Security Watch

Keeping Track of patches and hacks in the IT security world.

IBM ISS: No SDK Means No(?) iPhone Security Bugs

The allergy to the iPhone security analysts have acquired? IBM Internet Security Systems isn't buying it. As a matter of fact, Neel Mehta, team leader of the advanced research group at ISS, says the iPhone is going to suffer less from the malware that's hit Symbian's OS and Windows Mobile, thanks to the fact that Apple has no intention of releasing a substantial SDK (software development kit).

CommWarrior, a worm that operates on Symbian Series 60 devices and spreads via both Bluetooth and MMS (Multimedia Messaging Service) as well as by text-messaging everybody on a victim's contact list, is an example of malware authored with the help of a vendor-supplied SDK. (F-Secure's description of CommWarrior is here.)

The lack of an SDK will make it hard, if not prohibitive, for third-party developers to write applications that run on the iPhone. That won't limit only legitimate developers, of course, but virus writers as well, Mehta said.

"In virtually every case, malware is written for smart phones with an SDK," he said. "Malware for Windows Mobile, for Symbian. ... For the iPhone it will be quite challenging to write any software, but particularly viruses."

Most mobile phone viruses and attacks today are relatively unsophisticated, relying as they do on user interaction as well as a vendor's SDK.

"[Mobile exploits] largely rely upon the lack of security knowledge of the person running the phone. The [malware] application comes in over Bluetooth or SMS, but the person has to [select] 'Yes' many times before the virus is installed. Compared to e-mail-based viruses in the late 90s, say the Melissa or the ILOVEYOU virus, [mobile malware] is very unsophisticated," Mehta said.

Not that a mobile virus is impossible to write without an SDK, he said, but it would require much more sophistication than security experts are now seeing in mobile malware.

But, even though the iPhone environment is meant to be a closed one and the smart phone won't come out with an SDK or third-party applications, it will likely share code with other Apple devices: MacBooks, for example, or Mac desktops. "And some that run on a very open system, such as MacBook, will probably be very transparent," Mehta said. "It might be easier to analyze the security functions of the MacBook and see if the iPhone shares any risks."

On the plus side, another security positive for the iPhone that might get taken for granted is how easy it will be to update the phone. We take for granted the ability to automatically patch a desktop or laptop without having to search for patches ourselves or figuring out which ones we need to install. Many smart-phone operators, Mehta said, simply don't upgrade or patch phones. Compare that with Apple products such as the iPod, where updating firmware is as easy as synching. "If the same update mechanism is used, it should be very easy" to keep the firmware up to date, he said.

Indeed, the biggest security risk to Apple's first phone will be the intense scrutiny it will have to undergo when it's released, Mehta said. If Apple's WinSafari beta, released June 11, is any indication, researchers could be popping out vulnerabilities within hours of the phone's release.