MacDailyNews - Where Mac news comes first

Oct 26, 08 - 09:08 am Comment from: Wandering joe

Well, it is an android, half of this, half of that without really being anything whole.

Gee Wally, didn't the "experts" cry about this same serious flaw with the iPhone when it first came out? What could they be selling?

I don't like Google. I remain deeply suspicious of their motives and business plans. I consider "Don't be evil" is a marketing ploy for idiots like Cramer et al and not a "punch a dent in the universe" type of philosophy. However, this is a different issue. Maybe reading the entire article would help understand that Charles A. Miller, the exposer of this 'flaw,' is an attention seeking 'expert.' He pulled the same stunt against Apple earlier. I side with Google on this that he should have allowed Google a bit more time to rectify this issue before rushing to public with this. It's just being a bad sport of the reckless kind.
Good news is, Apple is no longer alone in attracting these kinds of attention seeking twits.

Oct 26, 08 - 10:59 am Comment from: DogGone

Is Android UNIX based like the iPhone OS?

This type of security issue is possible with any OS. Apple deal with it in the iPhone by preventing installation outside of the App Store.

It is really done to the User to make sure they don't do anything stupid. Provided that when an install is required the user as to give permission, this type of issue should be limit to people who have yet to learn about proper security.

The serious flaw found in Google’s Android phone OS is that it is NOT n iPhone.

I suspect that will be hard to fix

"Apple deal with it in the iPhone by preventing installation outside of the App Store."

You think the app store insulates you from Mobile Safari exploits? The App Store truly is magical technology - in your mind.

i thought that the G1 web browser was based on WebKit, the same package upon which Safari is based.

@ Almost Unbelievable

This exploit for Android relies on the ability of a webpage to install a keystroke-capturing program that can constantly run in the background and capture anything you type.

Webpages can't install software on the iPhone, so that's one down. And while you could conceivably install a nefarious app from the App Store, apps can't run constantly in the background on the iPhone. So this kind of exploit is, indeed, impossible on the iPhone.

Apple very clearly understood what they were doing from a security perspective when they designed the iPhone the way they did. Android's problems are the result of the way Google designed it, and not an indicator that the iPhone is somehow magically also vulnerable to the same design flaws.

Oct 26, 08 - 12:23 pm Comment from: Cubert

Damn security flaws! Always making it hard for us porn addicts.

@ dan

This has nothing to do with the use of WebKit – it's a fundamental flaw in the way Google designed the browser and the system around the web browser in Android. (Mobile Safari doesn't allow downloads, Android's browser evidently does.)

heck... If it can beat my iPhone 3G by actually being able to talk to someone without contiually dropping calls, then it will be a good start!!!

A serious flaw in all locks is that someone might persuade you to unlock it for them. This is bollocks.

"install a keystroke-capturing program that can constantly run in the background and capture anything you type."

Only within the browser, because it is sandboxed.

"Webpages can't install software on the iPhone, so that's one down"

Unless they exploit a bug in Mobile Safari, Duh. The andriod exploit uses a now fixed flaw in the Android browser to install itself.

"Apple very clearly understood what they were doing from a security perspective when they designed the iPhone the way they did."

No, they did not. They gave NO thought to security in the iPhone version of Mac OS X because Steve told them there would never be a "real" SDK so they built it as if only Apple coded applications would ever be run on the platform directly. Android's security model with sandboxed Java applications is much stronger than the iPhone's. Part of the problem with the iPhone is that everything runs as root and can access everything.

So why not come back when you've learned something about what you speak of?

I don't want to be the one to correct you but I am:
Steve knew all along they were going to eventually open up the platform, but regardless, safari is still an apple app! Of course that would have to be designed with security built in. Open platform or not.
"Part of the problem with the iPhone is that everything runs as root and can access everything." Um, actually everything cannot access everything, if you would keep yourself informed of the iPhone platform you would learn that this is not how Apple designed it.

I'm done.

Oct 26, 08 - 01:48 pm Comment from: HMCIV

The real question remains, which phone is going to fall victim to a widespread exploit first. My guess is it will be the Democrats.

(Aww crap I'm confusing my rants again.)

"Um, actually everything cannot access everything, if you would keep yourself informed of the iPhone platform you would learn that this is not how Apple designed it."

Not so, that's the case only if you respect the rules of the SDK and the App store. Voluntary non use of private APIs doesn't really count as a form of security. Anyway, even if it were, what's your plan again for getting hackers to do that?

Cue commercial: "Mac vs. Windows", substitute Android and cell phones.

Oct 26, 08 - 04:45 pm Comment from: Cubert

@More Misconceptions,

"They gave NO thought to security in the iPhone version of Mac OS X because Steve told them there would never be a "real" SDK so they built it as if only Apple coded applications would ever be run on the platform directly.....So why not come back when you've learned something about what you speak of?"

Ummm, how do you know that Steve Jobs told the iPhone developers (ie. Apple employees) that there would never be a real SDK for the iPhone? I'm sure that you aren't dumb enough to confuse Apple employees with third party developers, are you? Nowhere have I ever read such a statement from anyone who works at Apple, nor did Steve Jobs ever make such a statement. Actually, when he first discussed third parties developing web apps on the iPhone, he insinuated (and there were leaks from Apple confirming the same) that an iPhone SDK was indeed coming. I don't think you or anyone else seriously believes that a SDK wasn't always in the works.

So, YOU please come back when you've learned something about what you speak of.

I don't think you or anyone else seriously believes that a SDK wasn't always in the works."

Believe what you want, but it's clear security for native applications was one thing that was never part of the iPhone's design.

You wishing that were different won't make it different.

The real question remains, which phone is going to fall victim to a widespread exploit first.

It depends.

The iPhone has done pretty well so far, for being a high-profile and potentially high-value target. Knock on wood....

It's not good for the G1 to have such a serious (and basic!) flaw discovered so soon after launch. Surely this should have been caught in testing.

But to be fair to Google, the sky isn't falling, and I'm sure they'll resolve things. Every new gadget has its birthing pains.

The iPhone has done pretty well so far, for being a high-profile and potentially high-value target."

A similar exploit was shown on the iPhone back in August 2007.

"I'm sure they'll resolve things"

Yes, they did, already. T-Mobile needs to publish that fix.

@More Misconceptions:

Doesn't matter one bit if you can do things as root on your normal desktop computer. The iPhone is not a normal desktop computer.

Unlike a desktop computer, the only way to get an application on the iPhone without a jailbreak is to get it from the App Store. The only way to get on the App Store is to follow Apple's rules, and Apple's rules clearly include "no privilege escalation", "no escaping the sandbox", and "no accessing network ports outside the existing, provided APIs".

Once you jailbreak the iPhone you're on your own. You are responsible for your own security. Good luck with that.

Oct 26, 08 - 07:25 pm Comment from: silver surfer

So much for Google's G1 phone.

Apple rules period.

"Once you jailbreak the iPhone you're on your own"

Who said anything about requiring a jailbroken phone for that exploit I mentioned to work? It worked on the unbroken phone.

"only way to get an application on the iPhone without a jailbreak is to get it from the App Store"

Is it really? perhaps in a perfect world with no flaws in the iPhone software.

In fact that kind of the Safari exploit was a way by which you could jailbreak a phone. After all, what do you think Jailbreaking actually is? It's using flaws in the iPhone software to gain control beyond what Apple wants you to have.

So as you now understand you can exploit a Safari Flaw to remotely gain full control of an iPhone, Zeke when this happens to you, you should send an email to the remote Hacker asking him to look after your iPhone security for you. After all you seem to think that asking people to play by the rules is a good way to ensure security.

But I doubt that they'll be too accommodating.

Oct 26, 08 - 08:03 pm Comment from: Cubert

More Misconceptions,

"Believe what you want, but it's clear security for native applications was one thing that was never part of the iPhone's design. You wishing that were different won't make it different."

Way to ignore most of my argument and pick out one insignificant piece of it to comment on. You wishing that my statements were incorrect won't make them so.

Oct 26, 08 - 08:04 pm Comment from: Cubert

Oh yeah. Next time post some reasons for your viewpoint and not just pure speculation.

"Way to ignore most of my argument and pick out one insignificant piece of it to comment on"

What, the piece where you're totally ignorant about security in the iPhone OS and completely wrong in your comments? Sorry, I thought that was the most relevant piece.

"Jailbreaking" an iPhone requires you to have physical access to the device. To think that you can "jailbreak" an iPhone via a Mobile Safari exploit demonstrates that you have little, if any, actual technical knowledge on the subject.

To help counter, ahem, More Misconceptions , this article helps dispel the "Unavoidable Malware" myth, and this article from back on August 29th is why the discovery of serious security flaws in Android came as no surprise to me (starting at section "But Wait, There’s More (And Less)").

Oct 26, 08 - 10:03 pm Comment from: Cubert

More Misconceptions,

Actually, I never even used the word "security" in any of my posts. I disagreed with your assertion that Steve Jobs and Apple never intended to create an iPhone SDK. You made a baseless claim and then never backed it up. I assert that a SDK was always in the works - Apple just never talked about it in advance like many things that they do.

"To think that you can "jailbreak" an iPhone via a Mobile Safari exploit demonstrates that you have little, if any, actual technical knowledge on the subject."

Which explains why in August 2007 researchers were able to exploit a flaw in Safari to run arbitrary code on the iPhone in much the same way as this Android exploit. if you understand the jailbreaking process, the first step is to find a way to execute arbitrary non Apple approved code on the phone and expand your access from there. That's exactly what a browser flaw that lets you execute arbitrary code will allow you to do.

The one difference is once you're in on the iPhone you can do whatever you like. On Android you can do whatever you like within the browser's sandbox. Android is much better thought out in this area than the iPhone.

if you think this jailbreaking vector is hypothetical bullshit, you might want to google and read about http://www.jailbreakme.com

Gabriel, you're the one who doesn't understand what's possible. But feel free to keep showing your ignorance.

Wow... I've never seen anyone post here under that many names at the same time.

I don't think the M$ 15,000 buck payment works that way pal.

processes don't run anymore as root. They run now under the user account "mobile"
It's working that way since version 1.1.4

Get informed first dude!

"Get informed first dude!"

Get Informed yourself!

I think that no one has mentioned the 'KILL SWITCH' that each iPhone contains, I wonder why they installed one? or maybe I don't! DO YOU? wonder why?

Is there a kill switch in the Android software? If not, why not?

Is Java a secure platform? If it is, why has Apple inc. consistently refused to allow it onto the iPhone? If this is an over sight by Apple inc. why do you think it is?

If Apple inc do not take advice from the Microsoft's CEO with regards to licencing their iPhone OS and OSX, considering how much money Microsoft have made of the back of an OEM is that a mistake Apple inc. can afford? If they cannot afford to make mistakes (AAPL) how come they are now better capitalized than Microsoft?

iTunes is the World's largest online retailer, if iTunes OS is based on OSX & Safari is based on OSX + Webkit as is the iPhone, if you can access & make purchases from iTunes via the iPhone, how come not even one persons account details have been hacked or accessed from iTunes? or from the iPhone?

Sorry I went ahead of myself! Security for native applications on the iPhone were never in any of Apple inc.'s plans!!!!!!!!!!!!!!!!! Or so some would have us believe!

"One of the researchers, Charles A. Miller, notified Google of the flaw this week and said he was publicizing it now because he believed that cellphone users were not generally aware that increasingly sophisticated smartphones faced the same threats that plague Internet-connected personal computers,"

What he meant to say was "I wanted to publicize myself as being the first one to hack an Android phone and if I waited someone might have beaten me to it"

It is with Google’s Android where security was an after thought.

Why there is only one store for iPhone Apps? Why is it that no Apps are allowed to run in the background? Why developers have to have their Apps signed? Why the “kill switch”? Why is iPhone a closed platform? Why sandboxing? Why why why???

Andriod = Windows, it’s a matter of time before that thing gets infested will malware, crapware and viruses. With Android even criminals are allowed to have their nasty Apps in the Androids Market, no vetting for you. It is entirely possible that when there are tens of thousands of Apps some malware could take weeks if not months before they get picked up by the Android community putting users at risk.

If you can about security, get an iPhone, Android is a “Swiss” cheese OS.

Oh wow, the first flaw in the Porno Phone, this is not going to be good.

"Is there a kill switch in the Android software? If not, why not?"

Yes, apparently there is.

"Is Java a secure platform? "

What do you actually know about the design goals of Java? You can't be seriously suggesting that more thought was given to security and safe language constructs in C, C++ and Objective C than in Java?

"why has Apple inc. consistently refused to allow it onto the iPhone?"

By it's nature it would not require the app store, and that would cut into Apple's revenue. The same reason is why Flash or any other language that you allow you to download non app store code is forbidden. Lets face it if you're allowing people to write Objective C code, you certainly can't claim allowing them to write Java code for the platform would make things any worse from a security perspective.

"how come not even one persons account details have been hacked or accessed from iTunes? or from the iPhone"

This is not so, a proof of concept attack, remotely through a Safari flaw was shown that gave full access to the iPhone contacts list and any other data on the phone.

"Security for native applications on the iPhone were never in any of Apple inc.'s plans"

Do you know who Dottie Alpine is? google the name, the result WILL suprise you. Then come back and talk about how much thought the boys at Apple gave to security.

Apple totally underestimated the hacker community, then when it looked like they were going to lose control over the future of iPhone development, rushed out a native SDK.

"how come they are now better capitalized than Microsoft?"

Not unless Microsoft dropped to a 3rd of it's value today they aren't.

"Why there is only one store for iPhone Apps"

So Apple can get their 30% cut. It has nothing to do with security.

"Why is it that no Apps are allowed to run in the background"

That has everyone mystified. It's certainly not for security reasons, and will be rectified no doubt in future SDKs.

"Why sandboxing?"

Because defense in depth and containing the scope of any exploit is good practice. Lack of sandboxing or any effective compartmentalization of apps in the iPhone is a bad thing, not a good thing.

"Android is a “Swiss” cheese OS."

It's just laughable to suggest that the iPhone's OS design is more secure than Android's, just laughable. About as funny as claiming that Java was designed without security in mind. But keep the chuckles coming.

Oct 28, 08 - 07:30 am Comment from: smyhre

Sooooo...that was an interesting read of arguing. Guys seriously you can argue till the world ends about this, whether Mac is better than Windows, whether Obama or McCain will be a better president...blah blah blah, etc. It doesn't change the fact that YOU ALL ARE GETTING NOWHERE with your argument. An arguement is only useful if it persuades the other to change their mind if it has no affect you wasted your time. That's why I have stopped arguing with strict Windows supporters they ain't changing and neither am I, it's a waste of my time. Let life take its course.

@ Dottie Alpine, Thank you for your reply. Apparently does not equate to definitely. Google have had the benefit of hindsight from Apple's development plus the use of Apple's Webkit. (Google's CEO sits on Apple's board, of you know this!).
A Proof of concept is not an attack if no iPhone/iTune customer has suffered financial loss from their personal information collected and misused.
What value can you attribute to property in today's economic climate as opposed to cash in the bank?
Does Apple inc. allow franchises to open up shops in their name & image like McDonald does? So why should they franchise the app store model?
Would you work for nothing? If you created a product to which you had the patent, would you give it to the world free? The creator of Linux tried, but he had to enforce his rights to prevent an individual from taking them and charging a licence fee for Linux.
Apps running in the background equate to lower battery life, also, you may accidentally run a product that would run up a very high fee for staying online.
Sandbox.....Is that not a form of security? while you are developing an open system that is secure? The sandbox as you have misunderstood it was a way for developers to create software for the iPhone using Safari before the SDK was tried, tested & complete.
As for your Google check, I did and this is what I came up with, hardly an endorsement for your argument is it? It just confirms that unless your iPhone has been jailbroken, you cannot perform the hack that you suggest is possible, they tried & tried & tried. http://www.modmyi.com/forums/os-x-specific-modding-discussion/14293-unknown-root-password-its-not-dottie-alpine.html

"Google have had the benefit of hindsight from Apple's development plus the use of Apple's Webkit."

Actually it's the world's Webkit, Apple didn't start from scratch.

And as you say, Google had the benefit of hindsight (or some would argue just better sight) to develop a more secure platform.

This is not a discussion about which company's phone you prefer.
It's clear you have a brand preference for iPhones. It's one about which is a more secure design secure, and that's Android.

As to Apple's business models, proprietary vs open, well the market will pass judgment on that, maybe for, maybe against.

As to a vulnerability not being an attack, the only difference is the intent of the person who discovers it. Back before you went to jail for hacking people would launch attacks to show their prowess, now you present your attack at a conference, or if you're planning to use it for criminal purposes, keep very quiet.

"The sandbox as you have misunderstood it was a way for developers to create software for the iPhone"

It's pretty clear that you misunderstand the technique and how the word is used in the context of security. Applets in browsers are a form of security sandboxing, but then the iPhone doesn't support applets in the browser, does it? I don't know anyone who regards viewing a remote page in a browser with all code run on the server as a security sandboxing technique.

"Apps running in the background equate to lower battery life"

Is it your argument that things that use a lot of batter on the iPhone should be banned? A background app that wakes up every 5 minutes and checks somethign is not going to use anywhere near the battery and data of Google Maps or Google Earth running in the foreground with the GPS on. So perhaps if battery use is the real problem (it's not) to protect customers, apps that make the battery go down at more than a certian rate should be banned, whether they run in the foreground or background.

In that case lets get that resource and bandwidth hog Google Maps off the phone tomorrow.

Personally I'd rather have the option of running a background app that used a little more battery, or even needs to be hooked to a car charger (like Google Maps does if you want to use it continuously) yet did something that was impossible otherwise.

"while you are developing an open system that is secure?"

No, I'm developing for the iPhone dumbass, I'm just not trying to pretend it's something it's not.

It is possible to use a platform and appreciate that it has strengths and weaknesses. I understand that's probably a completely foriegn idea to you. But try it, you'll come across as being smarter when you can intelligently discuss the pros and cons of a platform.

@ Dottie Alpine. The WorldWideWeb was made accessible to the public using NextSteps software.

Who was behind Next & NextStep? Who was were the puck should be before it got there?

Intelligence is nothing if applied badly!

"The WorldWideWeb was made accessible to the public using NextSteps software."

Not really, a few researchers may have used it that way, in total only 50,000 Next machines were ever sold.

The breakthrough was Netscape on Windows. That's when millions started using the web. So Netscape stole the puck from Next and actually scored.

Apple then spent a decade or so pucking themselves.

Over that decade, Microsoft took the lead from Netscape, proving that in the end, if you own all the rinks, it doesn't matter where anyone is skating.

Anyway what does that have to do with iPhone security? The iPhone can break new ground for a mobile device and still be not as well designed from a security point of view as Android.

Please excuse the marketing plug, but I think this is relevant to the discussion. My company, Mocana, just announced a security SDK for Google’s Android platform so that developers can build robust encryption, authentication, VPN, antivirus and antimalware features into Android Handsets. If interested, there’s more here about NanoPhone: http://mocana.com/NanoPhone-Android.html. Thanks for your indulgence.

@ Dottie Alpine, A few researchers??? Do you even know who designed the protocols that all web designer's & providers have to follow? The protocols that Netscape used? and everyone else is using and still has to use??? Do you know what IPV stands for? Do you know how many versions of IPV are in existence?

As for the number of NEXT computers that were sold, that is not the issue here, just as the number of OEM's that Microsoft sells does not equate to the same level of profit that Apple inc attains. The fact is that without NEXT & NextStep, the internet would have come to existence later, very much later.

The point though, because you will not get it even if you sit on it is that those protocols that govern web page development were based on the way NextStep worked.

Do you know how NextStep worked?

"Do you know how NextStep worked?"

Badly, that's why it's extinct.

Do you know what SGML is? Do you know the real origins of HTML? Do you know what a simple protocol HTTP is? Do you know you can write a Berners Lee level httpd in about a page of C code? Do you know other then providing an initial primitive implementation how unimportant Next was to the development of the web? To equate the modern web to Berners Lee's original work would be like comparing your obviously drug addled and walnut sized brain to that of a normal human.

@ Dottie Alpine. You now show your true colours!

I suppose in your opinion Graham Alexander Bell's invention is primitive & thus unimportant, would the same apply to Marconi? & Paul Gottlieb Nipkow, John Logie Baird, Alexander Flemming, Sir Frank Whittle and finally Charles Babbage.

@ Dottie Alpine, I feel sorry for you so here is some spoonfeeding to keep you healthy! From Wikipedia.

Influence

The first web browser, WorldWideWeb, was developed on the Nextstep platform. Some features and keyboard shortcuts now commonly found in web browsers can be traced to Nextstep conventions. The basic layout options of HTML 1.0 and 2.0 are attributable to those features available in NeXT's Text class.[1] The game Doom was also largely developed on NeXT machines,[2] as was Macromedia FreeHand, the modern "Notebook" interface for Mathematica, and the advanced spreadsheet Lotus Improv.
About the time of the 3.2 release, NeXT teamed up with Sun Microsystems to develop OpenStep, a cross-platform standard, and implementations of that standard (for Sun Solaris, Microsoft Windows, and NeXT's version of the Mach kernel), based on Nextstep 3.2. The implementation for NeXT's version of the Mach kernel was called "Openstep for Mach"; the 4.0 release of that was the successor to Nextstep 3.2. Following an announcement on December 20, 1996,[3] on February 4, 1997, Apple Computer acquired NeXT for $427 million, and used the Openstep for Mach operating system as the basis for Mac OS X.[4]

"I suppose in your opinion Graham Alexander Bell's invention is primitive & thus unimportant,"

That illustrates a key point about Berners Lee, Next and and the Web, it's hardly unique workor work that required a Next machine. For the telephone Elisha Gray was doing the same thing at the same time with other hardware.

Next's involvement in the process was as critical as the part that sandhills played in the progress of powered flight.

"would the same apply to Marconi?"

Perhaps the residents of Pontecchio should be credited with that invention because that's where it occurred.

"Paul Gottlieb Nipkow"

The people of maybe Lauenburg where he was born should be credited with that one.

"John Logie Baird"

Lets give the credit for that one to the owner of his favorite restaurant.

"Alexander Flemming"

Well that was just an accident.

"Sir Frank Whittle"

The credit for that goes to Coventry.

"Charles Babbage"

Well there's no question that Babbage invented the Mac, because on planet Crabapple we credit the invention to the first person who did something remotely related to the field, or the inhabitants of the place where something was invented.

Btw congratulations to Ada Lovelace for inventing Objective C and the iPhone SDK.

Congratulations! Augusta Ada King, Countess of Lovelace is indeed the first ever computer programmer.

If Charles Babbage had built his computer, her algorithm would have been able to calculate Bernoulli numbers!

The fact that The US defense department named the computer language they created after her does not mean her algorithm was Objective C, you could at an incredible push claim that her algorithm was the basis for the development it but you would be hard pushed to prove it since it was written for a mechanical computer as opposed to vacuum tubes, transistors and chips.

As for where she lived, you will be interested to know that that was the birth place of William of Ockham of Occam's Razor outlined in the fourteenth century. He also happened to be a mathmatician as was the Countess of Lovelace five century's later.

I think you are an intelligent person as you provide credible background to your arguments. Here is a tip for you:- putting words into somebody else's mouth as a means to descredit their argument only reflects badly on you, it portray's a restless mind that lacks temperament.