If you’re feeling whiplash over the state of iPhone security, you’re in good company. Last month, the first iPhone worms were reported, which either rickrolled your iPhone with a background picture of Mr. Astley, or did far worse things to your software and data. But the only people who were vulnerable were people who had jailbroken their phones, turned on SSH services, and neglected to change their root password. And we all know that people who use default root passwords are silly, right?
On Friday, Slashdot reported on a presentation given by Nicholas Seriot (PDF link), a Swiss software engineer, about the security risks of a stock, non-jailbroken iPhone. He demonstrated that installed applications can read your address book, steal your phone number, peruse your browser history, track your GPS movements, and get all sorts of other personal data on you.
Which is kind of understandable, since many legitimate apps rely on access to this data for their features. Yes, if an application secretly records your GPS location and uploads it to the software’s author, that’s a serious breach of your privacy. But if Loopt does the same thing, because you’ve told it to do so in order to share your location with your friends, that’s okay. So, how are the good apps to be distinguished from the bad?
Seriot contends that the volume of iPhone app submissions implies that, invariably, some malware is going to sneak through, probably in the form of an innocuous app which does one thing on the surface, and quite another under the hood. Trojan horse software is nothing new in the computer industry, but it’s a bit more scary when it’s attached to an always-on device that’s always on your person.
While it’s probably not worth it to get too concerned about this, it’s always prudent to be, well, prudent. People who like to download the newest software on day one are the most exposed to this risk; the rest of us can rely on the community to alert us when apps are acting nefariously. Delete apps which appear to be acting strangely, or which just don’t feel right. And you can always keep your important data in encrypted applications, such as 1Password.
Also, you might want to think about leaving really sensitive data off your iPhone entirely, no matter how cute you look in that bunny suit.