Apps make iPhone vulnerable to attack

@CNNMoneyTech August 4, 2011: 9:53 AM ET

Cybersecurity experts said that several popular free apps, such as Facebook and Twitter, lack a key feature to protect iPhone users from attacks.

LAS VEGAS (CNNMoney) -- Apple introduced an important security feature in the latest version of the iPhone's software, yet it is rarely used by third-party applications, leaving users vulnerable to a targeted attack.

The feature, known as address space layout randomization, or ASLR, randomizes key pieces of data in the iPhone, making it difficult for attackers to find where they're stored.

One component of ASLR, known as position-independent executable, or PIE, hides executable code that hackers can use to carry out attacks. When enabled, those tools can help protect the iPhone from being remotely exploited by a hacker.

All of the applications that come pre-installed on the iPhone running the latest software version, iOS 4.3, use both ASLR and PIE. But only the iPhone 3GS and iPhone 4 have access to iOS 4.3. In the U.S., the update is only available for AT&T customers and is not yet on Verizon's iPhones.

In fact, most third-party apps have poor data encryption, and they are rarely compiled with the security features that Apple put in place, said Dino Dai Zovi, independent security consultant and notorious Apple hacker, at the Black Hat cybersecurity conference in Las Vegas on Wednesday.

"That's a pretty serious threat factor," he argued.

Without those features, a hacker could exploit an app's vulnerabilities and take over a phone when a user clicks on a malicious link.

For instance, a click-happy user could tap on the wrong link in the Twitter or Facebook apps -- neither of which has PIE support -- and the user's iPhone could be taken over by a hacker.
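Whether an app was built with PIE is recorded as the MH_PIE flag in the header of its Mach-O executable, so it can be checked before the app is approved for a device fleet. The following is an added example, not part of the original article or of any tool it mentions; the sample bytes are constructed, and the function names are hypothetical.

```python
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF  # thin Mach-O, 32- and 64-bit
FAT_MAGIC = 0xCAFEBABE    # universal (multi-architecture) file, big-endian header
MH_EXECUTE = 0x2          # filetype of a main executable
MH_PIE = 0x200000         # header flag: main executable may load at a random address

def slice_pie(data, off=0):
    """Return ((cputype, cpusubtype), has_pie) for the Mach-O image at off."""
    for endian in "<>":
        magic, cpu, sub, filetype, _, _, flags = struct.unpack_from(endian + "7I", data, off)
        if magic in (MH_MAGIC, MH_MAGIC_64):
            if filetype != MH_EXECUTE:
                raise ValueError("not a main executable")
            return (cpu, sub), bool(flags & MH_PIE)
    raise ValueError("no Mach-O header at offset %d" % off)

def pie_report(data):
    """Map every architecture slice of an executable to its MH_PIE status."""
    magic, count = struct.unpack_from(">II", data, 0)
    if magic != FAT_MAGIC:
        return dict([slice_pie(data)])
    report = {}
    for i in range(count):
        _, _, offset, size, _ = struct.unpack_from(">5I", data, 8 + 20 * i)
        if offset + size > len(data):
            raise ValueError("slice %d lies outside the file" % i)
        arch, pie = slice_pie(data, offset)
        report[arch] = pie
    return report

def build_sample():
    """Constructed universal file: armv6 slice without PIE, armv7 slice with it."""
    def thin(sub, flags):  # 28-byte little-endian ARM header, zero load commands
        return struct.pack("<7I", MH_MAGIC, 12, sub, MH_EXECUTE, 0, 0, flags)
    slices = [(6, thin(6, 0x85)), (9, thin(9, 0x85 | MH_PIE))]
    out, offset = struct.pack(">II", FAT_MAGIC, len(slices)), 8 + 20 * len(slices)
    for sub, blob in slices:
        out += struct.pack(">5I", 12, sub, offset, len(blob), 0)
        offset += len(blob)
    return out + b"".join(blob for _, blob in slices)

if __name__ == "__main__":
    for arch, pie in pie_report(build_sample()).items():
        print(arch, "PIE" if pie else "no PIE: loads at a fixed address")
```

A universal app counts as protected only if every slice reports PIE, since the device runs whichever slice matches its processor.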

Even with that vulnerability in place, it's not an easy process to take control of an iPhone. An iPhone attacker who finds a bug can't get very far without gaining access to the system administration or "root" of the device.

But in an iPhone, even root access does not give a hacker access to the core of the phone known as the kernel, which connects the software to the hardware. And even if an attacker has access to the kernel, that access doesn't necessarily extend to every application or survive a reboot of the iPhone.

"That's what makes jailbreaking apps so impressive, because it takes a lot more steps to attack an iPhone than a desktop," said Dai Zovi. "IOS is not perfect, but it makes the attacker work extra hard."

Still, those kinds of hacks of the iPhone's system are possible, albeit technically challenging.

Exploiting third-party apps' vulnerabilities isn't the only way to attack an iPhone, Dai Zovi said. Hackers could make Apple think they're a trusted developer and send malicious apps over the air to a group of iPhones.

Apple uses certificates to verify a developer's credentials, even going as far as to identify the real person who published or authored a piece of software before an app makes it into the app store.

But corporate developers have the ability to bypass the app store and remotely send proprietary apps to iPhone users in their company. With a stolen corporate developer's certificate, an attacker could even distribute compromised apps over the air to unknowing victims and target those users for attack.

Dai Zovi also noted that corporate iPhone customers who use Microsoft Exchange e-mail accounts could be at risk: The passwords for ActiveSync, a Microsoft tool that syncs data between the iPhone and a user's computer, are always made accessible so that IT departments can wipe a phone's memory if it's lost or stolen.

"It's a serious issue, making the iPhone less secure than you'd hope," said Dai Zovi.

He recommended that corporate security professionals wait for the next version of the iPhone's operating system before they allow for company-wide usage of the devices.