This post is written from the perspective of an old stick-in-the-mud, which I apparently became at some point but hadn’t noticed until now.
A couple days ago, the stars aligned to the point where I decided it was finally time to hack my iPhone. The Jailbreak hacking process had gotten “click-this-link” simple, some cool-sounding applications had appeared, Apple would soon be closing the TIFF exploit that Jailbreak used to hack into the device, and I had just the right amount of beer in me to make me adventurous enough to try the hack, but not enough to tip me into a TV-watching stupor.
The hack was as simple as advertised: Go to jailbreakme.com, click install, click Agree, then wait awhile. The application loader installed quickly, then pointed me to several Community Sources for iPhone applications.
Perusing the wealth of applications that were suddenly available to me, I found several that caught my eye. A simple voice recorder, an Instant Messaging client, a NetStumbler-like wireless detection application, and a cool looking GPS program that uses using cellular tower and WiFi information to guess where I am.
I typically use my iPhone roughly along these lines: 50 percent media (music, podcasts, videos), 25 percent cell phone (calls and SMS), 10 percent Google Maps, 10 percent Web browsing. The remaining 5 percent is made up of a little bit of e-mail, calendar, weather, and the camera.
I was surprised to learn that—at that point in time—I wasn’t ready to ask more of the device. Perhaps the applications I chose weren’t compelling enough, but more likely, they failed some sort of ad-hoc evaluation of necessity versus hassle and trust. The iPhone reliably does what I want it to do normally, and perhaps I was not ready to embrace more things at the time (again, probably the beer).
Of course, it also didn’t help that the newly hacked iPhone lost a great deal of my perceived reliability after the hack. The new applications crashed several times in the short time I tested them, sending me back to the start page. And the GPS program had rendered my touch screen keyboard completely inoperable, requiring me to soft reset the device to regain control.
I also suddenly found myself suspicious of the iPhone as well. I hesitated before entering in a Webmail password, and I didn’t want to check e-mail or write an SMS. I wondered exactly what was I had put on the device, as there’s not like there is some kind of software certification and vetting program for iPhone, as Apple won’t expressively permit third party applications until their SDK (software development kit) comes out early next year. Sure the applications are probably benign, but I hadn’t been assured of their benevolence, either.
But I think my real problem was the way the software got onto the device in the first place. Exploiting a known TIFF vulnerability in the iPhone’s Safari browser, the Jailbreak application literally cracks its way onto the device. And after years doing desktop support for various businesses, and subsequent years writing extensively about exploits and security software, I’ve trained myself to perceive and react to vulnerabilities and exploits in a certain way—with suspicion and caution, tempered with the need to plug the hole ASAP. Even though the Jailbreak installation actually corrects the TIFF vulnerability as its final install act, I was not reassured.
In the end, after an hour of mucking around with the new apps, I restored the iPhone back to an unmodified state.
Trust and reliability will be issues for Apple as they move forward with their Software Developers Kit next year. There needs to be some kind of software certification program that third party apps should go through to ensure that a) nothing suspicious is going on, b) new holes aren’t being introduced, and c) reliability is not negatively affected. Presumably these are among the reasons why Apple didn’t embrace third party applications in the first place and I can only hope they remember them as they move forward. For sure, it will be interesting to see how exactly Apple allows applications to be installed onto the device next year and what level of control they will exert over the installer.
The same goes for Google and their recently announced (but nowhere near ready) Android mobile platform, which is intended to be the new state of the art technology for open, mobile platforms.
Glancing at the Open Handset Alliance Web site, I notice that there are no security vendors in the consortium at this time. There’s a real opportunity for companies like Symantec, Trend Micro or McAfee (or a more visionary security start-up) to get on board with the Alliance, to work closely with the best and brightest in the handset-hardware and mobile software community, in order to get a certain level of security built into the Android platform from the get-go, and also to build in the necessary hooks for more advanced security software—their own products—down the road.
Yet, somehow, I doubt they will have the foresight to pursue it yet.