Re: iphone OS userspace apps run as root in Security http://www.dslreports.com/forum/r18628838 en Fri, 27 Nov 2009 03:17:29 EDT Fri, 27 Nov 2009 03:17:29 EDT Re: iphone OS userspace apps run as root http://www.dslreports.com/forum/remark,18732049 norwegian :
You forgot the "sales, profit margins, share holders gains" off the point you made.
----------------------------

They obviously are ingoring some basic principles.

My mobile phone is for phone calls, my computer is for the internet, but then I'm not a businessman with needs at the touch of a button, nor the cofidential data at risk.

Sorry state of affairs. :(
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke]]> http://www.dslreports.com/forum/remark,18732049 Mon, 23 Jul 2007 18:25:35 EDT Re: iphone OS userspace apps run as root http://www.dslreports.com/forum/remark,18729680 jdong :
said by justin See Profile :

It depends how much control of the phone side some "root" code on the iPhone has. How about an iPhone virus that quietly called one of those charge-per-minute numbers and ran up huge bills for the benefit of the ultimate owner of the number?
I'm guessing root has full access to the iPhone's radio, the calling API, and anything else that has to do with the phone, including swapping out the radio drivers for one that can do eavesdropping.

It really shocks me that they don't use some sort of sandbox/jail/partitioner for code that has to run on the iPhone. Heck even the OLPC sandboxes every app that runs on it, and it doesn't nearly have the same security ramifications if something goes wrong..

Is this a case of lazy developers, or limiting hardware?
--
UbuntuForums Administrator: try Ubuntu Linux]]> http://www.dslreports.com/forum/remark,18729680 Mon, 23 Jul 2007 12:50:46 EDT Re: iphone OS userspace apps run as root http://www.dslreports.com/forum/remark,18729468 justin : It depends how much control of the phone side some "root" code on the iPhone has. How about an iPhone virus that quietly called one of those charge-per-minute numbers and ran up huge bills for the benefit of the ultimate owner of the number?]]> http://www.dslreports.com/forum/remark,18729468 Mon, 23 Jul 2007 12:20:01 EDT Re: iphone OS userspace apps run as root http://www.dslreports.com/forum/remark,18729371 EGeezer : This makes me wonder if a pwn3d iPhone could be used as an attack vector to Macs, Win machines or networks.

With the potential money to be made in commercial hacking, developers must be digging into the possibilities of scraping information from iPhones connected to devices or networks when they're syncing or storing to/from them.
--
The society which scorns excellence in plumbing as a humble activity and tolerates shoddiness in philosophy because it is an exalted activity will have neither good plumbing nor good philosophy: neither its pipes or its theories will hold water.
]]> http://www.dslreports.com/forum/remark,18729371 Mon, 23 Jul 2007 12:06:21 EDT Re: iphone OS userspace apps run as root http://www.dslreports.com/forum/remark,18729103 justin : »www.securityevaluators.com/iphone/

That didn't take long. As a result of the setup detailed by my link at the top of this article, this group found an apple application crash, triggerable by any web page hosting the exploit, that lets them into the entire device.]]> http://www.dslreports.com/forum/remark,18729103 Mon, 23 Jul 2007 11:22:09 EDT Re: iphone OS userspace apps run as root http://www.dslreports.com/forum/remark,18651762 zteardrop :
said by justin See Profile :

»rixstep.com/2/1/20070703,00.shtml

I bet this potential issue gains traction & speculation over the next few weeks. There haven't been any mac OSX viruses that spread from mac to mac (via email or apple listening ports) that I know of, but if you imagine all the iphones as little macs (no need to imagine, that is what they are) and if they can reach each other "somehow" (poisoned mail messages, or corrupted itunes installs, appear to me to be more likely than open ports) .. then there is fertile ground for an "iphone virus".
Wait, but its an Apple. Apples dont get infected :-)]]> http://www.dslreports.com/forum/remark,18651762 Wed, 11 Jul 2007 11:52:49 EDT Re: iphone OS userspace apps run as root http://www.dslreports.com/forum/remark,18651632 orph4824 :
said by hirschbuhl See Profile :

Couldn't you put the iphone in a Zip-Loc bag until the virus has run it's course?
As long as you wrap the iPhone in tinfoil(hmmm tinfoils hats for phones who'da guessed) before placeing it into the condom(plastic bag) :D
--
Life's 3 rules: 1. Stuff happens 2. Stuff happens on a regular basis 3. Better get used to the first two... (not the actual saying but you get the drift)]]> http://www.dslreports.com/forum/remark,18651632 Wed, 11 Jul 2007 11:27:56 EDT Re: iphone OS userspace apps run as root http://www.dslreports.com/forum/remark,18651499 justin : Yes I think thats the difference. If iPhone can limit optional programs to sandboxed browser plugins, java applets and flash, then it is probably not much less safe than a windows CE smartphone.]]> http://www.dslreports.com/forum/remark,18651499 Wed, 11 Jul 2007 11:08:01 EDT Re: iphone OS userspace apps run as root http://www.dslreports.com/forum/remark,18651425 jdong :
said by dave See Profile :

(To comment on Justin's interpretation of the question: yes, Windows CE has a file system. No, Windows CE does not have file permissions. As far as I know.)
That's correct -- but a lot of the programs people install on mobile phones come in the form of J2ME MIDlets, which do have some form of permissions/sandboxing system.
--
UbuntuForums Administrator: try Ubuntu Linux]]> http://www.dslreports.com/forum/remark,18651425 Wed, 11 Jul 2007 10:56:23 EDT Re: iphone OS userspace apps run as root http://www.dslreports.com/forum/remark,18650889 dave :
said by Epyon9283 See Profile :

Do any other operating systems on mobile phones have concepts of file and user permissions?
I think Windows CE does not.

(To comment on Justin's interpretation of the question: yes, Windows CE has a file system. No, Windows CE does not have file permissions. As far as I know.)]]> http://www.dslreports.com/forum/remark,18650889 Wed, 11 Jul 2007 09:12:08 EDT Re: iphone OS userspace apps run as root http://www.dslreports.com/forum/remark,18650754 Khaine : Well this is apple, the company whose products "just work". I mean look at appletalk, sure you didn't need to configure addresses for any computers in your network, but they were very chatty, and susceptible to many forms of attack. ]]> http://www.dslreports.com/forum/remark,18650754 Wed, 11 Jul 2007 08:34:43 EDT Re: iphone OS userspace apps run as root http://www.dslreports.com/forum/remark,18650307 hirschbuhl : Couldn't you put the iphone in a Zip-Loc bag until the virus has run it's course?]]> http://www.dslreports.com/forum/remark,18650307 Wed, 11 Jul 2007 03:55:05 EDT Re: iphone OS userspace apps run as root http://www.dslreports.com/forum/remark,18628838 justin :
said by Epyon9283 See Profile :

Do any other operating systems on mobile phones have concepts of file and user permissions?
well I don't know how you can have a smart phone without a filesystem, so thats files. As for permissions, since this phone is OSX it is commonly understood that the standard way for the OS to insulate itself from exploitable crashes by common applications is to have them run under their own permission level so that they have no simple way to modify OS files.

Which is why a Mac running OSX needs the administrator password to be provided for patches and so on.

Windows never defaulted to this setup out of the box which is why any windows program appears to be able to write DLLs to any system directory without requesting the administrator password, and probably 99% of the windows users out there run "with full administrative rights".

So if the iphone has no higher level hypervisor built-in, that is watching and blocking key file changes within the OS & if it is true that everything on the iphone runs as uid 0, the iphone is less secure than any standard OSX Mac. If someone finds the right kind of crash in the browser, mail or SMS client then crafting the right web page, mail message or SMS message could install a program that looks for more iphones and we have the first widespread iphone virus.

One would have thought they'd have designed the iphone to be MORE secure than a Mac, first because it is likely to keep the AT&T lock-in alive in the marketplace for longer, and to keep buggy and destabilizing 3rd party applications from being offered all over the net, and second because the iphone, portable as it is from wifi network to wifi network, is potentially more exposed to network risks than a standard home Mac sitting happily behind a secured nat router. I take my evil iphone into a large wifi cafe or airport hotspot and the probabilities are (or will be shortly) that there is another iphone user on 192.168.1.something ..]]> http://www.dslreports.com/forum/remark,18628838 Sat, 07 Jul 2007 10:36:58 EDT Re: iphone OS userspace apps run as root http://www.dslreports.com/forum/remark,18627884 Epyon9283 : Do any other operating systems on mobile phones have concepts of file and user permissions?]]> http://www.dslreports.com/forum/remark,18627884 Sat, 07 Jul 2007 02:04:24 EDT Re: iphone OS userspace apps run as root http://www.dslreports.com/forum/remark,18627415 EGeezer : Well, the deafening silence when one mentions mobile device security is a bit distressing. Only when there is a big, ugly and public exploit will there be a drive to retrofit security. Right now it's a few enterprise ITSEC people who are essentially voices in the desert.

In the meantime, the industry and users will continue on fat, dumb and happy with their cool new phones that they've loaded with sensitive information.
--
The society which scorns excellence in plumbing as a humble activity and tolerates shoddiness in philosophy because it is an exalted activity will have neither good plumbing nor good philosophy: neither its pipes or its theories will hold water.
]]> http://www.dslreports.com/forum/remark,18627415 Fri, 06 Jul 2007 23:45:45 EDT Re: iphone OS userspace apps run as root http://www.dslreports.com/forum/remark,18627281 jdong : Come on, guys, brighten up! It just means Apple can migrate to Linspire... oops did I say that out loud?
--
UbuntuForums Administrator: try Ubuntu Linux]]> http://www.dslreports.com/forum/remark,18627281 Fri, 06 Jul 2007 23:16:11 EDT Re: iphone OS userspace apps run as root http://www.dslreports.com/forum/remark,18624025 hpguru : I'm glad I decided to wait on the next generation iphone.]]> http://www.dslreports.com/forum/remark,18624025 Fri, 06 Jul 2007 12:00:29 EDT Re: iphone OS userspace apps run as root http://www.dslreports.com/forum/remark,18624002 nil : Yikes.. that's dumb. ]]> http://www.dslreports.com/forum/remark,18624002 Fri, 06 Jul 2007 11:55:05 EDT iphone OS userspace apps run as root http://www.dslreports.com/forum/remark,18623469 justin : »rixstep.com/2/1/20070703,00.shtml

I bet this potential issue gains traction & speculation over the next few weeks. There haven't been any mac OSX viruses that spread from mac to mac (via email or apple listening ports) that I know of, but if you imagine all the iphones as little macs (no need to imagine, that is what they are) and if they can reach each other "somehow" (poisoned mail messages, or corrupted itunes installs, appear to me to be more likely than open ports) .. then there is fertile ground for an "iphone virus".]]> http://www.dslreports.com/forum/remark,18623469 Fri, 06 Jul 2007 09:58:08 EDT