Roundtable: Apple iPad and Security vs. Freedom

Apple’s iPad went on sale last weekend. As Cory Doctorow and others have noted, Steve Jobs made the iPad a closed system. You’re prohibited from installing unapproved software, modifying the hardware, or even changing the battery.

Doctorow looks at the issue from the perspective of rights and creative freedom. I’d like to talk about the security aspect.

In the world of information security we’re often forced into balancing security on the one hand against convenience and freedom on the other. The closed nature of the Apple iPad certainly reduces freedom. The question is, does sacrificing freedom actually make the iPad secure? I asked our security staff for their opinions.

Violating Privacy? There’s an App for That

Adrian Sanabria, Security Consultant, isn’t convinced that the loss of freedom has any security advantages. “I’d challenge the view that a closed system buys you any more security. I think it is a dangerous misnomer. As noted by Nicolas Seriot, a Swiss iPhone security researcher, apps with hidden agendas have already made it through Apple’s review process, and were pulled until the companies cleaned up their apps. One game was uploading all the iPhone’s contacts to the developer’s server, and another was sending iPhone owner data back to the sales department so that they could “upsell” users who downloaded their app.

“Any security added by having an App Store is only as good as the App Store’s ability to detect and reject malicious code. It seems to me, personally, that the App Store review team is more concerned with rejecting competition (read: Google) than detecting and rejecting malicious apps.

“Seriot created an app just to show how much data can be gathered and compromised by ANY app running on the device. The iPad environment will likely be just as vulnerable. News story, POC code, and Blackhat presentations below, respectively.”

Breaking Down Apple’s Walled Garden

“We have created for the first time in all history a garden of pure ideology, where each worker may bloom, secure from the pests of any contradictory true thoughts.” – Apple “1984” commercial

Kyle Bubp, Systems Engineer, notes that the iPad was rooted less than 24 hours after its release. “Like the earlier technique, it is believed to use a browser-based exploit as part of a trick to get root access and let unsigned apps run on the tablet.”

Eric Walker, Systems Engineer, says “Just like the iPhone the iPad can be jail broken.” A jail break bypasses Apple’s restrictions in order to use software and content from outside the walled garden of the App Store. He points to the ongoing iPad jail break project, which is progressing rapidly in the days after the iPad’s release.

Jail breaking isn’t just for hackers anymore. By one estimate, 8.5% of all iPhones and iPads have been jail broken. Numerous jail break guides, and even commercial jail break software, are a Google search away. Once that’s done you can get software from alternative app stores such as Cydia.

Once the device is jail broken it can use apps that aren’t Apple-reviewed. TippingPoint researchers released a phony weather application called WeatherFist for jail broken iPhones (and Android phones). WeatherFist collected the owner’s user information, including their phone number and GPS coordinates. A malicious version, WeatherFistBadMonkey, could subvert a Droid or jail broken iPhone into a bot to send spam emails or launch DDoS attacks on Web sites.

Safari Undermines the Security Model

Bill Dean, Director of Computer Forensics, has another take. “I do agree that the iPad is more secure than a general purpose computing platform. But bear in mind that although the iPad is a closed system, it still uses Safari as the Web browser. For the past couple of years, hacking competitions have shown that the Safari Web browser was the first to fall when matched up against IE, Firefox, and Chrome.”

After being hacked easily in 2009, Apple tried to do better in the 2010 Pwn2Own browser-hacking competition. Less than two weeks before the event, Apple pushed out a Safari update that patched 16 vulnerabilities.

No matter. Safari on iPhone was the first browser to be hacked at the contest. “Using an exploit against a previously unknown vulnerability, the duo – Vincenzo Iozzo and Ralf Philipp Weinmann – lured the target iPhone to a rigged Web site and exfiltrated the SMS database in about 20 seconds.” Worse, the exploit was able to retrieve deleted messages that were potentially more sensitive.

And the second browser hacked at this year’s Pwn2Own? Safari running on Mac OS X. IE and Firefox later fell. For the second year in a row, only Google Chrome remained unhacked.


Comments

  1. DensityDuck Says: April 7, 2010 at 2:05 pm

    Pwn2Own: Oh no, they can read my text messages!

    This “hacking” sounds less like something dangerous, and more like the equivalent of typing “5318008” into your calculator.

  2. Fred Gander Says: April 7, 2010 at 2:33 pm

    Both Safari and Chrome are based upon the open source browser engine “webkit”. While the sandbox design of Chrome seems to be a significant advantage, I wonder if it also benefits from “security via obscurity.” Opera seems to benefit from its small market share as well.

  3. It seems the crux of your point is that since I could hack into my own iPad and possibly load malware that hadn’t been approved by Apple that the iPad itself is somehow no more secure than a designed open system. It would seem to me a better evaluation methodology would be to assume that the typical user would use the device as designed. The responsibility for avoiding malware on a designed open system often falls solely to the user, many of whom may have neither the technical savvy nor the free time to research in order to do as well a job as one might reasonably expect Apple’s app team to do.

    From a malware perspective it seems a no brainer that limiting the software that may be installed yields a safer more secure platform. If not, then why do IT security specialists at companies across the globe care so much about limiting which users have admin rights to install software on company assets?

  4. Les Jones Says: April 7, 2010 at 3:01 pm

    DensityDuck: Being able to steal user communications is generally considered a bad thing in the security world.

    Fred: it is interesting, isn’t it? One of the Pwn2Own participants found flaws in Chrome but couldn’t find a way to actually exploit them.

    submandave:

    “It seems the crux of your point is that since I could hack into my own iPad and possibly load malware that hadn’t been approved by Apple that the iPad itself is somehow no more secure than a designed open system.”

    All else being equal a closed system like the iPad should theoretically be more secure until it’s jail broken. However, once it’s jail broken it’s no more secure than a general purpose computer. That means that the iPad has to be regarded as being as insecure as a general purpose computer for planning purposes. Otherwise you could let down your guard and get burnt by one of the 8.5% of the devices that have been jail broken.

  5. I was about to write essentially what SubManDave wrote but he beat me to it.

    I think it is pathetic that the world as we see it has so many people wanting to do horrible, unethical things in the pursuit of a buck, but they exist and we need to protect against them.

    I have a friend with a PC that’s so laden with viruses and spyware it barely functions, and most people I know with PCs who are not in the computer biz somewhere labor under similar problems.

    I think they should all get iPads. I got one on intro day. It’s fabulous.

    And somehow Apple’s restrictions have in no way impacted the creativity of app developers – iPad software is truly state of the art, best available, while Windows users survive with mediocrity. The best talent is going to this platform, and it shows.

    Frankly, I think that’s what Doctorow is really upset about and I don’t blame him.

    D

  6. Les Jones Says: April 7, 2010 at 3:25 pm

    David (and submandave): I think I see how we’re coming at this from different perspectives. You’re 100% right that if you don’t hack your iPad then there’s no danger that you’ll suffer the dangers of malware like MonkeyFist.

    Our security team is looking at this from the perspective of designing and managing security for enterprises with thousands of employees. They have to think about what would happen if even a few users with access to the organization’s resources decided to jail break their iPad. Looking at it from an enterprise planning point of view you just can’t assume that an iPad hasn’t been jail broken.

    • punditius Says: April 7, 2010 at 5:37 pm

      So…if you are an average individual user, the iPad really is “the computer for the rest of us.” I agree with David about knowing people whose PCs are dragged down with viruses. The iPad might not be totally invulnerable, but from the point of view of someone who just wants to USE a computer, as opposed to modify it for drag racing, the iPad is *almost* the way to go. Not quite, though, because it won’t do things like print, or download files from the internet to save.

      Whereas, Les says, if you are a business entity, the iPad is no different than any other computer, from a risk perspective. This makes perfect sense to me. And what a business entity has that a private individual doesn’t is a tech guy.

      So from my point of view, if you are a tech guy, jailbreak away. You are a shadetree mechanic, a ham radio man, and more power to you. But the rest of us are happy with power steering and an automatic transmission…

  7. Les, thanks for the clarification. I think a lot of people are going to read this article and think of it as an indictment of iPad security, and think it applied to their own personal purchasing decisions. Clearly, it was not meant that way.

    So, just to make things clear, here’s a simple take about iPad:

    Is it completely safe? No, nothing is completely safe.

    Is it much safer? I would think yes.

    D

  8. Pat Casey Says: April 7, 2010 at 7:13 pm

    I understood the article to say that the closed policy of the iPad led to a somewhat false sense of security because its security is limited to how diligent the reviewers at Apple are in searching out malware. And it sounds like they are dividing up that diligence between looking for malware and looking for competitors. Also, they are inherently limited just by their numbers.

    Eric Raymond wrote a classic article several years ago where he compared two different ways of creating software – The Cathedral and the Bazaar.

    In the Cathedral model, a central architect and carefully selected team build the building. It has a lot of cohesion but it also is limited by what the master-builder and his team are able to focus on.

    In the Bazaar model, the building is built by a wide range of people with many different areas of expertise. It suffers when it comes to cohesion in that everything seems to go every which way, but its strength is that serious weaknesses are discovered and corrected early – “Given enough eyes on the problem, all bugs are shallow.” When a problem arises, often, there might be someone that might be good at describing and duplicating it, but might not know what to do to fix it. Meanwhile, another person might know just what to do to fix it once it is called to his attention.

    Apple is taking the Cathedral approach, and Google Droid is taking the Bazaar approach. Given enough time, both can actually produce some very good products, in much the way that Microsoft (Cathedral) and Linux (Bazaar) have both produced some very good operating systems.

    Anyway, back to the original point, I don’t think the article was saying that only a jailbroken iPad was vulnerable to malware. I think it was pointing out that the closed nature in itself might be somewhat of a vulnerability too.

  10. Adrian Sanabria Says: April 9, 2010 at 10:43 am

    Jail Breaks aside, iPhone/iPad apps have a very high level of access to the OS and user data. If you compare the application security in a Blackberry to that of an iPhone or iPad, the Apple devices are essentially wide open. It can be annoying if you install a lot of apps, but a Blackberry will tell you EXACTLY what an app wants to access on your phone, and you have to manually grant it access by default. On an iPad or iPhone, your app has access to whatever it might need.

    This is not a vulnerability, however, but a design trade-off. Having a ton of notifications a la Blackberry, Vista, or Windows 7 would ruin the user experience. On the other hand, a back door in an app that gives someone remote control of your iPad could also potentially ruin the user experience.

    In the end, keeping malware off any computing device mostly comes down to common sense – don’t install apps that appear suspicious. If you’ve never heard of the vendor, look them up. Check out their website. Check the reviews. If your hackles are still down, then install it.
