iPhone Security, Part 2

The iPhone app security model

My friend and colleague Adjunct Professor Richard Steinberger from the MSIA Program at Norwich University continues his analysis of Apple iPhone security. Everything that follows is entirely Ric’s work with minor edits.

* * *

iPhone apps are, with a few limited exceptions, available to iPhone owners only via Apple’s iTunes store and only if iTunes has been installed on the computer accessing the store. Users cannot, in general, download apps from any other source, or share their apps (even free apps) with other iPhone owners. This distribution architecture allows Apple to vet every app that iPhone users install on their phones. In emergencies, Apple may also remotely remove or disable dangerous apps that have been installed on iPhones.

Based on my personal observation and analysis, the main security constraints imposed by the iPhone Operating System are as follows:

• No app may access any iPhone OS files.

• No app may access any other app’s files (with a few exceptions). Any files created by an app must remain local to that app. For example, an app designed to edit Java files could only edit Java files created within that app (or downloaded to that app). The primary exceptions are that third-party apps may access and modify stored photos and phone contacts.

• No app may alter any system settings. For example, a precise, NTP-enabled clock may not set the iPhone’s clock.

• If an app crashes, then in theory, only that app crashes, and the OS is unaffected. In practice, a crashed app may hang a system, requiring a restart.

• An iPhone app may sync with a PC- or Mac-based application to exchange or update the app’s data. But the syncing must be done by a wireless LAN connection and cannot be carried out using the cable that connects the iPhone to the computer; i.e., synchronization via an iTunes conduit to a PC or Mac application is not permitted.

• Apps are allowed to communicate with the Internet using the iPhone’s network connection. Thus, any data files present within an app may, in theory, be sent to an unauthorized destination without the iPhone owner’s knowledge. This transfer would be an example of an app Trojan horse program. Although such programs may escape Apple’s initial vetting, the author knows of no cases where such an app has actually been distributed via iTunes.
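The per-app container rule above amounts to a default-deny file-access policy with a short list of shared stores (photos, contacts) as exceptions. The following is an added illustration, not code from the article or from Apple: a small Python model of that policy, with all container and store paths invented for the example. The point it makes beyond the bullets is that such a check must canonicalize the requested path before comparing it with the container root, because a naive prefix test passes both `..` traversal and sibling containers whose names share a prefix.

```python
import posixpath

# Constructed, simplified model of the per-app container policy described above.
# Every path below is an assumption made for this example, not a real iPhone OS location.
SHARED_STORES = {
    "photos": "/var/mobile/Media/DCIM",               # assumed location of stored photos
    "contacts": "/var/mobile/Library/AddressBook",    # assumed location of phone contacts
}
APP_ROOT = "/var/mobile/Applications"                 # assumed parent of all app containers


def app_container(app_id: str) -> str:
    """Return the (assumed) private container directory for one app."""
    return f"{APP_ROOT}/{app_id}"


def is_within(path: str, root: str) -> bool:
    """True if the canonical form of `path` lies inside directory `root`.

    Canonicalizing first removes '.' and '..' segments and repeated slashes,
    so '/Applications/A1/../B2/x' is judged against B2's container, not A1's.
    Appending '/' to the root stops '/Applications/A10' matching root '/Applications/A1'.
    """
    norm_path = posixpath.normpath(path)
    norm_root = posixpath.normpath(root)
    return norm_path == norm_root or norm_path.startswith(norm_root + "/")


def access_allowed(app_id: str, path: str, shared_granted=()) -> bool:
    """Decide one file-access request under the model: default deny.

    Allowed only when the path is inside the app's own container, or inside a
    shared store named in `shared_granted` (e.g. ("photos",)). Everything else,
    including OS files and other apps' containers, is denied.
    """
    norm_path = posixpath.normpath(path)
    if not norm_path.startswith("/"):
        return False  # relative paths have no defined meaning in this model
    if is_within(norm_path, app_container(app_id)):
        return True
    for store in shared_granted:
        root = SHARED_STORES.get(store)
        if root is not None and is_within(norm_path, root):
            return True
    return False


def evaluate_requests(requests):
    """Run a batch of (app_id, path, grants) requests; return list of decisions."""
    return [access_allowed(app_id, path, grants) for app_id, path, grants in requests]


if __name__ == "__main__":
    # Constructed sample requests exercising each rule in the bullets above.
    sample = [
        ("A1", "/var/mobile/Applications/A1/Documents/notes.txt", ()),       # own container
        ("A1", "/var/mobile/Applications/A1/../B2/Documents/x", ()),         # traversal into B2
        ("A1", "/var/mobile/Applications/A10/Documents/x", ()),              # sibling with shared prefix
        ("A1", "/System/Library/CoreServices/x", ()),                        # OS files
        ("A1", "/var/mobile/Media/DCIM/IMG_0001.JPG", ()),                   # photos, no grant
        ("A1", "/var/mobile/Media/DCIM/IMG_0001.JPG", ("photos",)),          # photos, granted
    ]
    for (app_id, path, grants), decision in zip(sample, evaluate_requests(sample)):
        print(f"{app_id} {path} grants={grants!r}: {'ALLOW' if decision else 'DENY'}")
```

The canonicalization step is the part worth carrying over into any real sandbox or file-server check: compare resolved paths, never raw strings, and anchor the prefix test on a trailing separator.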

In other words, apps are islands unto themselves. Although a rogue employee may use a mobile phone to help steal or distribute confidential information, it remains far less likely that a trustworthy iPhone owner’s use of downloadable apps presents any major new security risk. As mentioned in the introduction, the primary risk of mobile phones remains their theft or loss. Organizations need to be prepared for the loss of confidential information when staff members’ phones are misplaced or stolen unless the iPhones are equipped with encryption software. In addition to using a password or personal identification number (PIN) to protect the phone itself from unauthorized access, some useful encryption and data protection apps for the iPhone are:

• SplashID

• 1Password

• My Eyes Only

• Verisign Identity Protection (VIP)

• Jaadu VNC

With appropriate precautions, corporate security managers can survive the latest wave of innovation from Apple.

* * *

Richard H. Steinberger, CISSP, CISM, has over 20 years of hands-on and supervisory experience with computers and networks, with special expertise in Internet and network security; security principles and products including firewalls, routers, VPNs, vulnerability assessment tools, intrusion detection systems, and hacking tools; advanced Unix software development; and system administration. He has taught network security at University of California Berkeley Engineering Extension and for several years as Adjunct Professor of Information Assurance in the MSIA Program at Norwich University. You may reach Ric by e-mail

Copyright © 2009 IDG Communications, Inc.