Apple iPhone, iPad Security Goes Into the Toilet and Down the Tubes

Last Updated Aug 6, 2010 2:48 PM EDT

Apple (AAPL) has long had a reputation for creating "secure" computers. But those who used to crow about that safety had better take another look. Only days after news that an iOS flaw allowed jailbreaking, and with it malicious takeover, of iOS 4 devices, there's word of Russian software from Elcomsoft that can get into password-protected iOS backups.

Combine this with the near-complete record that iOS keeps of what is typed on the keyboard -- including credit card numbers, account numbers, and other sensitive information -- and you've got a mess. To top it off, for reasons outside the control of Apple or any other mobile operating system vendor, the frequent updates needed to stay safe are unlikely to arrive. Welcome to the problems of mobile computing.

The first dash of cold water in the face of complacent fanboys -- and of enterprises that hoped to placate users by tying the popular platform into corporate back ends -- came from French research firm VUPEN Security. On Tuesday it announced two flaws in iOS. One is a memory corruption bug triggered when iOS parses Compact Font Format (CFF) data embedded in a PDF file. An attacker can use it to run arbitrary code on the device; all a user has to do is open a specially crafted web page in Apple's Mobile Safari browser, for example by following a phishing link. No jailbreak, no app install and no further user action is needed.
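The article doesn't give the internals of the CFF bug, and this example is not VUPEN's or Apple's code. It is an added illustration of the kind of input a CFF parser has to handle: the INDEX structure from the CFF specification, in which every length and offset comes from attacker-controlled bytes inside the PDF. The parser below checks each value before using it to index the buffer, and `is_well_formed` is a convenience wrapper of my own; a native parser that skips any one of these checks is how a crafted font becomes a memory-corruption primitive.

```python
"""Parse the CFF INDEX structure with explicit bounds checks (added example).

A CFF INDEX is: count (2 bytes, big-endian), offSize (1 byte, 1..4),
count+1 offsets of offSize bytes each (1-based, first offset is 1),
then the object data. A count of zero means the INDEX is just the count.
Every field read here is attacker-controlled when the font comes from a
PDF, so each one is validated before it is used as an index.
"""


class MalformedCFF(ValueError):
    """Raised instead of reading out of bounds."""


def parse_cff_index(buf: bytes, pos: int = 0):
    """Return (items, next_pos) for the INDEX starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise MalformedCFF("truncated count")
    count = int.from_bytes(buf[pos:pos + 2], "big")
    pos += 2
    if count == 0:                       # empty INDEX carries no offSize/offsets
        return [], pos
    if pos >= len(buf):
        raise MalformedCFF("truncated offSize")
    off_size = buf[pos]
    pos += 1
    if not 1 <= off_size <= 4:           # spec range; also bounds the reads below
        raise MalformedCFF("bad offSize %d" % off_size)
    n_off = count + 1
    off_end = pos + n_off * off_size
    if off_end > len(buf):
        raise MalformedCFF("offset array runs past end of data")
    offsets = [
        int.from_bytes(buf[pos + i * off_size: pos + (i + 1) * off_size], "big")
        for i in range(n_off)
    ]
    pos = off_end
    if offsets[0] != 1:
        raise MalformedCFF("first offset must be 1")
    # Offsets are relative to the byte *before* the object data.
    data_base = pos - 1
    for prev, cur in zip(offsets, offsets[1:]):
        if cur < prev:                   # negative length: classic underflow trigger
            raise MalformedCFF("non-monotonic offsets")
    data_end = data_base + offsets[-1]
    if data_end > len(buf):
        raise MalformedCFF("object data runs past end of data")
    items = [buf[data_base + a: data_base + b] for a, b in zip(offsets, offsets[1:])]
    return items, data_end


def build_cff_index(items, off_size: int = 1) -> bytes:
    """Serialize items into a well-formed INDEX (used here to construct input)."""
    if not items:
        return b"\x00\x00"
    offsets, cur = [], 1
    for it in items:
        offsets.append(cur)
        cur += len(it)
    offsets.append(cur)
    out = len(items).to_bytes(2, "big") + bytes([off_size])
    out += b"".join(o.to_bytes(off_size, "big") for o in offsets)
    return out + b"".join(items)


def is_well_formed(buf: bytes) -> bool:
    """True if buf holds a valid INDEX; False (not a crash) on crafted input."""
    try:
        parse_cff_index(buf)
        return True
    except MalformedCFF:
        return False


if __name__ == "__main__":
    good = build_cff_index([b"abc", b"de"])
    print(parse_cff_index(good))
    # Same bytes with the final offset pointing far past the buffer:
    print(is_well_formed(good[:5] + b"\xff" + good[6:]))
```

The three rejections that matter are the ones a fast native parser is most tempted to skip: the offset array itself running past the buffer, a later offset smaller than an earlier one (which produces a negative length), and the last offset pointing beyond the end of the data.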

The other flaw is in the iOS kernel. An app can use it to "gain elevated privileges and bypass sandbox restrictions," according to the VUPEN web site. In other words, an app could obtain low-level access to the operating system. Apple tries to prevent that by reviewing every app for use of so-called private APIs -- undocumented system interfaces that expose such capabilities -- but review is a policy check, not a technical barrier, and a kernel exploit escapes the sandbox regardless of what the reviewers saw.

What makes this exploit, and others like it as they are discovered, so dangerous is Apple's dynamic dictionary: the files iOS uses to learn how a given user spells particular words. So far as I know, security researcher and well-known iPhone hacker Jonathan Zdziarski was the first to point this out, in his 2008 book iPhone Forensics. I got further confirmation from Michael Harrington, director of training and services for mobile forensics vendor Teel Technologies, and John Hering, CEO of mobile security vendor Lookout, which made a splash at the recent Def Con security conference by pointing out how vulnerable Android can be.

To learn a user's spelling, iOS records what the person types on the keyboard and stores it in keyboard cache files. Password fields are normally exempt, but ordinary text fields -- mail, notes, web forms -- are not. How large the files grow, and how much is retained, depends on the storage available on the device and how much of it other files use. According to Zdziarski and Harrington, a device can retain this data for a year or longer.

Security circles have known about this retention for years. Harrington said "it's possible, and more than likely, probable," that iOS captures and stores credit card numbers along with CVV2, CID, and CVC2 security codes. For iPhones used in a business setting, you can confidently add sensitive corporate information to the list.

Forensics experts have extracted details from the dynamic dictionary files before, using special equipment and software on a disk image of the iPhone. An app with low-level system access would not need any of that: it could read the files directly, search them for sensitive data, and send the results to a server on the Internet without alerting the user.
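What that search looks like in practice, as an added example rather than anything from the article or from the forensics vendors it quotes: the scanner below treats a keyboard-cache dump as a blob of words separated by NUL bytes or whitespace, pulls out every 13-to-19-digit token, and keeps the ones that pass the Luhn check. Security codes have no check digit, so the best it can do for those is flag a 3-or-4-digit token sitting right after a candidate. The file path, the separator layout and the sample dump are all assumptions made for the example.

```python
"""Scan a keyboard-cache dump for card-number candidates (added example).

Assumptions, not facts from the article: the cache is a sequence of words
separated by NUL bytes or whitespace, and lives at DYNAMIC_TEXT_PATH on a
jailbroken device or in a disk image. SAMPLE_CACHE is constructed here.
"""
import re

# Assumed location of the dynamic dictionary; adjust to the image being examined.
DYNAMIC_TEXT_PATH = "/private/var/mobile/Library/Keyboard/dynamic-text.dat"

_TOKEN = re.compile(rb"[^\x00\s]+")     # words between NUL/whitespace separators
_PAN = re.compile(rb"^\d{13,19}$")      # card-number lengths in use
_SHORT_CODE = re.compile(rb"^\d{3,4}$")  # CVV2 / CID / CVC2 shaped token


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; filters random digit strings and most typos."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep the first six and last four digits; never log a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def extract_tokens(blob: bytes):
    return [m.group(0) for m in _TOKEN.finditer(blob)]


def find_card_candidates(blob: bytes):
    """Return [(masked_pan, following_short_code_or_None), ...] in cache order."""
    tokens = extract_tokens(blob)
    hits = []
    for idx, tok in enumerate(tokens):
        if not _PAN.match(tok):
            continue
        pan = tok.decode("ascii")
        if not luhn_ok(pan):
            continue
        code = None
        if idx + 1 < len(tokens) and _SHORT_CODE.match(tokens[idx + 1]):
            code = tokens[idx + 1].decode("ascii")
        hits.append((mask(pan), code))
    return hits


def scan_file(path: str = DYNAMIC_TEXT_PATH):
    with open(path, "rb") as fh:
        return find_card_candidates(fh.read())


# Constructed sample, not a real cache dump. The two valid numbers are the
# standard Visa/MasterCard test values; the third fails the Luhn check.
SAMPLE_CACHE = (
    b"DynamicDictionary\x00meeting\x00tomorrow\x00at\x00nine\x00"
    b"4111111111111111\x00123\x00"
    b"4111111111111112\x00"
    b"invoice\x005500000000000004\x00"
    b"sprocket\x00"
)

if __name__ == "__main__":
    for pan, code in find_card_candidates(SAMPLE_CACHE):
        print(pan, "code:", code or "-")
```

On the constructed sample the scan reports two masked numbers, one with a code typed immediately after it, and ignores the digit string that fails Luhn. Run against a real cache file the same logic is what a malicious app with file access would do, only with a network send in place of the print; the masking is there so an analyst's own output does not become a second copy of the card data.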

To date, many people have assumed that Apple's app review would keep any such app out of the App Store. But last month came news that an app called Handy Light had a hidden feature: it could provide other devices with 3G Internet access without a subscription to AT&T's $20-a-month tethering plan. Apple removed Handy Light from the App Store as soon as the news broke, but clearly the company doesn't catch everything.

Review is beside the point anyway: the web-delivered jailbreak exploit, which Apple still hasn't patched, could just as easily install malware that does this job. Then again, anyone with a copy of the backup files could use Elcomsoft's password recovery application to get into an iPhone backup and grab the same information that way.

Unfortunately, app developers have no control over how the keyboard works or what the operating system records, according to James McCarthy, CEO of mobile app consulting firm Digital Plight Studios. There is a potential workaround: developers can draw their own keyboard on the touch screen and bypass the system keyboard's recording and retention. "You might be able to pull it off the first time, but then Apple would look for it [once the use became public knowledge]," McCarthy says. Or you could depend on users to turn off the dictionary feature entirely at the operating system level -- and give up a feature many of them rely on.

It's not as though Apple is the only party unwisely leaving data on iOS devices. To date, the major problems with ill-considered data retention have come from app developers themselves, says Lookout's Hering, whose firm has analyzed 300,000 iPhone and Android apps. Remember the problem Citi had two weeks ago with its mobile banking app storing sensitive user data in a file normally unavailable to other applications?

Once a flaw is found, correcting it is slower on a smartphone than on the desktop, for reasons unique to the mobile industry. If a change touches the radio itself, the update may need reauthorization by the FCC. Then there is the carriers' concern about tying up network bandwidth, and about customer dissatisfaction when each large update eats into a rationed data allowance.

"If something goes wrong [with a patch] and if devices have problems, people will call their operator. The ecosystem itself makes security more challenging," Hering says. That raises real questions about how advisable mobile commerce and mobile business are.

Vault door image: RGBStock.com user katagaci, site standard license.
    Erik Sherman is a widely published writer and editor who also does select ghosting and corporate work. The views expressed in this column belong to Sherman and do not represent the views of CBS Interactive. Follow him on Twitter at @ErikSherman or on Facebook.