Winter 2011: Password security standards and trendsWhen Apple releases a software development pack for the iPhone in February, new threats could develop as a result of third-party applications running natively on the smart phone, but security experts say that cybercriminals will likely continue to target device owners with social engineering techniques to fool victims into giving up personal information.
Flaws within third-party applications will open up new attack vectors for attackers, but today flaws already exist in Apple's mobile mail application and mobile Safari browser. The device's popularity makes it an obvious target for hackers, but cybercriminals seeking a larger payoff will stick to Windows desktops, said Graham Cluley, senior technology consultant for UK-based security software company Sophos.
"It's perfectly possible right now for iPhone users to receive spammed phishing messages and follow the link and enter their confidential data," Cluley said. "A lot of hacking attacks actually have very little to do with technology - but with vulnerabilities in the squishy fleshy human instead."
Apple CEO Steve Jobs said Wednesday that the need for security has slowed the release of a software development kit. Rumors circulated that a kit would be available in January, but Jobs confirmed that a February release is likely.
"Some claim that viruses and malware are not a problem on mobile phones -- this is simply not true," Jobs said in a letter to customers. "There have been serious viruses
Requires Free Membership to View
SearchSecurity.co.UK members gain immediate and unlimited access to breaking UK industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.co.UK today!
Michael S. Mimoso, Editorial Director
on other mobile phones already, including some that silently spread from phone to phone over the cell network. As our phones become more powerful, these malicious programs will become more dangerous."
Hackers have been busy cracking the iPhone. On Tuesday, HD Moore, creator of the popular Metasploit Framework penetration-testing tool, published working exploits for Apple's mobile mail application and Safari browser. Moore released shellcode for the iPhone last month and included instructions to turn the phone into a hacking device.
Toralv Dirro, a security researcher with McAfee Avert Labs said Thursday in the Avertlabs blog that allowing native third-party applications is a positive development to reduce the number of iPhone owners who hack the phone to install unauthorized applications.
"If everyone would look at security aspects and not just features during development, the electronic world may be a much safer place then it is now," Dirro said.
Sophos' Cluley said Apple's main challenge moving forward is the success it's having in the mobile market. The bad guys focus on where they can make the profit, he said.
"Microsoft Windows is targeted because it is so popular, and if you want to infect a wide range of people it's the obvious focus of attention for hackers," Cluley said. "My suspicion is that if we see malware for the Apple iPhone it is more likely to be written for headlines than dollars."
Charles King, principal analyst for Hayward, Calif.-based Pund-IT Research, called Apple's eventual SDK release more about increasing its profits than security concerns. Apple must compete with a large number of device makers already rolling out touch screen smart phones with extensive features.
"Apple's suggestion that it has proceeded slowly with the SDK due to concerns over issues including viruses, malware, and privacy attacks ring somewhat hollowly," King wrote in an advisory to customers. "While some say that Apple's initial focus on Web-based iPhone applications indicated its willingness to bravely take a chance on a newly emerging market, we believe the company's motivations were simpler: Advocating Web-based application development allowed Apple to simply continue exerting its historic behavior of tightly controlling development on its proprietary company platforms."