Security Review: Apple iPhone 3rd party application support

By jimg at 10:54 pm on March 9, 2008 | 2 Comments

On Thursday, Apple happily unveiled its plan for third-party support of native iPhone applications. The plan involves an application development and distribution pipeline: an iPhone SDK, a suite of IDE tools, and a sales and distribution channel through the new iPhone “App Store”. Apple is restricting the distribution of third-party applications to its App Store by requiring an iPhone developer account; there will be no other supported way to get third-party applications onto the iPhone. Apple has also claimed that no malicious or pornographic software, and no software with security vulnerabilities, will be distributed through the store.

There are a number of assets touched by Apple’s new iPhone development plan. For instance, an iPhone user’s private data should be protected from unauthorized access by third-party applications obtained through the App Store. Additionally, Apple is opening up a large amount of information about the inner workings of the iPhone’s software and hardware; the SDK must not introduce, or reveal, vulnerabilities in the device that attackers could exploit. The distribution model introduces other security issues. Because the App Store is the only method for obtaining iPhone applications, and Apple is choosing to host and sell all of them, the onus is on Apple to ensure that no malicious software is distributed through its channel. It needs to protect its users’ trust and safety.

The iPhone is an interesting subject for security review because there is a wide range of potential entities that could attack it. The iPhone is an exceptional device because it is used not just as an address book; it also stores a lot of other private information such as website passwords, real-time geographic location, and web browsing history. Spammers, greedy corporations, data miners, enemies and ex-girlfriends might all have an interest in exploiting weaknesses in the distribution system. Threats to this system come from two angles: the phone and its data, and the distribution system for applications. Threats to the phone involve an attacker gaining access to personal or private data by exploiting an application through the web browser or over the cellular network. Threats to the distribution model include an attacker discovering how to install third-party applications that bypass Apple’s distribution model and thus evade the security measures in place.

One serious weakness in Apple’s distribution system is the impossibility of code reviewing every line of every program being distributed. This leaves open the possibility of a developer introducing vulnerabilities onto iPhones, whether intentionally or not. These vulnerabilities can take the form of buffer overflows or other memory-safety bugs introduced by bad programming, or they can be intentional back doors introduced by dubious developers. They are compounded by the fact that every application on the iPhone runs as the root user, so a compromised application has full control of the device rather than being confined to its own data.

There are several defenses that might be employed against adversaries attacking either the phone itself or the distribution system. Apple requires developers who want to distribute their application to pay a $99 fee to obtain a signing certificate with which to sign the application. This might serve as a deterrent against developers who want to distribute malicious code, as their work can easily be traced back to them. Another defense against such malicious applications is Apple’s ability to stop distribution of applications that have been found to contain dubious code. It would also be good from a security standpoint for Apple to be able to remotely disable malicious programs, although this raises ethical issues. Apple might also apply code review and static analysis to the applications submitted for distribution in order to stop malicious code from ever reaching end users.
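To make the accountability and revocation arguments above concrete, here is an added example (not code from the original post, and not Apple’s actual certificate or code-signing format) of the trust chain such a store could enforce on the device: the store operator signs each registered developer’s public key, the developer signs the application binary, and the device refuses to run anything whose chain does not lead back to the store or whose developer has since been revoked. The names (IssueCert, SignApp, VerifyApp, Revocations, the developer ID “dev-1234”) and the use of Ed25519 over a SHA-256 hash of the binary are assumptions made for illustration; the sample binaries are constructed inline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// DeveloperCert is a hypothetical, simplified developer certificate: the store
// operator binds a developer identity to a public key by signing both together.
// Paying the developer fee is what gets a developer one of these.
type DeveloperCert struct {
	DeveloperID string
	PublicKey   ed25519.PublicKey
	StoreSig    []byte // store operator's signature over DeveloperID || PublicKey
}

// SignedApp is a hypothetical app bundle as it would arrive on the phone.
type SignedApp struct {
	Name   string
	Binary []byte
	Cert   DeveloperCert
	DevSig []byte // developer's signature over SHA-256(Binary)
}

// Revocations is the store's list of developers whose apps must no longer run;
// it is the "stop distribution / remotely disable" lever from the text.
type Revocations map[string]bool

var (
	ErrUntrustedDeveloper = errors.New("developer certificate was not issued by the store")
	ErrRevoked            = errors.New("developer certificate has been revoked")
	ErrBadSignature       = errors.New("binary does not match the developer's signature")
)

// certTBS is the byte string the store signs: the developer ID, a separator, and the key.
func certTBS(id string, pk ed25519.PublicKey) []byte {
	return append([]byte(id+"\x00"), pk...)
}

// IssueCert is the store's side of developer registration.
func IssueCert(storePriv ed25519.PrivateKey, id string, devPub ed25519.PublicKey) DeveloperCert {
	return DeveloperCert{DeveloperID: id, PublicKey: devPub, StoreSig: ed25519.Sign(storePriv, certTBS(id, devPub))}
}

// SignApp is the developer's side: sign the hash of the exact bytes being shipped.
func SignApp(devPriv ed25519.PrivateKey, cert DeveloperCert, name string, binary []byte) SignedApp {
	h := sha256.Sum256(binary)
	return SignedApp{Name: name, Binary: binary, Cert: cert, DevSig: ed25519.Sign(devPriv, h[:])}
}

// VerifyApp is what the device runs before installing or launching an app. It
// returns the accountable developer ID on success, so every running app is
// traceable to a registered (and paid-up) developer.
func VerifyApp(storePub ed25519.PublicKey, revoked Revocations, app SignedApp) (string, error) {
	// 1. The developer certificate must chain to the store operator's key.
	if !ed25519.Verify(storePub, certTBS(app.Cert.DeveloperID, app.Cert.PublicKey), app.Cert.StoreSig) {
		return "", ErrUntrustedDeveloper
	}
	// 2. The store must not have pulled this developer since the cert was issued.
	if revoked[app.Cert.DeveloperID] {
		return "", ErrRevoked
	}
	// 3. The binary on disk must be the one the developer actually signed.
	h := sha256.Sum256(app.Binary)
	if !ed25519.Verify(app.Cert.PublicKey, h[:], app.DevSig) {
		return "", ErrBadSignature
	}
	return app.Cert.DeveloperID, nil
}

func main() {
	storePub, storePriv, _ := ed25519.GenerateKey(rand.Reader)
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	cert := IssueCert(storePriv, "dev-1234", devPub)
	app := SignApp(devPriv, cert, "Notes", []byte("constructed sample binary v1"))

	report := func(label string, rev Revocations, a SignedApp) {
		id, err := VerifyApp(storePub, rev, a)
		fmt.Printf("%-28s developer=%q err=%v\n", label, id, err)
	}

	report("genuine app", Revocations{}, app)

	// A binary modified after signing (e.g. a trojaned copy) fails step 3.
	tampered := app
	tampered.Binary = append(append([]byte(nil), app.Binary...), "; trojan payload"...)
	report("tampered binary", Revocations{}, tampered)

	// The store pulling the developer makes every app of theirs fail step 2.
	report("developer revoked", Revocations{"dev-1234": true}, app)

	// A developer who never registered can only self-sign, which fails step 1.
	roguePub, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	selfSigned := DeveloperCert{"rogue", roguePub, ed25519.Sign(roguePriv, certTBS("rogue", roguePub))}
	report("self-signed developer cert", Revocations{}, SignApp(roguePriv, selfSigned, "Notes", app.Binary))
}
```

The order of the checks matters: the developer certificate is validated first so that a forged certificate cannot even be looked up in the revocation list, and revocation is checked before the binary signature so that a revoked developer’s still-valid signatures do not help them. Note that this scheme only traces and stops apps; it does nothing about a registered developer shipping an honest mistake such as a buffer overflow, which is why the text also calls for review and static analysis.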

With Apple’s new SDK, the risks are large. The iPhone carries a huge amount of personal data that is always up to date. A person’s phone being data-mined, taken offline, or hijacked could cause huge losses financially, in privacy, and in convenience. If a person downloads third-party applications, they are “assured by Apple” that the application is safe, which may be a problem if people lower their guard.

As Apple breaks new ground in the mobile market there are bound to be pitfalls along the way. Unfortunately the risks are high. People use their phones to hold a large amount of personal, sensitive, and real-time data. The iPhone is essentially a mini computer that is always on the network. This is a huge asset to protect, and it is being protected by a company that isn’t necessarily used to dealing with such mission-critical devices.

Apple’s business decisions for the iPhone are additionally complex. For a company that has traditionally favored very closed systems, it is surprising that it is going to such lengths to open the device to third-party developers. This puts a lot of reliance on Apple’s ability to keep the secured parts of the pipeline (the developer SDK, developer accountability, and the distribution channel) secure. If any of these is compromised, Apple may be held responsible, possibly at a legal level.

Collaborative effort: jimg and robert

Filed under: Announcements, Current Events, Ethics, Security Reviews

2 Comments

  • 1

    Comment by iPhone Software

    March 12, 2008 @ 6:06 pm

    It was a risk on Apple’s part to take this approach. They were D’d if they did and D’d if they didn’t when it came to how open they would be with the SDK. Only time will tell.

  • 2

    Comment by hackyourlife

    September 7, 2008 @ 7:06 am

    One thing I don’t like about Apple is they control too much
