February 10, 2013

Dear Apple, we need to talk about iOS security.

Filed under: Security — Tags: , , — martin @ 11:01 am

Dear Apple, we need to talk about iOS security.

First of all, you need to understand that many people out here, with me being one of them, really have a good time living in the closed and well-regulated iOS world that you built for us. The devices work as desired, they are highly reliable, we have working backup and restore, and the platform is free from malware. Everything is very fine, most of the time, at least according to me.

Still, security problems do exist. I have programmed, and just like everyone who has programmed, I have built security holes. Every piece of software contains security holes, gets some fixed and breeds new ones, all the time: Linux, Firefox, Windows, MacOS and of course iOS. Thankfully, there are countless security researchers out there, who research not only open-source software, but also closed systems such as the iOS environment.

Most of the time, security researchers are good guys. Nowadays, we have this thing called responsible disclosure and most reasonable software vendors, including you, have learned to listen to security reports. This majority of researchers takes pride in disclosing security issues. But what about the others? Everyone knows they do exist. Some may use their exploits for criminal activities, others may work for governments.

4852847095_466bc90184_oI had an insight a few years ago. While I was on vacation, jailbreakme.com started to trend on Twitter. Right after breakfast, I went to the website, swiped the slider, and, behold, the phone was jailbroken. A bug in the PDF rendering engine of iOS enabled administrative access for exploit code hidden in a PDF received from the website. I was quite negatively surprised to see my iPhone being exploited through a link on some web site. You fixed this fantastically dangerous exploit in a matter of days and I wondered how long it had been discovered already before it emerged in the form of this jailbreak.

Which brings us from white hat hackers, who diligently report what they have found, and black hat hackers, who abuse their findings for dishonorable motives, to those grey hats, who hold back their findings to earn jailbreak fame. And many end users actually do appreciate those jailbreaks. In other words, they profit directly from withheld security issues, while at the same time, all users have to face the risks from those same withheld security issues.

As far as I can tell, this culture, where users profit from withheld security issues, is unique to iOS. Similar situations, on a smaller scale and with a close focus on warez, may exist around gaming consoles, but iOS is the only general-purpose operating system where security issues regularly have a potential benefit for the user.

Please understand that it would be beneficial for all users of iOS if you ended this misguided culture of withheld security exploits. Please offer a way to run user-supplied software on iOS. You don’t want to find a place in history for having established “that OS” where users regularly waited out security exploits just to see if they can profit from them.

Please be nice and reasonable. Thank you!

(Historical screenshot credit: Micky.! on Flickr, licensed under CC-BY 2.0)

Create a free website or blog at WordPress.com.