Monday, July 27, 2009

iPhone 3GS Is Bad For Business People

By Benedict Wee

A recent article in Wired has talked about how the encryption of Apple's new iPhone can easily be broken into within two minutes with readily available software found on the internet.

Jonathan Zdziarski -an iPhone developer and hacker- compared the weak security measures of the iPhone to that of putting an answer code next to an encrypted message:
"It is kind of like storing all your secret messages right next to the secret decoder ring. I don't think any of us (developers) have ever seen encryption implemented so poorly before, which is hard to describe why it's such a big threat to security."
The iPhone 3GS has been touted by Apple to be enterprise-friendly compared to its pervious iterations the iPhone and iPhone 3G. Add this to the mobile's easy to use interface and it would compel businesses to purchase the mobile for their employees but Zdziarski says that it is as easy to access sensitive information (such as credit card numbers) from the 3GS as it was the previous models as the mobile automatically decrypts its own data when it is extracted. No effort is done on the part of the hacker at all to decode the information.



All it takes to retrieve the information is to steal the iPhone and use free jailbreaking software (these are used by many to install an unofficial application store in order to download apps which Apple might not approve of due to trademark issues or violations of Apple policy) readily available on the internet to extract the data. This takes as little as 2 minutes with retrieving the entire contents of the phone in about 45.



In addition to the weak encrypting feature, the article talks about how easy it would be for developers of legitimate applications to sneak in malicious code for their programs despite Apples tough screening process. A good example is the Lyrics application which allows you to read lyrics -including swear words- found in certain songs. This was originally rejected by Apple but the developer found a way to hide the option of making the profanity available.

Apple big-boss Steve Jobs is not worried however as he admitted that there is a remote kill switch for the iPhone which is able to delete an application remotely by triggering a command. There is a similar option for iPhone users who subscribe to Apple's MobileMe service which allows them to remotely delete their information on their iPhone via PC but Zdziarski says that circumventing that measure is as easy as removing the SIM card.

Source:

1 comment: