Apple’s iPad went on sale last weekend. As Cory Doctorow and others have noted, Steve Jobs made the iPad a closed system. You’re prohibited from installing unapproved software, modifying the hardware, or even changing the battery.
Doctorow looks at the issue from the perspective of rights and creative freedom. I’d like to talk about the security aspect.
In the world of information security we’re often forced into balancing security on the one hand against convenience and freedom on the other. The closed nature of the Apple iPad certainly reduces freedom. The question is, does sacrificing freedom actually make the iPad secure? I asked our security staff for their opinions.
Violating Privacy? There’s an App for That
Adrian Sanabria, Security Consultant, isn’t convinced that the loss of freedom has any security advantages. “I’d challenge the view that a closed system buys you any more security. I think it is a dangerous misnomer. As noted by Nicolas Seriot, a Swiss iPhone security researcher, apps with hidden agendas have already made it through Apple’s review process, and were pulled until the companies cleaned up their apps. One game was uploading all the iPhone’s contacts to the developer’s server, and another was sending iPhone owner data back to the sales department so that they could “upsell” users who downloaded their app.
“Any security added by having an App Store is only as good as the App Store’s ability to detect and reject malicious code. It seems to me, personally, that the App Store review team is more concerned with rejecting competition (read: Google) than detecting and rejecting malicious apps.
“Seriot created an app just to show how much data can be gathered and compromised by ANY app running on the device. The iPad environment will likely be just as vulnerable. News story, POC code, and Blackhat presentations below, respectively.”
- CNET: Researcher warns of risks from rogue iPhone apps
- nst’s SpyPhone
- Nicolas Seriot’s iPhone Privacy Presentation from Blackhat 2010
Breaking Down Apple’s Walled Garden
“We have created for the first time in all history a garden of pure ideology, where each worker may bloom, secure from the pests of any contradictory true thoughts.” – Apple “1984” commercial
Kyle Bubp, Systems Engineer, notes that the iPad was rooted less than 24 hours after its release. “Like the earlier technique, it is believed to use a browser-based exploit as part of a trick to get root access and let unsigned apps run on the tablet.”
Eric Walker, Systems Engineer, says “Just like the iPhone the iPad can be jail broken.” A jail break bypasses Apple’s restrictions in order to use software and content from outside the walled garden of the App Store. He points to the ongoing iPad jail break project, which is progressing rapidly in the days after the iPad’s release.
Jail breaking isn’t just for hackers anymore. By one estimate, 8.5% of all iPhones and iPads have been jail broken. Numerous jail break guides, and even commercial jail break software, are a Google search away. Once that’s done, you can get software from alternative app stores such as Cydia.
Once the device is jail broken it can use apps that aren’t Apple-reviewed. TippingPoint researchers released a phony weather application called WeatherFist for jail broken iPhones (and Android phones). WeatherFist collected the owner’s user information, including their phone number and GPS coordinates. A malicious version, WeatherFistBadMonkey, could subvert a Droid or jail broken iPhone into a bot to send spam emails or launch DDoS attacks on Web sites.
Safari Undermines the Security Model
Bill Dean, Director of Computer Forensics, has another take. “I do agree that the iPad is more secure than a general purpose computing platform. But bear in mind that although the iPad is a closed system, it still uses Safari as the Web browser. For the past couple of years, hacking competitions have shown that the Safari Web browser was the first to fall when matched up against IE, Firefox, and Chrome.”
After being hacked easily in 2009, Apple tried to do better in the 2010 Pwn2Own browser-hacking competition. Less than two weeks before the event, Apple pushed out a Safari update that patched 16 vulnerabilities.
No matter. Safari on iPhone was the first browser to be hacked at the contest. “Using an exploit against a previously unknown vulnerability, the duo – Vincenzo Iozzo and Ralf Philipp Weinmann – lured the target iPhone to a rigged Web site and exfiltrated the SMS database in about 20 seconds.” Worse, the exploit was able to retrieve deleted messages that were potentially more sensitive.
And the second browser hacked at this year’s Pwn2Own? Safari running on Mac OS X. IE and Firefox later fell. For the second year in a row, only Google Chrome remained unhacked.