesn't allow for it. It's a problem, as they claim malware will start to target the phone"
Why not use the same method the malware writers use? Oh, wait, it isn't possible unless the user explicitly jailbreaks the device and uses the default password in SSH...
Oh my God! My PS3, 360 and Wii are on the internet and they don't have anti-virus, too! What are we going to do!
Seriously, this is news for nerds? Some morons jailbreak their phones, leaving SSH with a default password, they get hacked, and suddenly A/V firms think they have an "in"? You could install every A/V program on the planet on a Windows PC, but if you install SSH with a default password, it will still get hacked.
today is spelling optional day.
This smacks to me very similarly to what happened originally with the pre-release Vista. MS was going to lock down the kernel and Norton and the other anti-virus companies screeched monopoly and restriction of trade. The result was a weakened model so these parasites could continue to make and sell their products. Apple has never been a target of viruses for reasons that have been debated over and over. Mainly because of the spread of the iPhone, these companies now see a market and want in... even if the product is not really needed. The anti-virus companies' characterization of Apple as uncaring of their users is a tactic. If I were Apple, I wouldn't care about the anti-virus companies either. Mind you if I was MS, I would have locked the kernel and told the AV vendors to screw off. Apple is actually doing the right thing.
.... WOOOOOOOOOOOOOOOOSH !!
something flying over our heads?
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
In the early days, there were some remote exploits that you could use to jailbreak a device but those remote exploits were fixed soon after the jailbreaking community discovered the holes and published their software.
The official firmware from Apple is essentially hardened now against any remote attacks or malware attempting to run so there is no market for anti-virus on the iPhone.
Jesus was a compassionate social conservative who called individuals to sin no more.
If you don't think that this is an orchestrated effort, wake up.
Check out the timeline of the vulnerability releases. From the first one that just alerted the user, the next that rick rolled, the next that actually did naughty things.
The very first news snippets fully explained what happened, how it could happen, that the user was at fault, and how users could fix it, along with potential suggestions to providers on how -they- could prevent these attacks across their network.
Then the next few always pointed out that non-jailbroken iPhones would not be at risk because, hey, those users -can't- install OpenSSH anyway.
Lately, news items just mention that jailbroken iPhone users are at severe risk.
I'm not claiming Apple is being the grand orchestra conductor - it may very well be self-regulation among news sites who want to continue to paint iPhone in the joyful light so that every small news item on it is bound to get a crapton of page (and thus ad) views, and keep Apple on their good side for potential review items.
Either way, public opinion is being formed by this type of reporting, and it's working. Even on Slashdot more and more voices say that jailbreaking your iPhone is something that should not be done - for a variety of reasons.
users long for McAfee32.exe eating up 10-15% of CPU time, while intercepting network traffic and checking your mails. Clearly.
If my phone got exploited I'd just restore from my latest backup, it might take all of twenty minutes.
There are no viruses for OS X, none. Maybe, in the future, there will be, but there are none now. The only reason there are any 'viruses' for the iPhone is b/c jail-broken ones all have the same ssh password. Change it, and the 'virus' can't hurt you.
The best way to get viruses on a Mac is to install Windows on it.
I run
Jail breaking is obviously not for everyone... i.e., those who don't change the root password to their phone as per Rocks, Icy, and Cydia's warning when installing OpenSSH.
If Apple let people customize their phones like I detailed above, I'd really have no need for Jail Breaking. But I want specific features out of my phone, I'm ready to assume the risks, and lower battery life (which is why I have three chargers, 2 at home, 1 at the office because I only get a day and a half of battery life).
Yes, this is mildly off topic... But no, I do not think an Anti-virus for the iPhone will make things any better... Jailed phones don't need it, most jailbroken users are smart enough to not need it.
iLocalis is a clone of "Find My iPhone", a feature of the 3.x firmware.
Winterboard is customizable but it is also slow and unstable.
OpenSSH Server has no business on a phone. There are several SSH clients in the app store for connecting to other machines for administrative purposes. If you feel the need to have a phone that requires administration, I would suggest looking at a Windows Mobile phone. I hear that they have all sorts of interesting crashes and race conditions.
If you want Intelliscreen, it sounds like you would be happier with a Windows phone but there are obviously trade-offs like no integration with a jukebox and no app store.
MyProfiles is a solution looking for a problem. It is such a small niche that it is not worth it for Apple to invest time in providing such a feature.
If you want to hack phones, I'd suggest getting another type of phone. The iPhone is designed to be an appliance for busy people to use and have it "just work".
Jesus was a compassionate social conservative who called individuals to sin no more.
Security firms? You mean like Symantec, Trend Micro, etc.? How about Microsoft's own latest security offerings? Why don't you ask those guys why their products don't detect Specter 360 or CNE? This is commercial spyware and is invisible to anti virus and anti spyware products from all these companies.
See for yourself.
As a Linux system administrator I fully understand the purpose of jailing my apps as most of my processes on my Linux servers are jailed and in some instances running in a VM inside of the OS.
Find my phone is a clone of iLocalis, not the other way around since iLocalis has been around since the 2.x days of iPhone. iLocalis provides enhanced features that Find My Phone does not, such as the ability to activate call forwarding, lock out the phone completely, backup the contents of the phone, wipe it out, record audio from where the phone is, be located of where your friends are (like Latitude), share my location on my own website, etc...
I've never had a problem with Winterboard becoming slow or being buggy. It has always worked for me. It's the skins people develop that are the problem, simply remove the skin and problem solved.
I agree that OpenSSH doesn't need to be on the phone. And Rock and Cydia do not force you to install it. I installed it because as a geek I like to tinker.
I wouldn't be happier with a Windows Phone because there are not nearly as many apps for a Windows Phone, and I dislike the interface for Windows Mobile.
MyProfiles isn't a solution to a problem that doesn't exist. I can't remember the number of times when I've gone to a meeting, hospital, movie, or other event and forgot to silence my phone, and it rings. Or being woken up at 3AM by a buddy who's drunk off his ass being an idiot. I want to be able to receive calls from important people all hours, like my parents... But silence my phone to the rest of the world during certain times. MyProfiles just automates this for me instead of having to change multiple settings to accomplish the same thing that it can do for me.
The iPhone is a nice appliance. And one of the easiest manipulated, which is why I chose the iPhone. Sure I could have got an Android phone, but where is the fun in that? For those who want a nice polished piece of plastic, the iPhone does that too. For me, it's a powerful tool I use to run my day.
For example; some of the files downloaded as part of the update would be encrypted with a key based on the device ID
And decrypted during upload to the pirate server.
and then digitally signed with a key only available to the software maker.
And re-signed with the pirate's private key.
as soon as you update the app, the hack is gone.
Pirates of course would provide their own updates as cracked versions of the official updates. Look at cracked versions of PSP firmware for instance.
Since the pirates don't have access to the specifications of the proprietary protocol used to transfer the updates
They have the executable code that implements the client side of this protocol.
as soon as the main program executable is updated to be able to read the new version of the datafile format, it will also detect if the control block has been tampered with in attempt to run it on the wrong device hardware ID#.
Unless the pirate NOPs out this check in the cracked version.
Baloney. I want to use the fact that my phone is in fact a complete UNIX machine. Don't you dare tell me that this is unnecessary and as such must not be done. I love the fact that the iPhone has such a useful and intuitive GUI, but it's missing some stuff. Because it's actually so flexible, despite Apple's intentions, it can in fact do all that. Did you know that you can run a VNC server on the phone itself, so you can control the screen through any VNC client?
In any case, who do you think you are to be dictating tradeoffs? The iPhone is actually quite a hackable device, as evidenced by all the quality jailbroken programs that you just dismissed.
I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
It's curious watching how the mod points work - I get modded up, but then a load of mod points evidently get dished out to an Apple fan who, rather than debate facts, is incapable of that, and mods down anything that disagrees with his pro-Apple worldview.
When will Slashdot return to distributing mod points fairly (I haven't had any in years), instead of giving loads of points to a small handful of people?
Asking fair questions is not a troll. Similarly for my other posts, talking on-topic is not off-topic. Whoever did this should be the one to lose mod points.
You can jailbreak if you want but you should be aware that your phone is no longer secure once you do that and any personal information that you store on your device can be compromised. The BSD jails prevent other applications from accessing data that does not belong to them.
Jesus was a compassionate social conservative who called individuals to sin no more.