iPhone 3.0 is a Giant Security Rollup

By David Worthington | Thursday, June 18, 2009 at 8:07 pm

In the countdown to iPhone 3.0, users were not just waiting for the ability to cut and paste: Apple was sitting on a slew of critical security fixes. CNET is reporting that the iPhone 3.0 software update fixes 46 security vulnerabilities, and I’m not the least bit surprised.

While some teams at Apple may have security expertise, the company lacks a holistic company-wide approach to secure development. The company practices security through obscurity, hoping that hackers will not exploit bugs if that do not know about them, which is not security at all.

Earlier this month, Security expert Rich Mogull sharply criticized Apple for falling short on protecting its customers. He recommended that Apple adopt a security development life cycle (SDL) process that a handful of companies, including Microsoft, implemented several years ago, and share with third party developers.

The number of security vulnerabilities found in Microsoft’s product have dropped markedly, because it changed how it makes its software. No code can be shipped out of Redmond unless it has gone through the SDL process. Apple is another story.

If left unpatched, the iPhone is as exposed as the broad side of a mountain. Twelve iPhone components are exploitable ranging from its Mail application and Safari browser down to lower level graphics and telephony stacks.

Apple’s saving grace is that it controls the iPhone’s application ecosystem, and it’s harder for malware to reach users . It has said that it evaluates apps against security criteria, but I wonder how comprehensive that process is in light of its disjointed vetting process. Maybe it has just been lucky.

In March I called for Apple to assist its developers to write secure Apps for the iPhone. I repeat that call, and am upping the ante by challenging Apple to share its internal processes for secure development (if those processes are even mature enough to share).

I love my iPhone, and own several Apple computers, but I’m not in love with Apple’s halfhearted approach to security.

3 Comments

Read more: Apple, Apple. iPhone, Security

2 Comments For This Post

Ange"area rug cleaning Los Angeles"Lyn Says:
June 25th, 2009 at 2:04 am
Thank you for posting a caution about the new 3.0 release. It’s very helpful.
Air Purifers Says:
November 15th, 2011 at 1:15 pm
I love my iPhone too and think Apple is a good brand, but I don't like using products that aren't secure. Especially in this age of hackers and technological thievery!

1 Trackbacks For This Post

Critical iPhone SMS Vulnerability Revealed | Technologizer Says:
July 2nd, 2009 at 8:03 pm
[…] iPhone 3.0 update contained 46 security patches, but it did not address against the SMS vulnerability that Miller discovered–that fix is on […]

The Weird History of Windows
Laptopia: Twenty-One Totally Bizarre Laptops
Fifteen Classic Game Console Design Mistakes
The Thirteen Greatest Error Messages of All Time
When the Muppets Worked for IBM
Tech Products That Were Brilliant. And Doomed
The Legend of the Legend of Zelda
15 Breakthrough Products That Went Absolutely Nowhere
The 25 Most Notable Quotes in Tech History
How 1940s Whiskey Ads Predicted the Future
The Great Operating System Games
The Weird Secret Origin of Tech's Favorite Insult

Technologizer by Harry McCracken