My friend and colleague Adjunct Professor Richard Steinberger from the MSIA Program at Norwich University continues his analysis of Apple iPhone security. Everything that follows is entirely Ric’s work with minor edits.

* * *

iPhone apps are, with a few limited exceptions, available to iPhone owners only via Apple’s iTunes store and only if iTunes has been installed on the computer accessing the store. Users cannot, in general, download apps from any other source, or share their apps (even free apps) with other iPhone owners. This distribution architecture allows Apple to vet every app that iPhone users install on their phones. In emergencies, Apple may also remotely remove or disable dangerous apps that have been installed on iPhones.

Based on my personal observation and analysis, the main security constraints imposed by the iPhone Operating System are as follows:

• No app may access any iPhone OS files.
• No app may access any other app’s files (with a few exceptions). Any files created by an app must remain local to that app. For example, an app designed to edit Java files could only edit Java files created within that app (or downloaded to that app). Primary exceptions include: Third-party apps may access and modify stored photos and phone contacts.
• No app may alter any system settings. For example, a precise, NTP-enabled clock may not set the iPhone’s clock.
• If an app crashes, then in theory, only that app crashes, and the OS is unaffected. In practice, a crashed app may hang a system, requiring a restart.
• An iPhone app may sync with a PC- or Mac-based application to exchange or update the app’s data. But the syncing must be done by a wireless LAN connection and cannot be carried out using the cable that connects the iPhone to the computer; i.e., synchronization via an iTunes conduit to a PC or Mac application is not permitted.
• Apps are allowed to communicate with the Internet using the iPhone’s network connection. Thus, any data files present within an app may, in theory, be sent to an unauthorized destination without the iPhone owner’s knowledge. This transfer would be an example of an app Trojan horse program. Although such programs may escape Apple’s initial vetting, the author knows of no cases where such an app has actually been distributed via iTunes.

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services. CV online.