Slashdot Mirror


Security Firms Can't Protect iPhone From Threats

nk497 writes "F-Secure researchers are calling attention to the fact that it's impossible to run third-party anti-virus on iPhones, because the SDK doesn't allow for it. It's a problem, as they claim malware will start to target the phone. 'None of the existing anti-virus vendors can make one, without help from Apple,' chief research officer Mikko Hypponen said. 'Apple hasn't been too interested in developing antivirus solutions for the iPhone, because there are no viruses, which of course, isn't exactly true.' At the moment, the only worms faced by the iPhone have targeted unlocked, jailbroken devices — so Apple's not too bothered protecting users of such phones." While Apple claims that the iPhone's closed nature offers protection to its users, and security vendors maneuver for a piece of a market now closed to them, clearly both sides are pushing their own self-interest.

39 of 137 comments

  1. It's closed so it's perfect by Fred_A · · Score: 3, Insightful

    And it's from Apple.

    So it's doubly perfect. It's not like Mac OS has any security problems either.

    So nothing to see here.

    --

    May contain traces of nut.
    Made from the freshest electrons.
    1. Re:It's closed so it's perfect by rolfwind · · Score: 5, Interesting

      Anti-virus/anti-malware always seems to be a shitty bandaid to a badly designed system. Even running Windows 7, with UAC on, non-administrative account 99.999% time, always a non-IE browser, and very strict on what I run as .exe and where I download them, ad-aware just found some win32 trojan.

      Also, people forget this is supposed to be a portable device, even a phone sometimes. Remember what most A/V does to your desktop? I don't run A/V on my notebook, and I actually do want a decent battery life on my phone, as hard as that is to believe.

      However, I know there will be problems with the iPhone. I do wish its safari had the option of "noscript" and stronger adblock plus than its own system among other things. And that when you do use it for the first time, it would have a video on safe usage. You can't upgrade or improve the user, the weakest link, but at least you can try to lead that horse to water that is education.

    2. Re:It's closed so it's perfect by flanders123 · · Score: 2, Insightful

      Wake me when a security problem surfaces on a non-jail broken iPhone.

      The mac OS is not as closed as the iPhone, which is why it is more vulnerable.

      ...Still waiting.

    3. Re:It's closed so it's perfect by plover · · Score: 4, Insightful

      Look at it the other way: it's perfect, until it's not closed.

      What I mean is that Apple is doing the right thing. They should continue to deny anti-virus vendors from selling their warez, at least until there's a proven threat. And so far, there are none. From Apple's viewpoint, it's a great marketing tool to be so confident in their security that they won't compromise it by letting AV software on the platform. And for everyone who knows just how crappy AV software usually is (and how bad it drags down performance) it really is good news.

      Seriously. As long as Apple keeps patching the holes the jail breakers use (which they seem to do within days) there simply are no credible threats. Oddly enough, this means the jail breakers are actually their best allies, in that they absolutely have the strongest motivations to hack the iPhone; and since their jailbreaks must necessarily be public to be useful, Apple can keep in lockstep with them.

      That also means Apple must continue to keep it tightly closed, and never permit leaky crapware like Flash to run on it. Which indirectly benefits the rest of us, as that means sites that want to play nice with iPhones may provide usable Flash-free alternatives. We can hope, anyway.

      --
      John
    4. Re:It's closed so it's perfect by john82 · · Score: 2, Interesting

      RTFA.

      If you don't void the user agreement by jailbreaking your iPhone, you don't have this problem. Apple set up the environment. As it's designed, users are protected. If you choose to negate that design, you may have problems.

      Where is Apple's liability if you don't use it as designed (or as dictated in the UA)?

    5. Re:It's closed so it's perfect by Anonymous Coward · · Score: 4, Insightful

      It's false for anyone to claim that there are any active worms or viruses on iPhone. The reported worms don't target the OS but rather the fact that users are (1) explicitly installing OpenSSH and (2) not changing their default passwords. Any machine at all that is on the internet with a known root password is vulnerable. It's similar to buying a router and leaving the password at "password." Is this a flaw in the router or the user?

    6. Re:It's closed so it's perfect by SilverJets · · Score: 2, Insightful

      If Apple opens up the iPhone to allow third-party anti-virus programs to run, guess what will happen? All of a sudden there will be viruses for the iPhone. Gee, I wonder why Apple doesn't want to do that?

      No sympathy from me for people using hacked iPhones and getting trojans since they knew the risks when they hacked it.

    7. Re:It's closed so it's perfect by v1 · · Score: 5, Insightful

      This entire thing is just laughable. "we can't write A/V software for your product because no one can write software for the iphone that is, or that stops, viruses". So, they're asking Apple to create the problem, which they will then be able to sell a fix for.

      Just HOW stupid do they think we all are?

      The only people right now that have any use for antivirus or antimalware software for their iphone are those that have jailbroken them, in which case they could also install and run AV software. But there's not a big enough market for that at this point. If they really wanted to write it, they could, right now. There's just not enough profit in it yet.

      --
      I work for the Department of Redundancy Department.
    8. Re:It's closed so it's perfect by v1 · · Score: 2, Insightful

      AV Vendors please go back to the windows desktop PC where you came from.

      And a portion of the irony here is that this is partly the reason that windows has such a virus and malware problem. "We want the mac platform to be just as exploitable as the windows platform, so we can profit from it too."

      Uh... NO. Go away.

      --
      I work for the Department of Redundancy Department.
  2. F-Secure smells money by cerberusss · · Score: 5, Interesting

    From the summary, F-Secure: "Apple hasn't been too interested in developing antivirus solutions for the iPhone, because there are no viruses, which of course, isn't exactly true."

    No, indeed, only jailbroken phones were infected. Thus the obvious solution for F-Secure would be to bring out an app in Cydia or other app stores for jailbroken devices.

    Of course, rather than do something, their execs prefer to spend their time whining.

    --
    8 of 13 people found this answer helpful. Did you?
    1. Re:F-Secure smells money by sopssa · · Score: 2, Insightful

      Yep, if they are worried, just push it out to Cydia. Of course most (before someone comes whining, I did not say all!) of the users with jailbroken phones use pirated software, so there's no money in that.

    2. Re:F-Secure smells money by purpledinoz · · Score: 4, Funny

      I can imagine what Norton Antivirus will look like on the iPhone. First, everything would run slower, battery life would be cut in half, and a huge yellow annoying banner would attach itself to the browser reminding you that you are "PROTECTED BY NORTON ANTIVIRUS".

    3. Re:F-Secure smells money by sopssa · · Score: 3, Funny

      But it does protect you, because after the resources Norton Antivirus takes, there's none left to actually run anything!

    4. Re:F-Secure smells money by wickerprints · · Score: 4, Insightful

      What I think is most telling about that quote is how an AV company has blurred the distinction between a "virus" and what basically amounts to a default password security hole. Sorry, but how does that make me want to trust you to run software on my device if you don't care to demonstrate you know the difference between these two types of attack?

      The only reason why the jailbroken phones were vulnerable was because the default SSH password was not changed. No amount of AV is going to protect against a user's stupidity. This statement by F-Secure is about the money-making opportunity they're dying to exploit, and they're clearly riding the wave of negative publicity surrounding the closed platform nature of the iPhone.

    5. Re:F-Secure smells money by marcansoft · · Score: 3, Insightful

      I love how everyone pretends that recent trojan targeted "jailbroken" iPhones.

      It didn't. It targeted stupid users who happened to have a jailbroken iPhone. Specifically, it targeted users who install OpenSSH without changing the default password (ignoring warnings to the effect). There's no vulnerability here, and a stock jailbroken iPhone is not vulnerable. The same exact kind of malware can affect every poorly configured UNIX system out there - for example, that router-based botnet that infected routers with default SSH passwords running Linux. There are tons of Linux rootkits out there too, and servers with poor passwords are rooted all the time. Does that mean we urgently need craptacular AV software on all Linux boxes?

      On the other hand, it is true that a non-jailbroken iPhone has an extra layer of protection in the form of compulsive executable signing. Apple ostensibly has superior security (in non-jailbroken devices), but that's just because they lock down the device tight. It's "good" old Trusted Computing, the kind that does not trust the user. By jailbreaking the device, you're freeing yourself from nanny Apple's oversight. If it turns out you were better off with it, well, that's your own fault.

    6. Re:F-Secure smells money by cerberusss · · Score: 2, Funny

      I can imagine what Norton Antivirus will look like on the iPhone. [...] battery life would be cut in half [...]

      Cutting my current iPhone's battery life in half would mean that I need a USB connection in the toilet. Just to be able to browse Slashdot while taking a dump.

      --
      8 of 13 people found this answer helpful. Did you?
    7. Re:F-Secure smells money by NoOneInParticular · · Score: 2, Insightful

      No amount of AV is going to protect against a user's stupidity.

      And no amount of AV is going to protect against vendor/distributor stupidity either. Here we have a program, running on a non-firewalled device, which on install, instead of being non-functional, opens up to the whole world with a default password. This is not the 1990s, people! In this day and age, I expect a program to be secure by default... whatever it takes, even if it means it is non-functional at install.

      I actually have a jailbroken iphone on which I installed openssh. When I logged in I immediately realized the risk I was running and changed the password. However, between the time of installing openssh on my iPhone and the moment I changed the password there was at least a period of 5 minutes in which people could have hijacked the machine. Unforgivable. This distributor should be ashamed of himself.

  3. Re:better for apple by MrMr · · Score: 2, Funny

    Don't you get it: Running the antivirus software keeps all other programs including the malware from running.
    Sure sounds familiar...

  4. I can protect your pretty iPhones... by wzzzzrd · · Score: 2, Funny

    ...all you have to do is to give me some money every week...If I were you, I'd think about what can happen to that pretty phone if it wouldn't be protected...

    --
    On second thought, let's not go to Camelot. It is a silly place.
  5. I'm glad they can't make anti-virus for iphone. by stevens · · Score: 2, Informative

    If it's like desktop anti-virus, it will have its own vulnerabilities, take up more resources than I'd like, cause buggy behaviour or incompatibilities with other apps, and feed me false positives too often.

    I don't need that on my phone. Since the only real malware we've seen for the iphone involves jailbreaking and then not properly managing your phone, I can do without.

  6. I see an opening for Android... by bogaboga · · Score: 2, Interesting

    ...and here it is:

    Some fella develops and distributes some serious virus that "shuts down" a big number of iPhones...

    This generates [bad] publicity for the device...

    The media pick the story up...(in the meantime, it's "damage control" for Apple)...

    Android is touted as the best alternative...

    Motorola and Co. jump on the bandwagon...

    What next? profits, numbers and market share for the Droid.

    Question is: Am I wrong?

    1. Re:I see an opening for Android... by nneonneo · · Score: 3, Interesting

      Except that this scenario is next-to-impossible on stock iPhones, because of the aforementioned code-signing restrictions, sandboxed applications and other mechanisms which prevent this from being a general problem.

      Jailbreaking your phone makes all these safety nets go away: the kernel is patched so that it will run anything and applications are permitted to roam free across all of the device. At that point, you are on your own as far as security goes. If you, as a user, willfully ignore the instructions saying "Use 'passwd' to change the default password!!", then the resulting compromise of your iPhone is *entirely* your fault, and Apple doesn't even have to do "damage control". A rooted Android phone would suffer the same problems.

  7. The new logic of security by Opportunist · · Score: 3, Interesting

    I tend to be wary when using my crystal ball, but this time I want to make a prediction: This is an intended development, and we'll see more of it in the future. Jailed devices that are deemed intrinsically secure. People who dare to unlock their device not only open themselves up for infections, they also can't get any help to make their devices secure again because everyone who could or would offer them this help is locked out.

    Now add laws that started to creep into our legislative where you're legally responsible for it if your device is insecure and doing something illegal.

    In the long run, you will only be secure and not responsible for anything your device does if you don't mind not owning it.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  8. Apps run in a sandbox by Negatyfus · · Score: 2, Interesting

    Apple isn't too concerned because all Apps run in a sandbox. There would have to be a very glaring hole in iPhoneOS for an attacker to be able to take over an iPhone in this way. I remember a vulnerability that allowed exploitation through doctored SMS packets somehow, but I'm not sure how serious it was. At any rate, that's fixed now as far as I remember. Really, this is just about anti-virus companies trying to instill fear in the hearts of ignorant users. iPhone users that have jailbroken their iPhone have made it their own responsibility to look after security and I don't believe for a second that F-Secure is targeting *them* (SDK limitations wouldn't be a roadblock in that case). I see very little opportunity for a hacker to invade an iPhone, and thus it's not a huge priority to install any security software on the iPhone.

  9. No mechanism for transmission by argent · · Score: 5, Interesting

    This is even more stupid than their attempt to sell antivirus for Palm OS.

    There is no mechanism for transmission between one iPhone and another UNLESS the iPhone is jailbroken.

    So Symantec only needs to write antivirus for jailbroken iPhones. And Apple would have no way to prevent them. So what's their problem?

    1. Re:No mechanism for transmission by Locutus · · Score: 2, Insightful

      wow, they were really trying to sell anti-virus software for the PalmOS devices? There's a saying about having a hammer and everything looks like a nail and these anti-virus people sound like they've got the hammer. Windows was the perfect nail because it constantly needed pounding on to fix this or that flaw or breach. But when new products enter the market without the flawed security system of Windows, what's a lonely Windows security company to do? Make stuff up I guess.

      LoB

      --
      "Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
  10. Re:better for apple by Duradin · · Score: 2, Informative

    Only third party apps are barred from running in the background.

    Apple apps can and do run in the background which is why any AV company would have to work with Apple.

  11. News at 11 by damaki · · Score: 3, Insightful

    F-Secure cannot get money out of iPhone users, therefore whines and tries to scare executives.

    --
    Stupidity is the root of all evil.
  12. Security Through Obscurity Never Works by SwashbucklingCowboy · · Score: 2, Insightful

    "While Apple claims that the iPhone's closed nature offers protection to its users"

    1. Re:Security Through Obscurity Never Works by sznupi · · Score: 2, Informative

      It's NOT obscurity in this case! "Closed" here describes sandboxing/etc. mechanisms, which might just as well be OSS (AppArmor, SELinux)

      --
      One that hath name thou can not otter
  13. Phones must not need anti-virus by Kupfernigk · · Score: 5, Insightful

    I am being quite serious here. Mobile devices need good battery life, and there is a limit to what can be done with batteries and screens. If you need an anti-virus program, you are using more power and the battery life is shorter: end of story. Forget whether Apple is Gandalf or Sauron, their attitude is 100% correct.

    Going further, I have absolutely no patience with people who hack iPhones. A phone is an appliance connected to a public asset - EM bandwidth. People using public assets have a duty of care, and it's the failure of duty of care (tragedy of the Commons) that has done a lot of damage to society.

    What I do on my own local network is my affair, but I think increasingly we should have a reasonable expectation that anything connected to a public network is properly secured and maintained, just like (in the UK at least) we test cars annually to check they are safe on the road. I'm afraid that the Wild West days of the Internet are increasingly over - and the excesses of some people are bringing down an overreaction.

    Over the next 20 years we have to find a way to put the genie back in the bottle without killing the genie or spoiling the bottle. The politicians will try to screw this up. But the rest of us need to realise that we need to grow up too - we need to understand that if we want a reliable public internet and mobile phone system, we need to stop treating people who act irresponsibly as if their behaviour was acceptable or clever. Otherwise anti-virus and anti-malware software will continue to eat up too many of our CPU cycles, shorten the lives of our hard drives, and cause increasing frustration to those of us who actually need to earn a living, and have to use the Internet and the phone system to do it.

    --
    From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."
  14. The iPhone is running windows? by denebeim · · Score: 4, Insightful

    I thought it was running some form of Unix/Linux sort of OS.

    I realize these modern day snake oil salesmen have convinced corporate America that their product is effective against all viruses on all platforms. However if you look at the definition file that they install on all the systems you'll see that the signatures list which platform they're for. I was curious so I grepped the file. Turns out that while there's hundreds of thousands of windows definitions in the file there's only tens for linux and fewer for sun.

    When pressed on this they'll tell you that they look for all those viruses so they aren't passed by the ftp/http/mail server on the unix box. While there's some merit to this position I don't see how it's at all relevant to the iPhone.

  15. Re:FUD by mdwh2 · · Score: 3, Funny

    Be fair now - they couldn't find anything else for today's daily iPhone Slashvertisement, so they had to run with this.

  16. "Whaaaaaa!" by BlueBoxSW.com · · Score: 2, Insightful

    That's all I hear.

  17. Unlock != Jailbreak by netsharc · · Score: 3, Informative

    BTW, if the original "anti-virus expert" really put unlock and jailbreak as the same thing, he needs to learn more about iPhones.

    Jailbreak is breaking out of the chroot jail. It gives you root access so you can do wonderful things like install an SSH-daemon (which, unfortunately, uses a standard password which the worms out there are exploiting now), as well as install apps that you want instead of only those that have passed Apple's draconian approval service.

    Unlocking is SIM-unlocking, its purpose is so that an unauthorized SIM card (in the US that means non-AT&T) works on the iPhone. If you're using an AT&T card, you don't need to unlock, but you can still jailbreak. You need to run a software not authorized by Apple to do the unlock, so to unlock you *need* to jailbreak.

    As for F-Secure, eh, fuck 'em. Their threat of Symbian viruses is also snake oil, it requires the most idiotic of idiots to see "Hmm someone wants to send me something over Bluetooth. OK I'll accept. Transfer finished. Let's open it. Oh it wants to install an app, should I install or should I deny?" and F-Secure sells you unproven protection if you say "install". Goddamnit, if you are so goddamned dumb, you deserve to get swindled by this company.

    --
    What time is it/will be over there? Check with my iPhone app!
  18. Neither do game consoles! by ruiner13 · · Score: 2, Insightful

    Oh my God! My PS3, 360 and Wii are on the internet and they don't have anti-virus, too! What are we going to do!

    Seriously, this is news for nerds? Some morons jailbreak their phones, leaving SSH with a default password, they get hacked, and suddenly A/V firms think they have an "in"? You could install every A/V program on the planet on a windows PC, but if you install SSH with a default password, it will still get hacked.

    --

    today is spelling optional day.

  19. Non-jailbroken phones are 99.999 percent safe. by aristotle-dude · · Score: 2

    The reason why hacking the phone is called a jailbreak is because it essentially breaks the security sandbox mechanism called a BSD jail. All apps on the iPhone run inside of these sandboxes which prevent access to other sandboxes where other apps are running. On a non-jailbroken phone, all apps also have to be signed and installed via iTunes so it is basically impossible barring someone at Apple not screening the app first for malware to get onto the device.

    In the early days, there were some remote exploits that you could use to jailbreak a device but those remote exploits have now been fixed soon after the jailbreaking community discovered the holes and published their software.

    The official firmware from Apple is essentially hardened now against any remote attacks or malware attempting to run so there is no market for anti-virus on the iPhone.

    --
    Jesus was a compassionate social conservative who called individuals to sin no more.
  20. Re:Jail Breaking Makes sense NOT! by aristotle-dude · · Score: 2, Interesting

    Jailbreaking destroys the very security model which prevents malware from spreading. You seem to be ignorant of why the BSD jails exist in the first place.

    iLocalis is a clone of "Find My iPhone", a feature of the 3.x firmware.

    Winterboard is customizable but it is also slow and unstable.

    OpenSSH Server has no business on a phone. There are several SSH clients in the app store for connecting to other machines for administrative purposes. If you feel the need to have a phone that requires administration, I would suggest looking at a windows mobile phone. I hear that they have all sorts of interesting crashes and race conditions.

    If you want Intelliscreen, it sounds like you would be happier with a windows phone but there are obviously trade offs like no integration with a jukebox and no app store.

    MyProfiles is a solution looking for a problem. It is such a small niche that it is not worth Apple to invest time in providing such a feature.

    If you want to hack phones, I'd suggest getting another type of phone. The iPhone is designed to be an appliance for busy people to use and have it "just work".

    --
    Jesus was a compassionate social conservative who called individuals to sin no more.
  21. Re:better for apple by edivad · · Score: 2, Interesting

    Actually, someone already had a fully flagged AV solution for jailbroken iPhones ...
    http://www.appleiphoneschool.com/2008/05/05/ivirusscan-10b02/