The press turns ebullient whenever the words "Apple" and "security" can be brought together in a story. After all, the myth that the Mac is inherently more secure than Windows PCs makes Apple seem more skilled in security matters, and thus anything that might crack that myth gets front-page treatment. Case in point: the recent SMS vulnerability discovered in the iPhone.
I'm not jumping on that bandwagon, nor will I play apologist for Apple. But the latest vulnerability discovered for the iPhone points out weaknesses in Apple's iPhone infrastructure, particularly with regard to the distribution and installation of software updates. The problem is not new, but it is now a real risk, not a theoretical one: to update iPhone firmware, a user or their IT department must tether the phone to a Mac or PC and run iTunes.
Although the iPhone started out as an iPod variation, and thus shared the iPod's iTunes tethering, the iPhone has long since become a device in its own right: a programmable smartphone that is connected to a Mac or PC more often to recharge it than to transfer data. That's why I have iTunes set not to launch automatically when my iPhone is connected. But it also means I often don't notice a firmware update unless it's attached to a new release of iTunes or the iPhone SDK. I'm sure I'm not alone.
That's the first problem: lack of reliable and specific notification of critical updates. Some millions of iPhone users aren't aware that the 3.0.1 firmware is essential inoculation, and I can't guess how many aren't aware of the update at all. The Apple Push Notification Service (APNS) gives Apple a priority line to all legitimate iPhone 3.0 users. That's a good way to get the word out, and I hope Apple takes to using it, but an update-o-gram from Apple that pops up on your phone should be reserved for critical updates -- those that leave your privacy, data, or core device stability at risk if they go uninstalled.