Although the impending release of the iPhone’s Software Development Kit (SDK) could enable applications to be written be developers for the phone, there has been talk that it may bring up a number of possible security issues.
In a statement posted on Apple’s website, CEO Steve Jobs announced that the iPhone’s SDK will be released shortly after the New Year.
“Let me just say it: We want native third-party applications on the iPhone, and we plan to have an SDK in developers’ hands in February,” he stated.
He declared that the reason why Apple needs more time for the development of the SDK is because they are trying to successfully achieve two things. First is to be able to offer developers an open and advanced platform and the second is to protect the end-users from privacy attacks, viruses and the like.
According to H.D. Moore, a noted hacker, the release of the SDK would finally allow the third-party developers to design applications that will be able to work on the iPhone, without creating a weakness in the Mac OS code of the iPhone. This because if this happens, security issues may arise.
He further stated on a blog post, “Using a security vulnerability to enable third-party development is nothing new, but in the case of iPhone, this can be a problem.”
Chris Andrew, VP of Security Technologies at Lumension, said to SCMagaazineUS.com that the development of the SDK comes with a warning. “As long as the [iPhone] is a closed platform, it’s not a very big attack target, but once you can get other applications on it, there’s potential for exploits, just like those we see for any other platform,” he declared. “The Mac OS is one of the more secure operating environments, and [security vulnerabilities on the iPhone] have not been a huge issue so far. But as you open it to developers who will provide a bunch of new applications, any new applications, especially networking applications, can have [the] same kinds of problems we see in desktop software.”
Meanwhile, Jobs advised that it would only take a little more time for the iPhone to be targeted by hackers.
As Jobs went on on his announcement,
“Some claim that viruses and malware are not a problem on mobile phones — this is simply not true…There have been serious viruses on other mobile phones already, including some that silently spread from phone to phone over the cell network. As our phones become more powerful, these malicious programs will become more dangerous. And since the iPhone is the most advanced phone ever, it will be a highly visible target,” he said. “We are working on an advanced system which will offer developers broad access to natively program the iPhone’s amazing software platform while at the same time protecting users from malicious programs.”
There are a few researchers in the market that already see the iPhone as a security “open hole.” For example, Moore posted that “every process runs as root. MobileSafari, MobileMail, even the calculator, all run with full root privileges [on the iPhone].”
“Any security flaw in any iPhone application can lead to a complete system compromise,” noted Moore. “A rootkit takes on a whole new meaning when the attacker has access to the camera, microphone, contact list and phone hardware. Couple this with ‘always-on’ Internet access and you have a perfect spying device.”
On the other hand, nCircle Security Director Andrew Storms said to SCMagazineUS.com that a little credit is deserved by Apple for giving information about possible security issues.
“We have to applaud Apple’s admission that mobile phones are an attack vector for viruses and malware,” he pointed out. “Other mobile phone vendors have not yet admitted this, and these vendors will definitely be behind the curve in protecting their users.”
Storms further stated that Jobs is actually making Apple’s public position on security better.