iPhone Security Whinging
figure 1: Munir Kotadia of ZDNet Australia.
The good folks of MYiTablet found an article from ZDNet Australia where Munir Kotadia lambasts "greedy Apple users" for trusting anyone.
"There is no evidence to suggest that this particular jailbreak utility is at all malicious but how long will it be before copycat sites appear that have less honourable intentions?"
He then goes on to say that malevolent data thieves and identity swipers could steal passwords, credit card numbers, and entire online identities. They could use the iPhone as a gateway into your home network; they could do any number of things. He even manages to cast their patching of the TIFF vulnerability in a negative light.
But, the one thing that he doesn't address is this: unless I hack my iPhone, I couldn't know if malevolent hackers were doing that anyway. You can't trust the security of a black box. Preaching paranoia doesn't solve any security problems. Indeed, most security problems are solved by establishing trust. For those of you on Windows machines, you fix (or at least partially alleviate, wink) your virus problems by trusting that Norton AntiVirus will keep you safe from viruses. You trust that Ad-Aware will remove spyware from your computer. You trust that patches from Microsoft are legitimate. You trust that ZoneAlarm is a decent 3rd party firewall. And so on.
For many people, Installer.app is the one tool that they have to actually verify that their iPhone is in decent order. Without it and the access to other apps that it provides, I can't tell where the iPhone is connecting to when I'm on EDGE networks, I can't find out what's sitting there on the iPhone's filesystem, and more importantly, I can't find out what shouldn't be there.
It's one thing to preach that users shouldn't trust every website. He's right in that, but the circle of trust has to start somewhere. It's security as preached by "Meet the Fockers," but the circle of trust doesn't do anybody any good unless someone is in it.
The Apple hacking community has really been excellent so far. For most of the work they've done, they've aimed for open source so other programmers can view the code and verify that it's legitimate. This begins the circle of trust between programmers. Once they build a network of trust with each other, it then spreads into the journalism world, via one of the programmers' blogs. In terms of negative stuff, there have just been a few tiffs between developers, and one instance of possible intellectual property infringement, and for this I'm very thankful.