iPhone Security Flaw: Separating Fact from Fiction
By Liane Cassavoy
With all the news about jailbreaking iPhones in recent days, the security of Apple’s popular smartphone has been called into question. But, with the hype hitting overload and scare mongers everywhere, how do you know what to believe? Let’s examine the origin of the latest iPhone security flaw stories, and look at them in detail to find out how concerned you ought to be.
Get Out of Jail
Reports of iPhone security flaws are nothing new, but the latest batch of reports began earlier this week with the release of Jailbreakme 2.0, a new tool that lets you jailbreak your iPhone without connecting it to your computer.
Jailbreaking, which is the process of freeing your iPhone from Apple’s software restrictions and potentially from AT&T’s network, was ruled legal last week by the U.S. Copyright Office. A jailbroken iPhone can run apps that have not been approved by Apple, giving users more control over what they do with their smartphone. But once an iPhone is jailbroken, it may also be less stable, and by jailbreaking the device, you void any warranty you may have had.
Jailbreaking an iPhone can pose some risks to your device. I tried it once, on an older iPhone, and was left with a device that was bricked: it was unable to make or receive calls. Luckily, I was easily able to fix my iPhone by restoring it to its original settings via iTunes. But I haven’t tried jailbreaking again.
While the latest reports of security flaws with the iPhone have centered around the new jailbreak tool, the security flaws themselves actually aren’t with phones that have been jailbroken. Instead, it is the way that Jailbreakme 2.0 accomplishes the jailbreak that has highlighted potential security problems with the iPhone.
In the past, jailbreaking your iPhone required connecting it to your computer and transferring the necessary software to the phone from your Mac or PC. But Jailbreakme 2.0 simply requires that you use the iPhone’s Safari browser to visit its Web site, from which it downloads the hack necessary to jailbreak the device. My colleague Daniel Ionescu gave it a try, and was able to jailbreak his iPod Touch in less than a minute, no user interaction required.
Safari to Blame
And that, right there, is the security flaw that has experts so concerned: No user interaction required. As Gizmodo points out, the ease with which Jailbreakme 2.0 works highlights a serious security flaw within the iPhone’s Safari browser:
“It just requires the user to visit a web address using Safari. The web site can automatically load a simple PDF document, which contains a font that hides a special program. When your iOS device tries to display the PDF file, that font causes something called stack overflow, a technical condition that allows the secret ninja code inside the font to gain complete control of your device.
“The result is that, without any user intervention whatsoever, that program can do whatever it wants inside your iPhone, iPod Touch or iPad. Anything you can imagine: Delete files, transmit files, install programs running on the background that can monitor your actions…anything can be done.”
The problem lies with the way Apple’s mobile version of Safari handles PDF documents, Sophos’ Graham Cluley tells BBC News. The iPhone’s Safari browser automatically opens PDF files, so a hacker could conceivably embed malicious code in such a document.
(Ironically, the BBC notes that the only way to prevent your iPhone from automatically opening PDFs is by jailbreaking the phone and installing an app called PDF Loading Warner, which will then ask for your permission whenever your iPhone attempts to open a PDF file.)
Sophos’ Cluley notes that this security flaw, while serious, exists only on paper at this point, and has not been seen in the wild. An Apple representative told CNet that Apple is “aware of the reports and is investigating” the flaw.
Should You Worry?
Many reports surrounding this security flaw have made it sound like something that only those willing to jailbreak their iPhones need to worry about. But that is clearly not the case: this flaw could affect anyone who uses the iPhone’s Safari browser.
It has yet to be exploited, but we all know there are plenty of hackers out there who would love to be the first to compromise Apple’s iPhone. So, right now, I’m not terribly worried about the security of my iPhone. But I sure would like to see a fix from Apple … and soon.
When you purchase through links in our articles, we may earn a small commission. This doesn't affect our editorial independence.