Security Firms Can't Protect iPhone From Threats

nk497 writes "F-Secure researchers are calling attention to the fact that it's impossible to run third-party anti-virus on iPhones, because the SDK doesn't allow for it. It's a problem, as they claim malware will start to target the phone. 'None of the existing anti-virus vendors can make one, without help from Apple,' chief research officer Mikko Hypponen said. 'Apple hasn't been too interested in developing antivirus solutions for the iPhone, because there are no viruses, which of course, isn't exactly true.' At the moment, the only worms faced by the iPhone have targeted unlocked, jailbroken devices — so Apple's not too bothered protecting users of such phones." While Apple claims that the iPhone's closed nature offers protection to its users, and security vendors maneuver for a piece of a market now closed to them, clearly both sides are pushing their own self-interest.

F-Secure smells money

[cerberusss]

From the summary, F-Secure: "'Apple hasn't been too interested in developing antivirus solutions for the iPhone, because there are no viruses, which of course, isn't exactly true.' .

No, indeed, only jailbroken phones were infected. Thus the obvious solution for F-Secure would be to bring out an app in Cydia or other app stores for jailbroken devices.

Of course, rather than do something, their execs prefer to spend their time whining.

Re:It's closed so it's perfect

[sopssa]

Mac OS X has security problems because it allows running executables and non-signed programs too. iPhone on the other hand doesn't, so trojans and such wont work. The only possible way is to exploit a vulnerability, but that doesn't happen every day and should be pretty quickly patched by Apple (doesn't the phone network push updates automatically?). And if there's a new exploit, antivirus software are just as bad in protecting against it.

Re:It's closed so it's perfect

[rolfwind]

Anti-virus/anti-malware always seems to be a shitty bandaid to a badly designed system. Even running Windows 7, with UAC on, non-administrative account 99.999% time, always a non-IE browser, and very strict on what I run as .exe and where I download them, ad-aware just found some wind32 trojan.

Also, people forget this is supposed to be a portable device, even a phone sometimes. Remember what most A/V does to your desktop? I don't run A/V on my notebook, and I actually do want a decent battery life on my phone, as hard as that is to believe.

However, I know there will be problems with the iPhone. I do wish its safari had the option of "noscript" and stronger adblock plus than its own system among other things. And that when you do use it for the first time, it would have a video on safe usage. You can't upgrade or improve the user, the weakest link, but at least you can try to lead that horse to water that is education.

I see an opening for Android...

[bogaboga]

...and here it is:

Some fella develops and distributes some serious virus that "shuts down" a big number of iPhones...

This generates [bad] publicity for the device...

The media pick the story up...(in the meantime, it's "damage control" for Apple)...

Android is touted as the best alternative...

Motorola and Co. jump on the bandwagon...

What next? profits, numbers and market share for the Droid.

Question is: Am I wrong?

The new logic of security

[Opportunist]

I tend to be wary when using my crystal ball, but this time I want to make a prediction: This is an intended development, and we'll see more of it in the future. Jailed devices that are deemed intrinsically secure. People who dare to unlock their device not only open themselves up for infections, they also can't get any help to make their devices secure again because everyone who could or would offer them this help is locked out.

Now add laws that started to creep into our legislative where you're legally responsible for it if your device is insecure and doing something illegal.

In the long run, you will only be secure and not responsible for anything your device does if you don't mind not owning it.

Apps run in a sandbox

[Negatyfus]

Apple isn't too concerned because all Apps run in a sandbox. There would have to be a very glaring hole in iPhoneOS would an attacker be able to take over an iPhone in this way. I remember a vulnerability that allowed exploitation through doctored SMS packets somehow, but I'm not sure how serious it was. At any rate, that's fixed now as far as I remember. Really, this is just about anti-virus companies trying to instill fear in the hearts of ignorant users. iPhone users that have jailbroken their iPhone have made it their own responsibility to look after security and I don't believe for a second that F-Secure is targeting *them* (SDK limitations wouldn't be a roadblock in that case). I see very little opportunity for a hacker to invade an iPhone, and thus it's not a huge priority to install any security software on the iPhone.

No mechanism for transmission

[argent]

This is even more stupid than their attempt to sell antivirus for Palm OS.

There is no mechanism for transmission between one iPhone and another UNLESS the iPhone is jailbroken.

So Symantec only needs to write antivirus for jailbroken iPhones. And Apple would have no way to prevent them. So what's their problem?

Re:I see an opening for Android...

[nneonneo]

Except that this scenario is next-to-impossible on stock iPhones, because of the aforementioned code-signing restrictions, sandboxed applications and other mechanisms which prevent this from being a general problem.

Jailbreaking your phone makes all these safety nets go away: the kernel is patched so that it will run anything and applications are permitted to roam free across all of the device. At that point, you are on your own as far as security goes. If you, as a user, willfully ignore the instructions saying "Use 'passwd' to change the default password!!", then the resulting compromise of your iPhone is *entirely* your fault, and Apple doesn't even have to do "damage control". A rooted Android phone would suffer the same problems.

Re:It's closed so it's perfect

[john82]

RTFA.

If you don't void the user agreement by jailbreaking your iPhone, you don't have this problem. Apple set up the environment. As it's designed, users are protected. If you choose to negate that design, you may have problems.

Where is Apple's liability if you don't use it as designed (or as dictated in the UA)?

Re:Jail Breaking Makes sense NOT!

[aristotle-dude]

Jailbreaking destroys the very security model which prevents malware from spreading. You seem to be ignorant of why the BSD jails exist in the first place.

iLocalis is a clone of "Find My iPhone", a feature of the 3.x firmware.

Winterboard is customizable but it is also slow and unstable.

OpenSSH Server has no business on a phone. There are several SSH clients in the app store for connecting to other machines for administrative purposes. If you feel the need to have a phone that requires administration, I would suggest looking at a windows mobile phone. I hear that they have all sorts of interesting crashes and race conditions.

If you want Intelliscreen, it sounds like you would be happier with a windows phone but there are obviously trade offs like no integration with a jukebox and no app store.

MyProfiles, is a solution looking for a problem. It is such a small niche that it is not worth Apple to invest time in providing such a feature.

If you want to hack phones, I'd suggest getting another type of phone. The iPhone is designed to be an appliance for busy people to use and have it "just work".

Re:better for apple

[edivad]

Actually, someone already had a fully flagged AV solution for jailbroken iPhones ...
http://www.appleiphoneschool.com/2008/05/05/ivirusscan-10b02/ [appleiphoneschool.com]