In a demonstration called “The Dark Art of iOS Application Hacking”, Jonathan Zdziarski showed that while iOS might have some decent security, the apps written for it do not add any extra protection of their own. We have talked about this before from the user end, where the belief that iOS or any product is “secure and safe” leads users to think they do not have to be concerned or cautious about their usage patterns. Now Zdziarski is showing how this trend is affecting developers too.
Some will claim that the exploits Zdziarski showed off are far-fetched, but considering that most smartphone users walk around with Bluetooth, WiFi and NFC (if they have it) turned on, access to your phone is not all that hard with the right tools (remember the root password for almost all iPhones is “alpine”). Although Apple did not include a shell application, it is still possible to send commands to the phone (at least up through iOS 5; we are not sure about iOS 6). Or you can use a personal area network to push a web page containing the code you need to a phone. Really, the idea that physical possession of the phone is required to make changes to it is fading. There are too many ways to connect to phones these days, and as developers take shortcuts in the name of convenience for the user, it is only a matter of time before we see the smartphone become a bigger target.
We have also watched as malware has been slipped into the iTunes App Store (three of them that have been reported), so the idea of getting compromised apps directly from the App Store is not far-fetched either. In this case neither Apple PR nor fan loyalty will protect you. Developers of iOS apps must start thinking of security first, just as users of Apple’s iPhones may need to start considering an extra layer of security to make sure they are protected. It is something we recommend for ALL smartphones, from Apple to Android to Windows Phone to BlackBerry; you really cannot rely on the claims that any device is “secure” anymore.