The iPhone: Don't Trust the Client

There’s a high-stakes cat-and-mouse game that many folks aren’t even aware of going on right now. What’s more, this game includes timeless lessons for us all. I’m talking, once again, about Apple’s iPhone. Let’s take a look. Two months ago, I predicted here that Apple would have its hands full with people trying to find weaknesses in their iPhone. As we have now seen, that has come to pass. No, I’m not claiming to have some all-seeing crystal ball – indeed, just about anyone with the remotest knowledge of the security world wasn’t surprised by the attacks on the iPhone.

We now have some additional information, however. There have indeed been several weaknesses published regarding the iPhone. Although none have succeeded in completely compromising the device, they’ve all found various weak points that can be exploited by an attacker for different purposes.

Last week, just before the Black Hat conference – a coincidence, I’m sure – Apple released a few security patches to the iPhone that corrected at least some of these security defects. The patches were released using Apple’s standard firmware upgrade process on the iPhone: iTunes. Now, any iPhone owner who plugs his device into his Mac or PC to synchronize the device will automatically receive the updated firmware.

Big deal, right? We’ve been updating devices this way for quite a while. Why is this one different? Well, I see a couple of things. One is that several published reports have said that the update also scans the device for end-user modifications and undoes them. Most view this as Apple trying to wrest control of the device back.

There’s the cat-and-mouse game, as well as the timeless lesson. There are at least two ways of viewing Apple’s counter move here. One is that they’re taking control back by undoing what the “attackers” have done. This forces the attackers to re-analyze the system and possibly re-engineer their modifications so that they’ll work with the revised device.

The other view is that this “control” is nothing more than a temporary illusion. Face it, the device is owned by its user, and the user can basically do whatever he wants with the device. If security defects exist, they can be exploited. Sometimes they’ll be exploited accidentally; sometimes deliberately; sometimes maliciously; but they will be exploited inevitably.

And there’s our timeless lesson to pay attention to. Don’t trust the client. Or, more generally, don’t place trust in that which is not worthy of trust. If something is under the control of a user, we must assume it will be tampered with.

This holds for firmware on smartphones just as much as it does for, say, JavaScript running in an end user’s browser context. It can and will be tampered with.

Now, I will say that I find it encouraging that Apple is doing some things better – or at least quite differently – than many who have gone before it. Automating the updates via the software that the end user uses to synchronize content is a brilliant mechanism. Indeed, the user would have to opt out of updates in order for a device to not get the latest patches. (Though I still hate the idea of periodic patches, they remain our most viable option.)

Apple has also made their device much more closed than many other devices. In this context, by “closed” I mean that the end user cannot easily extend the functionality of the device. The method of “adding” applications to the iPhone is via web apps through the device’s browser. Thus, they’re moving to a more centralized model in which the apps sit in a data center, not in the device itself.

There are numerous security benefits from this model, as well as some operational disadvantages, since you must be connected to a network to run the apps. From a security standpoint, all the code sits in one place. Updates affect all users effectively simultaneously. There are also big configuration management benefits from this approach.

I suspect, however, that some of the benefits of centralization will be lost by applications that rely too heavily on client-side code, like JavaScript for an AJAX-enabled application and such. This effectively negates a lot of the advantages, but that’s a gripe for another column.
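As an added example, not code from the original column, here is the “don’t trust the client” rule applied to the AJAX-style application just described: client-side JavaScript computes an order total, and the server either believes that number or recomputes it from data it controls. The catalogue, SKUs and prices are constructed for illustration.

```javascript
// Added example: the "don't trust the client" rule for an AJAX-style order endpoint.
// CATALOGUE, SKUs and prices are constructed values, not from any real system.

// Server-side catalogue: the only price source the server should believe.
const CATALOGUE = { "case-001": 29.99, "cable-002": 9.99 };

// What the browser-side JavaScript computes before POSTing. It runs under the
// user's control, so every field it produces, `total` included, may be edited.
function clientBuildOrder(items) {
  const total = items.reduce((sum, it) => sum + CATALOGUE[it.sku] * it.qty, 0);
  return { items, total: Number(total.toFixed(2)) };
}

// Trusting endpoint: accepts the client's arithmetic as-is (the anti-pattern).
function trustingServer(order) {
  return { accepted: true, charged: order.total };
}

// Hardened endpoint: treats the request body as untrusted input, validates its
// shape and recomputes the total from server-side data; the client's `total`
// is never read.
function hardenedServer(order) {
  if (!order || !Array.isArray(order.items) || order.items.length === 0) {
    return { accepted: false, reason: "malformed order" };
  }
  let total = 0;
  for (const it of order.items) {
    const price = CATALOGUE[it.sku];
    if (price === undefined) return { accepted: false, reason: "unknown sku" };
    if (!Number.isInteger(it.qty) || it.qty < 1 || it.qty > 100) {
      return { accepted: false, reason: "invalid quantity" };
    }
    total += price * it.qty;
  }
  return { accepted: true, charged: Number(total.toFixed(2)) };
}

// A request whose `total` was edited after the browser's own check ran:
// the client-side validation never sees it, so only the server can catch it.
function tamperedOrder() {
  const order = clientBuildOrder([{ sku: "case-001", qty: 2 }]);
  return { ...order, total: 0.01 };
}
```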

My last observation from watching the great iPhone saga comes from comparing it with its competition. I’ve used different mobile devices for years, and I’ve tried all the big guys: Nokia, Ericsson, Motorola, Blackberry, you name it. These firms have all been making mobile devices for decades. Apple has been in the game for a month, and they’ve already managed to have an update mechanism that seems to me to work better than any of the others. They’ve also revolutionized the user interface and such in one step.

The one thing that makes all of this possible is the software. The fact that they clearly recognize that gives me confidence that they’ll place equal emphasis on the security of the software.

Story Courtesy of internetnews.com


security, Blackberry, iPhone, smartphones, Mac