<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>iMore &#187; security</title>
	<atom:link href="http://www.imore.com/tag/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.imore.com</link>
	<description>More of everything iPhone and iPad</description>
	<lastBuildDate>Sat, 26 May 2012 21:39:33 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Apple details security updates covered in iOS 5.1.1 update</title>
		<link>http://www.imore.com/2012/05/08/apple-details-security-updates-covered-ios-511-update/</link>
		<comments>http://www.imore.com/2012/05/08/apple-details-security-updates-covered-ios-511-update/#comments</comments>
		<pubDate>Tue, 08 May 2012 13:03:29 +0000</pubDate>
		<dc:creator>Chris Oldroyd</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[5.1.1]]></category>
		<category><![CDATA[Apple]]></category>
		<category><![CDATA[ios]]></category>
		<category><![CDATA[ipad]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[ipod touch]]></category>
		<category><![CDATA[Safari]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[webkit]]></category>

		<guid isPermaLink="false">http://www.imore.com/?p=110605</guid>
		<description><![CDATA[Apple has released information on the security updates that were covered in the recent release of iOS 5.1.1. When it was originally released yesterday, all that we knew was that there were various bug fixes. This update actually covers some important security fixes too for Mobile Safari and WebKit-based browsers in general.]]></description>
			<content:encoded><![CDATA[<p><img class="aligncenter size-medium wp-image-110532" title="Apple releases iOS 5.1.1 for iPhone, iPod touch, iPad" src="http://cdn.tipb.com/images/stories//2012/05/imore_ios_5-1-1_hero1-620x345.jpg" alt="Apple releases iOS 5.1.1 for iPhone, iPod touch, iPad" width="620" height="345" /></p>

<p>Apple has released information on the security updates that were covered in the <a href="http://www.imore.com/2012/05/07/apple-releases-ios-511/">recent release of iOS 5.1.1</a>. When it was originally released yesterday, all that we knew was that there were various bug fixes. This update actually covers some important security fixes too for Mobile Safari and WebKit-based browsers in general.
<ul>
    <li>Available for: iPhone 3GS, iPhone 4, iPhone 4S, iPod touch (3rd generation) and later, iPad, iPad 2. Impact: A maliciously crafted website may be able to spoof the address in the location bar.</li>
    <li>Available for: iPhone 3GS, iPhone 4, iPhone 4S, iPod touch (3rd generation) and later, iPad, iPad 2. Impact: Visiting a maliciously crafted website may lead to a cross-site scripting attack. Description: Multiple cross-site scripting issues existed in WebKit.</li>
    <li>Available for: iPhone 3GS, iPhone 4, iPhone 4S, iPod touch (3rd generation) and later, iPad, iPad 2. Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. Description: A memory corruption issue existed in WebKit.</li>
</ul>
If you do a lot of web surfing on your iOS device it is definitely worthwhile upgrading to iOS 5.1.1 just for these security updates. Of course, if you are running a jailbroken device you will still want to steer clear for now.</p>

<p>Given that, with <a href="http://www.imore.com/ios">iOS 5</a>, Apple introduced over-the-air (OTA) updates to the iPhone, iPod touch, and iPad, it's interesting that they're still waiting and bundling security patches into larger software updates. OTA updates are done via bit-differential (delta file), and happen on-device and without the need to back up, re-install, and restore, so they're small and incredibly efficient. Apple could choose to push out security updates far more frequently. It's possible they think more frequent updates could annoy users, or their numbers tell them too many users are still updating over USB with iTunes for it to make sense right now. Hopefully, however, they're moving in that direction.</p>

<p>If you haven't yet updated to iOS 5.1.1 and you're looking for some help to get started, here’s where to go:
<ul>
    <li><a href="http://www.imore.com/2012/04/16/how-to-setup-backup-restore-update-use-icloud/#icloud-update">How to update your iPhone, iPod touch, or iPad over-the-air using iCloud</a></li>
    <li><a href="http://www.imore.com/2011/10/11/daily-tip-update-iphone-ipad-ipod-touch-ios-5/">How to update your iPhone, iPod touch, or iPad using iTunes on Mac or Windows</a></li>
    <li><a href="http://forums.imore.com/ios-5-forum/234255-ios-5-1-1-here-rev-up-your-icloud-itunes-updating-engines.html#post1873280">iOS 5 help and discussion forum</a></li>
</ul>
<div>Source: <a href="http://support.apple.com/kb/HT5278">Apple Support</a></div></p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2012/05/08/apple-details-security-updates-covered-ios-511-update/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>AT&amp;T announces home automation service with iPhone and iPad remote control apps</title>
		<link>http://www.imore.com/2012/05/07/att-announces-home-automation-service-ios-remote-control-app/</link>
		<comments>http://www.imore.com/2012/05/07/att-announces-home-automation-service-ios-remote-control-app/#comments</comments>
		<pubDate>Mon, 07 May 2012 14:42:41 +0000</pubDate>
		<dc:creator>Simon Sage</dc:creator>
				<category><![CDATA[App Store Apps]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[AT&T]]></category>
		<category><![CDATA[digital life]]></category>
		<category><![CDATA[home automation]]></category>
		<category><![CDATA[home automation apps]]></category>
		<category><![CDATA[ipad apps]]></category>
		<category><![CDATA[iphone apps]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security apps]]></category>

		<guid isPermaLink="false">http://www.imore.com/?p=110469</guid>
		<description><![CDATA[AT&#38;T has announced a new home security and automation service called Digital Life that comes with an iPad and iPhone app with a bunch of security and remote control options. With it, you can change the temperature, switch the lights, manage the alarm system, control the window blinds, shut off the water main, and even remotely unlock doors. ]]></description>
			<content:encoded><![CDATA[<p><img class="aligncenter size-medium wp-image-110475" title="AT&amp;T announces home automation service with iOS remote control app" src="http://cdn.tipb.com/images/stories//2012/05/ATT-DigitalLife-620x378.jpg" alt="AT&amp;T announces home automation service with iOS remote control app" width="620" height="378" /></p>

<p>AT&amp;T has announced a new home security and automation service called Digital Life that comes with an iPad and iPhone app with a bunch of security and remote control options. With it, you can change the temperature, switch the lights, manage the alarm system, control the window blinds, shut off the water main, and even remotely unlock doors. Here's the full feature list:
<ul>
    <li>Professional installation of the platform, sensors and other devices</li>
    <li>Integrated, wirelessly enabled platform that combines home security and automation capabilities</li>
    <li>AT&amp;T owned and operated 24/7 security monitoring centers</li>
    <li>A state-of-the-art user interface application, which allows customers to customize a solution based on individual needs, and the ability to manage and control their services from the U.S. or while traveling abroad</li>
    <li>The option to experience and purchase the service in AT&amp;T’s distribution channels, including AT&amp;T company-owned retail stores. The service will also be made available for purchase on att.com when available commercially.</li>
    <li>The ability to add more features and services after the initial installation, hassle free</li>
</ul>
This is a pretty sweet package that seems to include just about everything you would need, but I cringe to think what the initial set-up cost would be, never mind the monthly subscription fee. <a href="http://www.imore.com/2012/03/02/nexia-home-security-bundle-review/">Similar bundles go for about $500 to set up</a>, so that should give you an idea of what to expect. Wi-Fi routers tend to be the hubs for home automation, but emerging standards like NFC and Wi-Fi Direct certainly have a role to play, as well as older technologies like Bluetooth - it's just tricky getting all of these in-home machines to talk with one another while keeping the user experience simple and straightforward.</p>

<p>Trials for the system are kicking off in Atlanta and Dallas over the summer. Want to sign up? Hit the link below.</p>

<p>Source: <a href="http://dl-support.att.com/digitallife">AT&amp;T's Digital Life registration page</a></p>

<p><object width="620" height="345" classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="src" value="http://www.youtube.com/v/pHUP8UMAE8Q?version=3&amp;hl=en_US" /><param name="allowfullscreen" value="true" /><embed width="620" height="345" type="application/x-shockwave-flash" src="http://www.youtube.com/v/pHUP8UMAE8Q?version=3&amp;hl=en_US" allowFullScreen="true" allowscriptaccess="always" allowfullscreen="true" /></object></p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2012/05/07/att-announces-home-automation-service-ios-remote-control-app/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>iPhone and iPad theft in New York up 44% since last year</title>
		<link>http://www.imore.com/2012/04/23/iphone-ipad-theft-york-44-year/</link>
		<comments>http://www.imore.com/2012/04/23/iphone-ipad-theft-york-44-year/#comments</comments>
		<pubDate>Mon, 23 Apr 2012 13:37:32 +0000</pubDate>
		<dc:creator>Simon Sage</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[crime]]></category>
		<category><![CDATA[ipad]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[New York]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Theft]]></category>

		<guid isPermaLink="false">http://www.imore.com/?p=108636</guid>
		<description><![CDATA[Recent data from the New York Police Department shows that the theft of iPhones and iPads has increased by 44% since last year. From the beginning of the year to April 15, 1,196 iOS devices have been stolen, while 831 were swiped during the same period in 2011. ]]></description>
			<content:encoded><![CDATA[<p><img class="aligncenter" title="An iPhone being stolen from a backpack" src="http://cdn.tipb.com/images/stories//2012/04/iPhone-steal-620x465.jpg" alt="An iPhone being stolen from a backpack" width="620" height="465" /></p>

<p>Recent data from the New York Police Department shows that the theft of iPhones and iPads has increased by 44% since last year. From the beginning of the year to April 15, 1,196 iOS devices have been stolen, while 831 were swiped during the same period in 2011. These stats are surfacing shortly after a 26-year-old chef named Hwangbum Yang was shot and killed in the Bronx for his iPhone. His wallet was left alone, however. The NYPD advises against flashing your iPhone or iPad while on the subway, which is common sense for the vast majority of us, but a good thing to remember for those long trips when you're bored.</p>

<p>U.S. carriers have <a href="http://www.imore.com/2012/04/10/u-s-carriers-band-together-to-form-database-of-stolen-phones/">recently announced</a> that they're working on forming a shared database of IMEI serial numbers of stolen mobile phones, which should allow them to remotely lock devices that have been blacklisted. While determined thieves are likely to find a work-around, the process will at least act as a deterrent to less-informed criminals.</p>

<p>I would be curious to see if this rise in iPhone and iPad theft is consistent across the U.S., and how it differs internationally. At the very least, let this be a reminder to <a href="http://www.imore.com/2012/03/19/find-lost-stolen-ipad/">have Find my iPhone installed</a> and running - <a href="http://www.imore.com/2012/04/02/find-ipad-app-helps-8yearold-catch-burglars-350000worth-stolen-property/">it has been known to save the day before</a>. Our own Rene Ritchie <a href="http://www.imore.com/2011/09/22/smashed-grabbed/">was the victim of a smash-and-grab last fall</a>, but do you know anybody that has had their iOS device or other smartphone stolen?</p>

<p>Source: <a href="http://www.nydailynews.com/new-york/iphone-ipad-thefts-rise-nypd-article-1.1065288?localLinksEnabled=false">New York Daily News</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2012/04/23/iphone-ipad-theft-york-44-year/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>Bulletproof iPhone case denies hot lead entry to App Store, bodily organs</title>
		<link>http://www.imore.com/2012/04/17/bulletproof-iphone-case-denies-hot-lead-entry-app-store-bodily-organs/</link>
		<comments>http://www.imore.com/2012/04/17/bulletproof-iphone-case-denies-hot-lead-entry-app-store-bodily-organs/#comments</comments>
		<pubDate>Tue, 17 Apr 2012 16:39:35 +0000</pubDate>
		<dc:creator>Simon Sage</dc:creator>
				<category><![CDATA[Accessories]]></category>
		<category><![CDATA[bulletproof]]></category>
		<category><![CDATA[case]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.imore.com/?p=108001</guid>
		<description><![CDATA[A metal parts manufacturer in Japan called Marudai has cooked up an iPhone case that offers protection against a 50 caliber bullet from the rear. ]]></description>
			<content:encoded><![CDATA[<p><img class="aligncenter size-full wp-image-108005" title="A bulletproof iPhone case" src="http://cdn.tipb.com/images/stories//2012/04/iPhone-bulletcase-b.jpg" alt="A bulletproof iPhone case" width="620" height="558" /></p>

<p>A metal parts manufacturer in Japan called Marudai has cooked up an iPhone case that offers protection against a .50 caliber bullet from the rear. The inch of armor plating weighs a whopping 2 kg all told. Both white and black versions are available, and there's even a little hole so you can still use the camera. The manufacturer warns that the front won't take a bullet, and that the armor plating can easily scratch tables you place it on. Oh, and because of the weight, you'll probably want to call using both hands. Despite all of the protection, there's no guarantee that your phone will still work after getting hit, but at least the round probably won't make it through to whatever fleshy bits are on the other side.</p>

<p>Practical? No. Hilarious? You betcha. It's <a href="http://www.marudai-corp.com/iphone-case/info-product.html">available now for 52,500 Yen, or $US 650</a>, shipping included. Marudai will even throw in a 12.7 mm bullet casing so you can show how badass you are.</p>

<p>Source: <a href="http://dvice.com/archives/2012/04/bulletproof-cas.php">Dvice</a> via <a href="http://gizmodo.com/5901966/heavily-armored-iphone-case-can-stop-a-50-caliber-round">Gizmodo</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2012/04/17/bulletproof-iphone-case-denies-hot-lead-entry-app-store-bodily-organs/feed/</wfw:commentRss>
		<slash:comments>13</slash:comments>
		</item>
		<item>
		<title>Apple asking for ID security questions to thwart account breaches</title>
		<link>http://www.imore.com/2012/04/12/apple-id-security-questions-thwart-account-breaches/</link>
		<comments>http://www.imore.com/2012/04/12/apple-id-security-questions-thwart-account-breaches/#comments</comments>
		<pubDate>Thu, 12 Apr 2012 17:35:21 +0000</pubDate>
		<dc:creator>Simon Sage</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[apple id]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.imore.com/?p=107261</guid>
		<description><![CDATA[Apple has recently started prompting iOS users to create three security questions and answers to make sure nobody's breaking into their account. ]]></description>
			<content:encoded><![CDATA[<p><img class="aligncenter size-full wp-image-107263" title="iPhone-security" src="http://cdn.tipb.com/images/stories//2012/04/iPhone-security.jpg" alt="" width="620" height="532" /></p>

<p>Apple has recently started prompting iOS users to create three security questions and answers to make sure nobody's breaking into their account. The additional measure is standard practice, and considering your credit card information is associated with your account, this is a solid move to make. Some users may be understandably worried that this is a sneaky phishing attempt, but apparently the prompt checks out - some users are reporting iTunes is asking users for security questions too.</p>

<p>We got asked for them yesterday when setting up a new account in iTunes desktop, and <em>The Next Web</em> has seen them pop up on the iPhone as well.</p>

<p>Has anyone received this prompt yet? Are they asking for any other security info? Are you happy about going through this extra step if it means better security or is it just one more annoyance between you and getting your apps?</p>

<p>Source: <a href="http://thenextweb.com/apple/2012/04/12/apple-enhances-apple-id-account-security-in-itunes-and-on-ios-devices-leaving-users-confused/">TNW</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2012/04/12/apple-id-security-questions-thwart-account-breaches/feed/</wfw:commentRss>
		<slash:comments>37</slash:comments>
		</item>
		<item>
		<title>Path adds better security to further address privacy concerns</title>
		<link>http://www.imore.com/2012/04/03/path-update-version-211-addresses-privacy-concerns/</link>
		<comments>http://www.imore.com/2012/04/03/path-update-version-211-addresses-privacy-concerns/#comments</comments>
		<pubDate>Tue, 03 Apr 2012 16:43:06 +0000</pubDate>
		<dc:creator>Allyson Kazmucha</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[address book]]></category>
		<category><![CDATA[hashing data]]></category>
		<category><![CDATA[path]]></category>
		<category><![CDATA[privacy concerns]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.imore.com/?p=105742</guid>
		<description><![CDATA[The new version of Path will hash your Contact data including names, e-mail addresses, Twitter handles, and Facebook profile IDs.]]></description>
			<content:encoded><![CDATA[<p><img src="http://cdn.tipb.com/images/stories//2012/03/path-update-620x413.jpg" alt="Path update lets you journal your runs, identify music, and more" title="Path update lets you journal your runs, identify music, and more" width="620" height="413" class="aligncenter size-medium wp-image-101464" /></p>

<p>Popular iPhone social network Path has been <a href="http://www.imore.com/2012/03/08/path-update-lets-journal-runs-identify-music/">updated again</a>, this time to version 2.1.1, to further address the privacy concerns that gained widespread media attention over the last couple of months. The new version of Path will hash your Contact data including names, e-mail addresses, Twitter handles, and Facebook profile IDs. Hashing basically takes the data and applies a cryptographic algorithm to it that renders it unintelligible to anyone who might try to intercept it as it's transmitted between your device and Path's server. (A so-called "man in the middle" attack.)</p>

<blockquote>
  <p>We take privacy and security seriously, and we believe your data deserves to be well-protected. That’s why, with the release of Path 2.1.1, we are enhancing our security by hashing user contact data so that it is anonymized. This means last names, phone numbers, email addresses, Twitter handles and Facebook IDs. We collect this data to connect you with those who are closest to you.</p>
</blockquote>

<p>The extra precautions are welcome, and if it increases sensitivity to privacy in general, well worth the <a href="http://www.imore.com/2012/02/08/path-apologizes-address-book-wipes-data-servers/">controversy and attention</a> it got a while back. It <a href="http://www.imore.com/2009/12/09/nuance-responds-dragon-dictation-iphone-privacy-concerns/">wasn't the first time</a>, it won't be the last, but hopefully it will become even less frequent going forward.</p>

<p>Although developers should be responsible with how they store and utilize people's data, it's also vital for us to understand how our data can be used online. Apps like <a href="http://www.imore.com/2012/04/03/girls-foursquare-api-revoked-pulls-app-store/">Girls Around Me</a> used data in a way that can be described as just plain scary. The worst part is they weren't really pulling anything that the entire world didn't already have access to. This is why it's so important for users to understand how to change and edit their <a href="http://www.imore.com/2012/01/03/years-resolution-review-social-network-privacy-settings/">privacy settings</a> across all social networks. And the best rule still applies -- if you don't want the whole world to know or see something, just don't post it to begin with. </p>

<h2>Free - <a href="http://click.linksynergy.com/fs-bin/click?id=xhX*vKggN*k&amp;subid=&amp;offerid=146261.1&amp;type=10&amp;tmpid=3909&amp;RD_PARM1=http%3A%2F%2Fitunes.apple.com%2Fus%2Fapp%2Fpath%2Fid403639508%3Fmt%3D8">Download Now</a></h2>

<p>Source: <a href="http://blog.path.com/post/20371369060/protecting-user-privacy-path-2-1-1">Path</a></p>

<p>Additional resources:</p>

<ul>
<li><a href="http://www.imore.com/2012/01/03/years-resolution-review-social-network-privacy-settings/">How to review your social network privacy settings</a></li>
<li><a href="http://forums.imore.com/facebook-twitter-google-social-forum/">iMore social networking forums</a></li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2012/04/03/path-update-version-211-addresses-privacy-concerns/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Girls Around Me has Foursquare API revoked, pulls out of App Store</title>
		<link>http://www.imore.com/2012/04/03/girls-foursquare-api-revoked-pulls-app-store/</link>
		<comments>http://www.imore.com/2012/04/03/girls-foursquare-api-revoked-pulls-app-store/#comments</comments>
		<pubDate>Tue, 03 Apr 2012 15:21:07 +0000</pubDate>
		<dc:creator>Simon Sage</dc:creator>
				<category><![CDATA[App Store Apps]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[FourSquare]]></category>
		<category><![CDATA[girls around me]]></category>
		<category><![CDATA[i-free]]></category>
		<category><![CDATA[location]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.imore.com/?p=105727</guid>
		<description><![CDATA[Foursquare has revoked API access to the iOS app Girls Around Me, forcing them to take their tracking app down from the Apple App Store. This follows a scathing editorial on <em>Cult of Mac</em> in which the privacy implications of the app were called into question. The Russian developer, i-Free, has since issued a statement claiming  that they've done nothing wrong, and that they're only using APIs on Foursquare and Facebook to enable users to find the names and locations of girls and guys nearby. ]]></description>
			<content:encoded><![CDATA[<p><img class="aligncenter size-full wp-image-105741" title="Girls Around Me app" src="http://cdn.tipb.com/images/stories//2012/04/girls_around_me.jpg" alt="Girls Around Me app" width="620" height="333" /></p>

<p>Foursquare has revoked API access to the iOS app Girls Around Me, forcing them to take their tracking app down from the Apple App Store. This follows a scathing editorial on <em>Cult of Mac</em> in which the privacy implications of the app were called into question. The Russian developer, i-Free, has since issued a statement claiming  that they've done nothing wrong, and that they're only using APIs on Foursquare and Facebook to enable users to find the names and locations of girls and guys nearby.
<blockquote>We are absolutely convinced that it is good and important to educate the users to take care of their privacy and what they share publicly. But we believe it is unethical to pick a scapegoat to talk about the privacy concerns.  We see this wave of negative as a serious misunderstanding of the apps’ goals, purpose, abilities and restrictions. Girls Around Me does not provide any data that is unavailable to user when he uses his or her social network account, nor does it reveal any data that users did not share with others. The app was intended for facilitating discovering of great public venues nearby. The app was designed to make it easier for a user to step out of door and hang out in the city, find people with common interests and new places to go to.</blockquote>
Girls Around Me is without a doubt a skeezy concept, and I'm all for raising internet privacy awareness -- Girls Around Me serves as a perfect example of why you want to be mindful of what you post online. Still, I think it's a little unfair to demonize the app and its developer. They were simply making a buck with the tools that were available and addressing an obvious demand. Is there anything stopping registered Foursquare users from monitoring recent check-ins at their favourite haunts and drilling down into those profiles to find linked Facebook accounts? It seems like Girls Around Me only simplified and monetized an activity that was (and still is) possible to engage in with anyone that had Foursquare and Facebook installed on their phone. Case in point, <a href="http://www.cultofmac.com/158215/why-foursquare-really-killed-creepy-stalking-app-girls-around-me/">Foursquare didn't pull the API on moralistic grounds</a>; they explained that it was done simply because of how i-Free was displaying the data.
<blockquote>We have a policy against aggregating information across venues using our API, to prevent situations like this where someone would present an inappropriate overview of a series of locations.</blockquote>
Girls Around Me basically just made it so would-be stalkers wouldn't have to browse through each business individually, and could instead just glance at a map for recent check-ins. Even that <a href="http://www.4sqmap.com">kind of service is already available elsewhere</a>.</p>

<p>There are ways to implement location-based dating without getting creepy -- namely, providing a layer of anonymity that can protect people from being spied on unless they explicitly allow access. That said, people who don't want to be tracked down shouldn't be checking in on Foursquare, and if they are, they should take some time to figure out the privacy settings.</p>

<p>Was Foursquare right to revoke API access to Girls Around Me? Will doing so actually improve awareness of online privacy concerns or prevent abuses?</p>

<p>Source: <a href="http://blogs.wsj.com/digits/2012/03/31/girls-around-me-developer-defends-app-after-foursquare-dismissal/">WSJ</a>, <a href="http://www.cultofmac.com/157641/this-creepy-app-isnt-just-stalking-women-without-their-knowledge-its-a-wake-up-call-about-facebook-privacy/">Cult of Mac</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2012/04/03/girls-foursquare-api-revoked-pulls-app-store/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Find my iPad app helps 8-year-old catch burglars and $350,000-worth of stolen property</title>
		<link>http://www.imore.com/2012/04/02/find-ipad-app-helps-8yearold-catch-burglars-350000worth-stolen-property/</link>
		<comments>http://www.imore.com/2012/04/02/find-ipad-app-helps-8yearold-catch-burglars-350000worth-stolen-property/#comments</comments>
		<pubDate>Mon, 02 Apr 2012 16:33:33 +0000</pubDate>
		<dc:creator>Simon Sage</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[crime]]></category>
		<category><![CDATA[find my ipad]]></category>
		<category><![CDATA[gps]]></category>
		<category><![CDATA[robbery]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.imore.com/?p=105590</guid>
		<description><![CDATA[An eight-year-old kid from Tennessee was able to track down some burglars that had broken into his home and stolen his iPad by using an Apple-made location-tracking app. The Find my iPad app helped police locate the hotel where these thieves were staying, and their stash of $350,000-worth of stolen loot amassed over other break-ins. ]]></description>
			<content:encoded><![CDATA[<p><img class="aligncenter size-medium wp-image-105597" title="landon crabtree" src="http://cdn.tipb.com/images/stories//2012/04/landon-crabtree-620x463.jpg" alt="landon crabtree" width="620" height="463" /></p>

<p>An eight-year-old kid from Tennessee was able to track down some burglars that had broken into his home and stolen his iPad by using an Apple-made location-tracking app. The <a href="http://www.imore.com/2012/03/19/find-lost-stolen-ipad/">Find my iPad app</a> helped police locate the hotel where these thieves were staying, and their stash of $350,000-worth of stolen loot amassed over other break-ins. The kid, Landon Crabtree, is going to get the key to the city for his help.</p>

<p>We hear stories like this <a href="http://www.imore.com/2009/08/31/mobilemes-find-iphone-fighting-crime/">every so often</a>, but I think the real news here is that apps like Find my iPad and Find my iPhone are still a surprise to a lot of people. Google has a similar system in place with <a href="http://www.androidcentral.com/tags/google-latitude">Latitude</a>, and BlackBerry has a security suite called <a href="http://crackberry.com/tags/blackberry-protect">Protect</a> that not only can track down via GPS, but also remotely lock and wipe devices, much like Find my iPad. For those of us steeped in mobile tech, the fact that the location of your phone or tablet can be remotely pinpointed is kind of old hat, but I know plenty of late adopters that are freaked out by the idea. Stories like this definitely serve to combat those Big Brother anxieties.</p>

<p>Apple's products tend to be hot commodities for muggers... Have any of you new iPad owners had to deal with theft? Is there really anything to worry about if you've got Find my iPad or Find my iPhone installed?</p>

<p>Add your experience to our <a href="http://forums.imore.com/icloud-forum/232588-true-tales-find-my-iphone.html#post1863512">True tales of Find my iPhone</a> in the <a href="http://forums.imore.com/ios-icloud-itunes-forums/">iCloud Forum</a>. </p>

<p style="text-align: center;"><object id="msnbc700bb8" width="592" height="346" classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param name="FlashVars" value="launch=46918209^180^226040&amp;width=592&amp;height=346" /><param name="allowScriptAccess" value="always" /><param name="allowFullScreen" value="true" /><param name="wmode" value="transparent" /><param name="src" value="http://www.msnbc.msn.com/id/32545640" /><param name="flashvars" value="launch=46918209^180^226040&amp;width=592&amp;height=346" /><param name="allowscriptaccess" value="always" /><param name="allowfullscreen" value="true" /><param name="pluginspage" value="http://www.adobe.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash" /><embed id="msnbc700bb8" width="592" height="346" type="application/x-shockwave-flash" src="http://www.msnbc.msn.com/id/32545640" FlashVars="launch=46918209^180^226040&amp;width=592&amp;height=346" allowScriptAccess="always" allowFullScreen="true" wmode="transparent" flashvars="launch=46918209^180^226040&amp;width=592&amp;height=346" allowscriptaccess="always" allowfullscreen="true" pluginspage="http://www.adobe.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash" /></object></p>

<p>Source: <a href="http://video.today.msnbc.msn.com/today/46918209#46918209">MSNBC</a> via <a href="http://9to5mac.com/2012/04/01/8-year-old-uses-find-my-ipad-to-find-crooks-with-350000-in-stolen-goods/">9to5Mac</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2012/04/02/find-ipad-app-helps-8yearold-catch-burglars-350000worth-stolen-property/feed/</wfw:commentRss>
		<slash:comments>15</slash:comments>
		</item>
		<item>
		<title>XRY security software extracts iPhone lock code really, really easily</title>
		<link>http://www.imore.com/2012/03/28/xry-security-software-extracts-iphone-lock-code-easily/</link>
		<comments>http://www.imore.com/2012/03/28/xry-security-software-extracts-iphone-lock-code-easily/#comments</comments>
		<pubDate>Wed, 28 Mar 2012 15:57:09 +0000</pubDate>
		<dc:creator>Simon Sage</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[law]]></category>
		<category><![CDATA[law enforcement]]></category>
		<category><![CDATA[Legal]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security iphone]]></category>

		<guid isPermaLink="false">http://www.imore.com/?p=105029</guid>
		<description><![CDATA[Sweden-based Micro Systemation recently demonstrated on video just how easily their desktop software for military and law enforcement can crack into an iPhone. With a few quick reboots, XRY can dig out not only the phone's unlock code, but also personal data, GPS locations, messages, and a log of keystrokes. ]]></description>
			<content:encoded><![CDATA[<p><img class="aligncenter size-full wp-image-105032" title="XRY-iPhone-unlock-code" src="http://cdn.tipb.com/images/stories//2012/03/XRY-iPhone-unlock-code.jpg" alt="" width="620" height="349" /></p>

<p>Sweden-based Micro Systemation recently demonstrated on video just how easily their desktop software for military and law enforcement can crack into an iPhone. With a few quick reboots, XRY can dig out not only the phone's unlock code, but also personal data, GPS locations, messages, and a log of keystrokes. Though Micro Systemation wouldn't go into specifics on how they go about doing all of this, they said the process is similar to jailbreaking, and they're constantly keeping up to speed on the latest iOS and Android updates. Though the video below shows the process happening pretty quickly, more complicated passwords can make the crack take infinitely longer - sometimes too long to be worth it.</p>

<p>Of course, this kind of software is used exclusively by law enforcement agencies of various kinds around the world, so there's no need to worry about some random hacking into your phone with this software. Likewise, Micro Systemation isn't responsible for how police and military use the software once they've been certified by local governments.   In California, cops don't even need a warrant to search your phone.</p>

<p>We all know that our iPhones are highly personal items and can store a lot of sensitive information on them. As scary as it might be that the cops can get access to it in a heartbeat, it's only really an issue if you've done something wrong, isn't it?</p>

<p><object width="620" height="345" classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="src" value="http://www.youtube.com/v/u1Gb5stnc54?version=3&amp;hl=en_US" /><param name="allowfullscreen" value="true" /><embed width="620" height="345" type="application/x-shockwave-flash" src="http://www.youtube.com/v/u1Gb5stnc54?version=3&amp;hl=en_US" allowFullScreen="true" allowscriptaccess="always" allowfullscreen="true" /></object></p>

<p>Source: <a href="http://www.forbes.com/sites/andygreenberg/2012/03/27/heres-how-law-enforcement-cracks-your-iphones-security-code-video/">Forbes</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2012/03/28/xry-security-software-extracts-iphone-lock-code-easily/feed/</wfw:commentRss>
		<slash:comments>23</slash:comments>
		</item>
		<item>
		<title>Address bar spoofing exploit found for iPhone, iPad Safari in iOS 5.1</title>
		<link>http://www.imore.com/2012/03/23/address-bar-spoofing-exploit-apples-mobile-safari-ios-51/</link>
		<comments>http://www.imore.com/2012/03/23/address-bar-spoofing-exploit-apples-mobile-safari-ios-51/#comments</comments>
		<pubDate>Fri, 23 Mar 2012 06:10:09 +0000</pubDate>
		<dc:creator>Chris Parsons</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[ios 5.1]]></category>
		<category><![CDATA[mobile safari]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.imore.com/?p=104354</guid>
		<description><![CDATA[With the amount of iOS devices out there in the world these days, the amount of individuals looking to exploit Apple's offerings is growing.
A new iOS 5.1 vulnerability has now been exposed pertaining to how Mobile Safari handles web addresses input into the address bar.]]></description>
			<content:encoded><![CDATA[<p><img class="size-full wp-image-104356 aligncenter" title="iOS 5.1 Exploit" src="http://cdn.tipb.com/images/stories//2012/03/iOS_51_Exploit.jpg" alt="iOS 5.1 Exploit" width="620" height="415" />
With the amount of iOS devices out there in the world these days, the amount of individuals looking to exploit Apple's offerings is growing.</p>

<p>A new security vulnerability has now been exposed pertaining to how Apple's <a href="http://www.imore.com/tag/safari/">Safari</a> web browser handles site names entered into the address bar. The exploit, discovered by David Vieira-Kurz of MajorSecurity, involves spoofing (faking) the name of the site the user thinks they are going to in Safari while secretly redirecting them to a different, potentially malicious website without their knowledge.</p>

<p>The vulnerability has been reproduced on every device running iOS 5.1 including the <a href="http://www.imore.com/iphone-4/">iPhone 4</a>, <a href="http://www.imore.com/iphone-4s/">iPhone 4S</a>, <a href="http://www.imore.com/ipad-2/">iPad 2</a>, and <a href="http://www.imore.com/ipad">the new iPad</a>. Given the reproducible results, the Dutch Ministry of Security and Justice has issued a warning.</p>

<p>A proof of concept has been provided by Vieira-Kurz and the results have been acknowledged by Apple as far back as March 3rd. That said, it stands to reason that an update from Apple is being worked on to close the hole.</p>

<p>If you're looking to test out the proof of concept yourself, you can visit the Vieira-Kurz website in the source link below. If you test it, you can see how simply pushing the demo button will load a new site but the address bar would have you believe it's still apple.com.</p>

<p>Until an update is pushed from Apple, ensure you do not go clicking on any random links you don't trust and also avoid offering up any personal details on sites you're not 100% sure about. When in doubt, type in the address yourself rather than clicking a link to better make sure you're going to the right place. These are common safety measures for the internet, but certainly worth repeating with this newfound exploit now known to the masses.</p>

<p>Source: <a href="http://thenextweb.com/apple/2012/03/22/apples-safari-browser-vulnerable-to-address-bar-spoofing-exploit-in-ios-5-1/">The Next Web</a>; Via - <a href="http://majorsecurity.net/html5/ios51-demo.html">Vieira-Kurz</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2012/03/23/address-bar-spoofing-exploit-apples-mobile-safari-ios-51/feed/</wfw:commentRss>
		<slash:comments>19</slash:comments>
		</item>
		<item>
		<title>Bug in iOS 5.0.1 allows unauthorized access to your contacts and call history</title>
		<link>http://www.imore.com/2012/02/21/ios-501-bug-making-phone-calls-access-contacts-passcodelocked-iphone/</link>
		<comments>http://www.imore.com/2012/02/21/ios-501-bug-making-phone-calls-access-contacts-passcodelocked-iphone/#comments</comments>
		<pubDate>Wed, 22 Feb 2012 01:18:02 +0000</pubDate>
		<dc:creator>Andrew Wray</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Bug]]></category>
		<category><![CDATA[contacts]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[favorites]]></category>
		<category><![CDATA[Flaw]]></category>
		<category><![CDATA[ios 5.0.1]]></category>
		<category><![CDATA[ios 5.1]]></category>
		<category><![CDATA[phone]]></category>
		<category><![CDATA[Recent Calls]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Security bug]]></category>
		<category><![CDATA[SIM]]></category>

		<guid isPermaLink="false">http://www.imore.com/?p=98526</guid>
		<description><![CDATA[A new bug found in <a href="http://www.imore.com/ios-5/">iOS 5.0.1</a> may allow an unauthorized user to access your contacts, make phone calls, or use FaceTime on your passcode-protected iPhone. But stop panicking, this bug isn't easily reproduced - it requires you to have either no service or the SIM card removed. Your average snoop won't find it worth their time. ]]></description>
			<content:encoded><![CDATA[<p><img src="http://cdn.imore.com/images/stories//2010/06/iPhone-4-06-620x465.jpg" alt="" title="iPhone-4-06" width="620" height="465" class="alignleft size-medium wp-image-32222" /></p>

<p>A bug found in <a href="http://www.imore.com/ios-5/">iOS 5.0.1</a> may allow an unauthorized user to access your contacts, make phone calls, or use FaceTime on your passcode-protected iPhone. But stop panicking, this bug isn't easily reproduced -- it requires someone else to have access to your phone, with either no service or the SIM card removed. Your average snoop won't find it worth their time. </p>

<p>To trigger the bug, someone must confuse the phone after receiving a missed call by one of two methods -- doing it while you have no network coverage or actively inserting and ejecting the SIM card. This will eventually lead to the iPhone unlocking to the phone app and allowing you to place phone calls. Once you hang up, you'll be locked out again. </p>

<p>It seems a bit silly as this process obviously needs to be performed numerous times, as shown in the demo video below, in order for it to confuse the phone. As long as you aren't leaving your iPhone unattended for long periods of time with shady people who actively carry around a SIM removal tool or paperclip, I don't see this becoming a popular way of hacking into someone's iPhone.</p>

<p>A <a href="http://www.imore.com/2010/10/25/ios-41-security-flaw-calls-passcode-locked-iphone/">similar bug</a> was discovered a while back under <a href="http://www.imore.com/ios-4/">iOS 4</a> which also allowed access to contacts, favorites, and voicemail on a locked device. Another recently discovered <a href="http://www.imore.com/2012/01/04/timestamp-security-bug-leaves-photos-vulnerable-ios-5/">timestamp bug</a> in iOS 5 allowed access to your camera roll. </p>

<p>No word yet on whether or not this specific issue is patched in <a href="http://www.imore.com/tag/ios-5.1">iOS 5.1</a>. If it isn't already, it probably will be before the <a href="http://www.imore.com/2012/02/17/ios-51-rumored-coming-march-9/">public release of iOS 5.1</a>.</p>

<iframe width="620" height="345" src="http://www.youtube.com/embed/Vhy9_bYVIwk" frameborder="0" allowfullscreen></iframe>

<p>Source: <a href="http://www.iphoneislam.com/2012/02/major-ios-5-security-flaw-bypass-the-passcode-and-gives-access-for-contacts-and-making-phone">iPhoneIslam</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2012/02/21/ios-501-bug-making-phone-calls-access-contacts-passcodelocked-iphone/feed/</wfw:commentRss>
		<slash:comments>13</slash:comments>
		</item>
		<item>
		<title>Congress asks Apple to clean up their address book privacy policy, Apple promises tighter control in future iOS update</title>
		<link>http://www.imore.com/2012/02/15/congress-asks-apple-clean-address-book-privacy-policy-apple-promises-tighter-control/</link>
		<comments>http://www.imore.com/2012/02/15/congress-asks-apple-clean-address-book-privacy-policy-apple-promises-tighter-control/#comments</comments>
		<pubDate>Wed, 15 Feb 2012 20:31:16 +0000</pubDate>
		<dc:creator>Simon Sage</dc:creator>
				<category><![CDATA[Development]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[congress]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.imore.com/?p=97610</guid>
		<description><![CDATA[After the whole mess with social networking app, Path, <a href="http://www.imore.com/2012/02/08/path-apologizes-address-book-wipes-data-servers/">uploading Contact data from iPhone users without asking</a>, the U.S. Congress has started to get involved. Energy and Commerce Committee member Henry Waxman and Commerce, Manufacturing, and Trade Subcommittee member G. K. Butterfield issued an open letter to Apple CEO Tim Cook asking some probing questions regarding the iOS developer agreement.]]></description>
			<content:encoded><![CDATA[<p><img src="http://cdn.imore.com/images/stories//2012/02/chuck_caught_apps_privacy-620x413.jpg" alt="Congress asks Apple to clean up their address book privacy policy, Apple promises tighter control" title="Congress asks Apple to clean up their address book privacy policy, Apple promises tighter control" width="620" height="413" class="alignleft size-medium wp-image-97463" /></p>

<p>After the whole mess with social networking app, Path, <a href="http://www.imore.com/2012/02/08/path-apologizes-address-book-wipes-data-servers/">uploading Contact data from iPhone users without asking</a>, the U.S. Congress has started to get involved. Energy and Commerce Committee member Henry Waxman and Commerce, Manufacturing, and Trade Subcommittee member G. K. Butterfield issued an open letter to Apple CEO Tim Cook asking some probing questions regarding the iOS developer agreement.  Most of them center around the agreement's reference to transmitting "data about a user". Some of the juicier questions include:
<ul>
    <li>"Do you consider the contents of the address book to be 'data about a user'?"</li>
    <li>"Do you consider the contents of the address book to be data of the contact?  If not, please explain why not.  Please explain how you protect the privacy and security interests of that contact in his or her information."</li>
    <li>"How many iOS apps in the U.S. iTunes Store transmit information from the address book?  How many of those ask for the user’s consent before transmitting their contacts’ information?"</li>
</ul></p>

<p>In response, Apple's Tom Neumayr said in a statement that they intend on requiring explicit permission to access address book data in a future release, much like how location data is handled now.</p>

<blockquote>"Apps that collect or transmit a user’s contact data without their prior permission are in violation of our guidelines. We’re working to make this even better for our customers, and as we have done with location services, any app wishing to access contact data will require explicit user approval in a future software release."</blockquote>

<p>There's no mention of whether or not that will be in <a href="http://www.imore.com/tag/ios-5.1">iOS 5.1</a>, which Apple has been testing for some time, and may release alongside the <a href="http://www.imore.com/ipad">iPad 3</a> in March.</p>

<p>The letter from Congress sought a formal reply by the end of the month, though I doubt we'll get to read that response. <a href="http://www.imore.com/2011/04/27/steve-jobs-comments-location-data/">Apple has had some hiccups with location privacy in the past</a>, but their corporate line has consistently been to treat private data with the utmost respect. While it's tricky holding Apple accountable for the snakey stuff that developers do in the App Store, it is their job to curate and approve submissions, and if a bad app slips through the cracks and reaches the public, it's the iPhone's reputation on the line.</p>

<p>At first glance, Android seems to have a better privacy system in place, as it ensures that you provide explicit permission for an app to access different types of data, but I definitely worry that the folks at Google don't look as closely at submissions as Apple does. </p>

<p>iMore put up a concept piece on <a href="http://www.imore.com/2012/02/12/path-apps-accessing-contacts-inspiration-android/">how we'd like to see contacts, and permissions in general, handled in iOS 6</a>. Would a popup make you feel more secure about your iPhone's personal data? Will it legitimately change a user's behaviour, or will they approve it as absent-mindedly as they do location permission now?</p>

<p>Source: <a href="http://butterfield.house.gov/press-releases/ranking-members-waxman-and-butterfield-want-answers-from-apple-on-iphone-address-book-privacy-concerns/">Congressional letter</a>, via <a href="http://thenextweb.com/apple/2012/02/15/congress-sends-letter-to-apple-questioning-the-path-debacle-developer-data-access/">The Next Web</a>, <a href="http://allthingsd.com/20120215/apple-app-access-to-contact-data-will-require-explicit-user-permission/">AllThingsD</a> </p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2012/02/15/congress-asks-apple-clean-address-book-privacy-policy-apple-promises-tighter-control/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>Apple approved apps leak more private data than their jailbroken counterparts</title>
		<link>http://www.imore.com/2012/02/15/apple-approved-apps-leak-private-data-jailbroken-counterparts/</link>
		<comments>http://www.imore.com/2012/02/15/apple-approved-apps-leak-private-data-jailbroken-counterparts/#comments</comments>
		<pubDate>Wed, 15 Feb 2012 19:25:28 +0000</pubDate>
		<dc:creator>Allyson Kazmucha</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[exploits]]></category>
		<category><![CDATA[jailbreak]]></category>
		<category><![CDATA[jay freeman]]></category>
		<category><![CDATA[leaks]]></category>
		<category><![CDATA[private data]]></category>
		<category><![CDATA[saurik]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.imore.com/?p=97587</guid>
		<description><![CDATA[Apple has always been known to <a href="http://www.imore.com/2009/06/12/apples-latest-app-store-rejection-policy/">heavily curate their App Store</a>, like Walmart, while the <a href="http://www.imore.com/jailbreak">jailbroken</a> alternative, Cydia, has always been looked at as more open, like a market. It turns out, however, official App Store apps may leak your data far more than their unapproved, jailbreak counterparts.]]></description>
			<content:encoded><![CDATA[<p><img src="http://cdn.imore.com/images/stories//2012/01/DSC_0052-620x414.jpg" alt="" title="iPhone 4, iPad 2 jailbreak by the numbers" width="620" height="414" class="aligncenter size-medium wp-image-93427" /></p>

<p>Apple has always been known to <a href="http://www.imore.com/2009/06/12/apples-latest-app-store-rejection-policy/">heavily curate their App Store</a>, like Walmart, while the <a href="http://www.imore.com/jailbreak">jailbroken</a> alternative, Cydia, has always been looked at as more open, like a market. It turns out, however, official App Store apps may leak your data far more than their unapproved, jailbreak counterparts.</p>

<p>An on-going study by the International Security Systems Lab and the University of California at Santa Barbara reveals some startling information about apps that leak your private data to their developers. The most surprising part of this survey for many may be the fact that jailbroken apps actually leak your personal data far less often than their Apple-approved counterparts.</p>

<p>Using a tool named PiOS, UCSB took a sample of 825 free apps from the official App Store and 526 free apps from the <a href="http://forums.imore.com/jailbreak-unlock-forum/228826-cydia-repositories-list.html">Cydia repository</a>, Big Boss, the largest and most popular of all the repositories available. What they discovered may make people rethink their <a href="http://www.imore.com/2011/07/14/misconception-jailbreaking-jailbreak-community/">bad connotation about jailbreaking</a>.</p>

<div id="attachment_97595" class="wp-caption aligncenter" style="width: 552px"><img src="http://cdn.imore.com/images/stories//2012/02/cydiavsappstore1.png" alt="Jailbreak apps leak data less than App Store apps" title="Jailbreak apps leak data less than App Store apps" width="542" height="211" class="size-full wp-image-97595" /><p class="wp-caption-text">Data from UCSB showing app data leaked from official and jailbreak apps</p></div>

<ul>
<li>21% of official App Store apps leaked some kind of personal data to their developers</li>
<li>Only 4% of jailbroken apps sent personal data to developers</li>
</ul>

<p>The most common form of data leaked was the user's <a href="http://www.imore.com/2011/08/15/daily-tip-find-udid-device-information/">device UDID</a>. This is not something I'd say users should be specifically concerned with. Your UDID number identifies your individual device. It's most likely what Apple uses to build user profiles and gauge your interests in order to offer you more relevant <a href="http://www.imore.com/tag/iad/">iAd</a> information or App Store recommendations.</p>

<p>Further, official apps leaked location and address book information more often. One official app also revealed your actual phone number to the developer. No jailbreak apps gave developers access to your phone number and only one gave access to your address book and location data. </p>

<p>In the past jailbreak developers have <a href="http://www.imore.com/2011/07/06/pdf-patcher-2-updated-close-pdf-vulnerability-jailbreakme-jailbreak-jailbreak/">developed patches for security exploits</a> before Apple addressed the issue. Cydia also plays host to several apps that actually provide jailbreakers <em>more</em> control and protection over their private data than what iOS offers stock. </p>

<p>Jailbreak apps such as <a href="http://planet-iphones.com/cydia/id/com.saurik.privacy">PrivaCY</a>, developed by Cydia creator Jay Freeman, actually give users a toggle that will block apps from uploading private data and usage statistics to remote servers. After it was discovered that <a href="http://www.imore.com/2012/02/07/path-uploads-iphones-entire-address-book-servers-plain-text/">Path was transmitting users' address books</a>, Ryan Petrich created a jailbreak app called <a href="http://planet-iphones.com/cydia/id/com.rpetrich.contactprivacy">ContactPrivacy</a> which warns users when an app is trying to access data. </p>

<p>Jay Freeman thinks jailbreakers are concerned with their data and privacy even more so than stock users (that's probably true) - </p>

<blockquote>
  <p>“If you care about this kind of thing, you should jailbreak your phone,"</p>
  
  <p>"Instead of Apple making decisions about what’s good and bad, you decide. People think jailbreaking is about deciding that things Apple doesn’t like are good. But it also allows you to decide that things Apple likes are bad. We provide you the tools to block the functionality you don’t believe apps should have on your phone.”</p>
</blockquote>

<p>The difference may simply lie in the user base. Anyone who decides to jailbreak is pretty much classifying themselves as a power user. These users don't want Apple to make decisions for them. Beyond that, they greatly care about their data and security.</p>

<p>Over 10 million users are currently running jailbroken iOS devices. They have more options when it comes to protecting their privacy and user data than the millions of devices that aren't jailbroken. Many users have a negative connotation when it comes to jailbreak. Yes, a jailbreak uses an exploit in the device to inject code that Apple doesn't let you run by default. But keep in mind these security holes are already present, stock or not. </p>

<p>What you decide to download from unofficial sources like Cydia after jailbreaking lies strictly with you. Could jailbreak leave your device open to malware attacks? Sure. But only if you're downloading packages that contain malware. Reading release notes and making sure you know what you're downloading eliminates 99% of these problems. </p>

<p>And again, most users that seek jailbreak are a bit more technologically inclined. They know what they're downloading and what they should stay away from.</p>

<p>Whether you are #TeamJailbreak or #TeamPure, does it surprise you that official apps leak more data than their unauthorized counterparts? Has any of it made you rethink any negative opinions you have about jailbreaking?</p>

<p>Source: <a href="http://www.forbes.com/sites/andygreenberg/2012/02/14/unauthorized-iphone-and-ipad-apps-leak-private-data-less-often-than-approved-ones/">Forbes</a> via <a href="http://seclab.cs.ucsb.edu/media/uploads/papers/egele-ndss11.pdf">UCSB</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2012/02/15/apple-approved-apps-leak-private-data-jailbroken-counterparts/feed/</wfw:commentRss>
		<slash:comments>9</slash:comments>
		</item>
		<item>
		<title>PSA: Popular iPhone and iPad apps and what they&#039;re doing with your Contacts</title>
		<link>http://www.imore.com/2012/02/14/psa-popular-iphone-ipad-apps-contacts/</link>
		<comments>http://www.imore.com/2012/02/14/psa-popular-iphone-ipad-apps-contacts/#comments</comments>
		<pubDate>Wed, 15 Feb 2012 03:46:46 +0000</pubDate>
		<dc:creator>Rene Ritchie</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[contact data]]></category>
		<category><![CDATA[contacts]]></category>
		<category><![CDATA[ios]]></category>
		<category><![CDATA[path]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.imore.com/?p=97462</guid>
		<description><![CDATA[What do some popular iOS apps do with your Contact data? Do they grab it without permission, transmit it without protection, and store it without regard to privacy? Or do they treat it right, with respect and responsibility?]]></description>
			<content:encoded><![CDATA[<p><img src="http://cdn.imore.com/images/stories//2012/02/chuck_caught_apps_privacy-620x413.jpg" alt="PSA: Popular iPhone and iPad apps and what they&#039;re doing with your Contacts" title="PSA: Popular iPhone and iPad apps and what they&#039;re doing with your Contacts" width="620" height="413" class="aligncenter size-medium wp-image-97463" /></p>

<p>What do some popular iOS apps do with your Contact data? Do they grab it without permission, transmit it without protection, and store it without regard to privacy? Or do they treat it right, with respect and responsibility? That's the question both Dieter Bohn of <em>The Verge</em> and Matthew Panzarino of <em>The Next Web</em> sought to answer today.</p>

<p>The reason for the sudden interest -- in a <a href="http://www.imore.com/2009/12/09/nuance-responds-dragon-dictation-iphone-privacy-concerns/">years-old problem</a> -- is that a popular app, Path, was <a href="http://www.imore.com/2012/02/08/path-apologizes-address-book-wipes-data-servers/">discovered taking users' Contact data without asking</a>, and uploading it in an insecure way to their servers. It wasn't nefarious; as with other apps that do likewise, they were trying to provide a service -- match users with friends who are also users. They just coded first, asked questions never.</p>

<p>For more background, and the solution iMore would like Apple to implement, see our recent editorial: <a href="http://www.imore.com/2012/02/12/path-apps-accessing-contacts-inspiration-android/">iOS 6 and privacy: How Apple should draw inspiration from Android for better app permissions</a></p>

<p><em>The Verge</em> spent the day packet sniffing popular apps, basically running their own man-in-the-middle attack, to see if any Contact data was being transmitted and if so, how it was being handled. <em>The Next Web</em> received an assist from <a href="http://www.imore.com/2012/02/08/tweetbot-ipad-review/">Tweetbot</a> developer Paul Haddad, who ran his own, similar tests.</p>

<p>Of the apps found to be on the naughty list, or in the gray-zone, it sounds like the publicity will be causing swift updates.</p>

<p>Hit the links below to see the results. </p>

<p>Source: <a href="http://www.theverge.com/2012/2/14/2798008/ios-apps-and-the-address-book-what-you-need-to-know">The Verge</a>, <a href="http://thenextweb.com/insider/2012/02/15/what-ios-apps-are-grabbing-your-data-why-they-do-it-and-what-should-be-done/">The Next Web</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2012/02/14/psa-popular-iphone-ipad-apps-contacts/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>iPhone and iPad manufacturer Foxconn hacked by Swagg Security, e-mail addresses and passwords leaked</title>
		<link>http://www.imore.com/2012/02/10/foxconn-hacked-by-swagg-security-e-mail-addresses-and-passwords-leaked/</link>
		<comments>http://www.imore.com/2012/02/10/foxconn-hacked-by-swagg-security-e-mail-addresses-and-passwords-leaked/#comments</comments>
		<pubDate>Fri, 10 Feb 2012 16:30:07 +0000</pubDate>
		<dc:creator>Simon Sage</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[foxconn]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[hacktivism]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[swagg security]]></category>

		<guid isPermaLink="false">http://www.imore.com/?p=96678</guid>
		<description><![CDATA[Foxconn, the Chinese company that manufactures iPhones, iPads, and Macs for Apple, and electronics for many others in the industry, has recently been hacked by a group called Swagg Security. They're currently sharing the fruits of their labour on The Pirate Bay. In a statement accompanying the leaked files, Swagg Security laid out their intentions (or lack thereof).]]></description>
			<content:encoded><![CDATA[<p><img src="http://cdn.imore.com/images/stories//2011/12/Foxconn-Production-Line.jpg" alt="Foxconn to double size of iPhone factory in China" title="Foxconn to double size of iPhone factory in China" width="620" height="500" class="alignleft size-full wp-image-88413" /></p>

<p>Foxconn, the Chinese company that manufactures iPhones, iPads, and Macs for Apple, and electronics for many others in the industry, has recently been hacked by a group called Swagg Security. They're currently sharing the fruits of their labour on The Pirate Bay. In a statement accompanying the leaked files, Swagg Security laid out their intentions (or lack thereof).</p>

<blockquote>"We switched on BBC Radio, the leading source of unbiased material. A short segment on the manufacturer giant Foxconn, came up reporting on the inhuman conditions the workers experience. A few days later an almost viral rumor about an Iphone 5 with a 4-inch screen being manufactured, as claimed by an employee from the infamous Foxconn. Now as a first impression Swagg Security would rather not deceive the public of our intentions. Although we are considerably disappointed of the conditions of Foxconn, we are not hacking a corporation for such a reason and although we are slightly interested in the existence of an Iphone 5, we are not hacking for this reason."</blockquote>

<p>So Swagg is doing it all "for the lulz", or just for the fun of it, in typical anonymous hacker fashion. According to their anarchist philosophy, screwing things up for big companies and corporations is a reward in and of itself. After flipping through the files, I didn't see anything much beyond a few hundred username/password combos which will likely be useless information once Foxconn resets everybody's credentials. CEO Terry Gou's e-mail address is in the files, which may have been used among other addresses to place fake orders through services.foxconn.com, but the site has for now been taken down. Beyond that, the only lasting effect I could imagine from the whole affair is improved attention to security on Foxconn's part.</p>

<p>Despite bruised pride, I see hacking that points out security holes without doing permanent damage to the company as fairly productive, once the victim patches up its system. If those behind the hacking get a good laugh out of it too, all the better. What do you think? Is anarchist hacking good to keep tech companies on their toes, or do these attacks need to be political in nature to be justified? Or is disrupting the operations of companies in any way ethically wrong, no matter how much of a philosophical spin you put on it?</p>

<p>Source: <a href="http://pastebin.com/DbHu7xCQ">Swagg Security statement</a> via <a href="http://www.electronista.com/articles/12/02/09/potential.remains.for.fraudulent.orders/">Electronista</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2012/02/10/foxconn-hacked-by-swagg-security-e-mail-addresses-and-passwords-leaked/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Path apologizes for taking your address book, wipes data from their servers</title>
		<link>http://www.imore.com/2012/02/08/path-apologizes-address-book-wipes-data-servers/</link>
		<comments>http://www.imore.com/2012/02/08/path-apologizes-address-book-wipes-data-servers/#comments</comments>
		<pubDate>Thu, 09 Feb 2012 03:35:42 +0000</pubDate>
		<dc:creator>Simon Sage</dc:creator>
				<category><![CDATA[Apps]]></category>
		<category><![CDATA[path]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[social networking]]></category>

		<guid isPermaLink="false">http://www.imore.com/?p=96316</guid>
		<description><![CDATA[Despite iPhone address books being transferred over SSL, and the data only being used to send notifications when friends signed up, Path has apologized profusely and wiped any personal information from their servers.]]></description>
			<content:encoded><![CDATA[<p><img class="aligncenter" src="http://cdn.imore.com/images/stories//2012/02/iPhone-pathrape-620x345.jpg" alt="Path apologizes for taking your address book, wipes data from their servers" width="620" height="345" /></p>

<p>There was a bit of noise yesterday about a popular mobile social networking app, Path, <a href="http://www.imore.com/2012/02/07/path-uploads-iphones-entire-address-book-servers-plain-text/">taking the address books of users wholesale, and storing them on their servers</a>. Despite being transferred over SSL, and the data only being used to send notifications when friends signed up, Path has apologized profusely and wiped any personal address book information from their servers. A patch to their iPhone app now provides a prompt if you're interested in receiving notifications when friends sign up.</p>

<p>It's good to see Path is being clear, prompt, proactive, and apologetic about the whole thing, but the whole situation still serves as a reminder that many of these mobile apps have access to a lot of personal information, and if you're uncomfortable with that situation, it's probably best not to go crazy signing up for every trendy new service to come along.</p>

<p>Personally, I've already surrendered to the fact that Google has an obscene amount of insight into my life, and if a few smaller software companies do too, fine. The worst they can do is deliver ads that are more relevant to my interests, and that doesn't sound like such a bad thing.</p>

<p>Source: <a href="http://blog.path.com/post/17274932484/we-are-sorry">Path</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2012/02/08/path-apologizes-address-book-wipes-data-servers/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>PSA: Popular social network app Path uploads your entire iPhone address book to their servers... in plain text</title>
		<link>http://www.imore.com/2012/02/07/path-uploads-iphones-entire-address-book-servers-plain-text/</link>
		<comments>http://www.imore.com/2012/02/07/path-uploads-iphones-entire-address-book-servers-plain-text/#comments</comments>
		<pubDate>Tue, 07 Feb 2012 23:59:38 +0000</pubDate>
		<dc:creator>Simon Sage</dc:creator>
				<category><![CDATA[App Store Apps]]></category>
		<category><![CDATA[Development]]></category>
		<category><![CDATA[path]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[psa]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.imore.com/?p=96101</guid>
		<description><![CDATA[Do you love <a href="https://path.com/">Path</a>, the slick, simple, moment-sharing social network app for iPhone? Well, get ready to dial it back a notch, because apparently they're storing your entire address book, e-mail addresses and all, on their servers, and in plain, unencrypted text. What kind of evil deeds does Path have planned for all that data?]]></description>
			<content:encoded><![CDATA[<p><img class="aligncenter size-medium wp-image-96102" title="iPhone-pathrape" src="http://cdn.imore.com/images/stories//2012/02/iPhone-pathrape-620x345.jpg" alt="" width="620" height="345" /></p>

<p>Do you love <a href="https://path.com/">Path</a>, the slick, simple, moment-sharing social network app for iPhone? Well, get ready to dial it back a notch, because apparently they're storing your entire address book, e-mail addresses and all, on their servers, and in plain text. What kind of evil deeds does Path have planned for all that data? Well, the CEO, Dave Morin, said that the data is used exclusively to notify you when your friends sign up for Path. He also claimed that it's the industry standard to transfer that personal information in plain text, even though, as one commenter points out, it could be done with representative hash codes instead. Morin also said that they intend to update the iOS version with an opt-in dialog for the feature, which is a tweak <a href="http://www.androidcentral.com/path-android-updated-proper-720p-displays-adds-tumblr-sharing">they've already rolled out on Android</a>.</p>

<p>If you're not cool with the data Path already has stored on their server, you can e-mail <a href="mailto:service@path.com">service@path.com</a> and they'll wipe everything out for you.</p>

<p>The whole mess was discovered by the developer of an iPad news app called Denso. He was toying around with a new tool from mitmproxy.org that monitors the API calls made by apps by setting up a man-in-the-middle HTTP proxy.</p>

<p>This isn't the first time we've seen this issue on iOS. <a href="http://www.imore.com/tag/nuance">Nuance</a>'s popular Dragon Dictation faced and addressed <a href="http://www.imore.com/2009/12/09/nuance-responds-dragon-dictation-iphone-privacy-concerns/">similar concerns</a> back in 2009. While we're prone to just hit the "allow" button on just about any app we download when prompted for access to personal data, you aren't currently getting that message when downloading Path on iOS. Even if you were, it's still pretty sketchy that this data is being transferred without being hashed, even if it's transferred over SSL. What if Path's servers got hacked? We wouldn't get much more than a "whoops" from Path. What worries me even more is that there are still a ton of other services out there just farming up personal data from not only you, but everyone you know, without your express or implicit permission.</p>

<p>It certainly makes me think twice when signing up for new services...</p>

<p>Source: <a href="http://www.readwriteweb.com/archives/path_is_a_free_app_and_it_will_spy_on_us.php">Read Write Web</a>, <a href="http://getdenso.com/">Denso</a>, <a href="http://mitmproxy.org/">mitmproxy.org</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2012/02/07/path-uploads-iphones-entire-address-book-servers-plain-text/feed/</wfw:commentRss>
		<slash:comments>13</slash:comments>
		</item>
		<item>
		<title>Forums: Positives and negatives about jailbreaking, Email security on WiFi</title>
		<link>http://www.imore.com/2012/01/02/forums-positives-negatives-jailbreaking-email-security-wifi/</link>
		<comments>http://www.imore.com/2012/01/02/forums-positives-negatives-jailbreaking-email-security-wifi/#comments</comments>
		<pubDate>Mon, 02 Jan 2012 23:28:22 +0000</pubDate>
		<dc:creator>Chris Parsons</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[From the Forums]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[icloud]]></category>
		<category><![CDATA[ipad 2]]></category>
		<category><![CDATA[iphone 4]]></category>
		<category><![CDATA[iphone 4s]]></category>
		<category><![CDATA[jailbreak]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[wifi]]></category>

		<guid isPermaLink="false">http://www.tipb.com/?p=89572</guid>
		<description><![CDATA[We're now fully into 2012 and already, we've been hearing about some great things to come from Apple. Of course, we'll have to wait and see what turns out to]]></description>
			<content:encoded><![CDATA[<p><img class="aligncenter size-full wp-image-83990" title="From the TiPb Forums" src="http://cdn.imore.com/images/stories//2011/11/tipb_from_the_forums.jpg" alt="From the TiPb Forums" width="560" height="257" /></p>

<p>We're now fully into 2012 and already, we've been hearing about some great things to come from Apple. Of course, we'll have to wait and see what turns out to be true and what turns out to just be rumors but that's part of the fun. Looking to discuss all things Apple? We've got a spot just for you in the TiPb forums, you can <a href="http://forums.imore.com/register.php">register now</a> to get started today:</p>

<ul>
<li><strong>iPhone 4S Forum:</strong> <a href="http://forums.imore.com/iphone-4s-forum/227703-so-i-did-hard-reset.html">So.. I did a hard reset and.....</a></li>
<li><strong>iPhone 4 Forum:</strong> <a href="http://forums.imore.com/iphone-4-forum/227708-getting-control-auto-sync-activity.html">Getting control of auto sync activity</a></li>
<li><strong>iCloud Forum:</strong> <a href="http://forums.imore.com/icloud-forum/227668-calendars-issue-iphone-4s-ipad2.html">Calendars issue With iPhone 4S and iPad2</a></li>
<li><strong>iPad 2 Forum:</strong> <a href="http://forums.imore.com/ipad-2-forum/227617-email-security-wifi-zones.html">Email security in WiFi zones</a></li>
<li><strong>Jailbreak and Unlock Forum:</strong> <a href="http://forums.imore.com/jailbreak-unlock-forum/227684-positives-negatives-about-jailbreaking-your-iphone.html">Positives and Negatives about JailBreaking your iPhone?</a></li>
</ul>

<p>If you're not already a member of the TiPb Forums, <a href="http://forums.imore.com/register.php">register now</a>!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2012/01/02/forums-positives-negatives-jailbreaking-email-security-wifi/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Siri security protocol cracked, now possible to run on any device</title>
		<link>http://www.imore.com/2011/11/15/siri-security-protocol-cracked-run-device/</link>
		<comments>http://www.imore.com/2011/11/15/siri-security-protocol-cracked-run-device/#comments</comments>
		<pubDate>Tue, 15 Nov 2011 11:11:18 +0000</pubDate>
		<dc:creator>Chris Oldroyd</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Apple]]></category>
		<category><![CDATA[cracked]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[ipad]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[ipod touch]]></category>
		<category><![CDATA[jailbreak]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[siri]]></category>
		<category><![CDATA[udid]]></category>

		<guid isPermaLink="false">http://www.tipb.com/?p=83595</guid>
		<description><![CDATA[<a href="http://cdn.imore.com/images/stories//2011/10/ios_5_iphone_siri_01.jpeg"></a>

The guys from <em>Applidium</em> claim to have cracked Siri’s security protocol and it could open the floodgates to third party developers and of course other hardware too. There is a]]></description>
			<content:encoded><![CDATA[<p><a href="http://cdn.imore.com/images/stories//2011/10/ios_5_iphone_siri_01.jpeg"><img class="aligncenter size-medium wp-image-79128" title="ios_5_iphone_siri_01" src="http://cdn.imore.com/images/stories//2011/10/ios_5_iphone_siri_01-560x315.jpg" alt="" width="560" height="315" /></a></p>

<p>The guys from <em>Applidium</em> claim to have cracked Siri’s security protocol and it could open the floodgates to third party developers and of course other hardware too. There is a downside: in order to use Siri on one of these other devices, you still need to have a UDID of an iPhone 4S device. A UDID is a Unique Device Identifier and is a 40 character unique number assigned to every iPhone.
<blockquote>The iPhone 4S sends identifiers everywhere. So if you want to use Siri on another device, you still need the identifier of at least one iPhone 4S. Of course we’re not publishing ours, but it’s very easy to retrieve one using the tools we’ve written. Of course Apple could blacklist an identifier, but as long as you’re keeping it for personal use, that should be all right!</blockquote>
We have already seen Siri running on an <a href="http://www.imore.com/2011/10/30/siri-hack-fully-working-iphone-4-ipod-touch-video/">iPhone 4 and an iPod touch</a>; so this looks like another step nearer to getting it out there. Of course there is still the question of legalities and Apple could block the security hole at any minute. If you are a developer and want to play around with Siri integration in an app, <em>Applidium</em> has released a set of tools to help with that too.</p>

<p>Source: <a href="http://applidium.com/en/news/cracking_siri/">Applidium</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2011/11/15/siri-security-protocol-cracked-run-device/feed/</wfw:commentRss>
		<slash:comments>40</slash:comments>
		</item>
		<item>
		<title>Smart Cover security flaw allows limited iPad 2 passcode bypass</title>
		<link>http://www.imore.com/2011/10/21/smart-cover-security-flaw-unauthorized-access-passcodelocked-ipad-2/</link>
		<comments>http://www.imore.com/2011/10/21/smart-cover-security-flaw-unauthorized-access-passcodelocked-ipad-2/#comments</comments>
		<pubDate>Fri, 21 Oct 2011 18:31:37 +0000</pubDate>
		<dc:creator>Andrew Wray</dc:creator>
				<category><![CDATA[Bugs]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[ipad 2]]></category>
		<category><![CDATA[Lock]]></category>
		<category><![CDATA[locked]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security flaw]]></category>
		<category><![CDATA[smart cover]]></category>

		<guid isPermaLink="false">http://www.tipb.com/?p=80545</guid>
		<description><![CDATA[<a href="http://www.imore.com/2011/10/21/smart-cover-security-flaw-unauthorized-access-passcodelocked-ipad-2/ipad-2-smart-cover-blue/" rel="attachment wp-att-80549"></a>

A potential security flaw involving the <a href="http://www.imore.com/ipad-2">iPad 2</a> on <a href="http://www.imore.com/ios-5">iOS 5</a> and Apple's Smart Cover's ability to bypass the Passcode Lock is making the rounds this week. 

<blockquote>
  a Smart Cover </blockquote>]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.imore.com/2011/10/21/smart-cover-security-flaw-unauthorized-access-passcodelocked-ipad-2/ipad-2-smart-cover-blue/" rel="attachment wp-att-80549"><img src="http://cdn.imore.com/images/stories//2011/10/iPad-2-Smart-Cover-Blue-560x353.jpg" alt="" title="iPad 2 Smart Cover Blue" width="560" height="353" class="aligncenter size-medium wp-image-80549" /></a></p>

<p>A potential security flaw involving the <a href="http://www.imore.com/ipad-2">iPad 2</a> on <a href="http://www.imore.com/ios-5">iOS 5</a> and Apple's Smart Cover's ability to bypass the Passcode Lock is making the rounds this week. </p>

<blockquote>
  <p>a Smart Cover can essentially unlock an iPad 2. The person who unlocks your iPad 2 will not have complete access to your iPad, but will be able to gain entrance to whatever you locked your iPad 2 on. If your iPad 2 went to sleep in Mail, Safari, Messages, Contacts, or Maps, you can imagine the sorts of personal information that can be viewed on your iPad. </p>
</blockquote>

<p>A temporary solution here would be to simply disable Smart Cover unlocking from within the Settings app on your iPad 2. This is the latest in a <a href="http://www.imore.com/2011/10/20/warning-leave-iphone-unattended-risk-pranks-data-theft/">series of Siri, Camera and Photo Stream related security issues with iOS 5</a>. Here's hoping Apple directly addresses them with an update soon.  </p>

<p>Source: <a href="http://www.apfeltalk.de/forum/content/2677-ipad-passwort-umgangen.html">apfeltalk.de</a> via <a href="http://9to5mac.com/2011/10/20/anyone-with-a-smart-cover-can-break-into-your-ipad-2/">9to5Mac</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2011/10/21/smart-cover-security-flaw-unauthorized-access-passcodelocked-ipad-2/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Warning: Don&#039;t leave your iPhone unattended or risk pranks, data theft</title>
		<link>http://www.imore.com/2011/10/20/warning-leave-iphone-unattended-risk-pranks-data-theft/</link>
		<comments>http://www.imore.com/2011/10/20/warning-leave-iphone-unattended-risk-pranks-data-theft/#comments</comments>
		<pubDate>Thu, 20 Oct 2011 14:52:38 +0000</pubDate>
		<dc:creator>Rene Ritchie</dc:creator>
				<category><![CDATA[Editorial]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[Tips and How-To]]></category>
		<category><![CDATA[camera]]></category>
		<category><![CDATA[camera tips]]></category>
		<category><![CDATA[data theft]]></category>
		<category><![CDATA[ios 5]]></category>
		<category><![CDATA[iOS 5 tips]]></category>
		<category><![CDATA[iphone 4s]]></category>
		<category><![CDATA[photo stream]]></category>
		<category><![CDATA[pranks]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[siri]]></category>
		<category><![CDATA[siri tips]]></category>

		<guid isPermaLink="false">http://www.tipb.com/?p=80383</guid>
		<description><![CDATA[Thanks to the quick Camera access and power of <a href="http://www.imore.com/siri">Siri</a> as a virtual assistant, <a href="http://www.imore.com/ios">iOS 5</a> and <a href="http://www.imore.com/iphone-4s">iPhone 4S</a> are more convenient than ever -- but they also leave you]]></description>
			<content:encoded><![CDATA[<p><img src="http://cdn.imore.com/images/stories//2011/10/IMG_01331-373x560.png" alt="Warning: Don&#039;t leave your iPhone unattended or risk pranks, data theft" title="Warning: Don&#039;t leave your iPhone unattended or risk pranks, data theft" width="373" height="560" class="aligncenter size-medium wp-image-80384" /></p>

<p>Thanks to the quick Camera access and power of <a href="http://www.imore.com/siri">Siri</a> as a virtual assistant, <a href="http://www.imore.com/ios">iOS 5</a> and <a href="http://www.imore.com/iphone-4s">iPhone 4S</a> are more convenient than ever -- but they also leave you open to everything from pranks to data theft. We've talked about this extensively on the <a href="http://www.imore.com/podcasts">iPhone Live podcast</a> but it's worth repeating here.</p>

<p><span id="more-80383"></span></p>

<p>Double clicking the Home button and tapping the Camera icon bypasses a Passcode Lock and instantly lets you take pictures. You can't access anything else, but if you leave your iPhone unattended, a friend or passerby can easily prank you by taking an inappropriate picture (from innocuous "funny faces" to full on "junk attacks" -- don't ask.) If you have Photo Stream enabled, that prank picture can <a href="http://www.imore.com/2011/10/12/psa-risqu-photos-turning-photo-stream/">quickly propagate</a> to all your other iOS devices, your PC, and your Apple TV, and the only way to remove it is to <a href="http://www.imore.com/2011/10/14/daily-tip-reset-photo-stream-icloud/">delete the entire stream</a>.</p>

<p>You can't currently disable the fast Camera access. You can disable Photo Stream by going to Settings, iCloud, and toggling Photo Stream to Off.</p>

<p>Holding down the Home button to activate Siri also bypasses the Passcode Lock, and while Siri is prohibited from doing things like deleting contacts or performing web searches without the lock code being entered, Siri can still call numbers, delete alarms, and perform other tasks unencumbered. If someone knows a contact's name, they can get access to their email address(es), phone number(s), etc. Even if they don't know a contact's name, because <a href="http://www.imore.com/2011/10/18/daily-tip-create-relationship-contact-siri/">relationships can be set</a>, they can simply ask for "mom" or "boss" and get the data that way.</p>

<p>Friends and strangers alike can also prank you by telling Siri to address you by some <a href="https://twitter.com/georgiatipb/status/126117954080358400">funny or rude name</a>. </p>

<p>You can disable Siri's Passcode bypass. Go to Settings, General, Passcode Lock and flip the Siri toggle to Off.</p>

<p>Convenience and security are always at opposite ends of any feature list. Each individual has to decide for themselves how much convenience they want and how much security they're willing to give up for it. (Some people choose to not even use a Passcode Lock, after all.)</p>

<p>Disabling Siri's Passcode bypass reduces its speed and ease of use but increases its security. You can't just hold a button and start talking to have Siri take an email, for example, while you're driving. You have to enter the unlock code first, and perhaps each time depending on your settings.</p>

<p>Unfortunately, Camera access and Photo Stream need to wait for Apple to provide an easy off-toggle, and a way to delete individual pictures from the stream. Disabling Photo Stream contains any pranks, but means you lose the backup and multi-device replication of the feature.</p>

<p>In the meantime, the best practice is, of course, to never leave your iPhone unattended, especially around people you don't know -- or people you can't trust not to prank you.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2011/10/20/warning-leave-iphone-unattended-risk-pranks-data-theft/feed/</wfw:commentRss>
		<slash:comments>60</slash:comments>
		</item>
		<item>
		<title>Smashed and grabbed</title>
		<link>http://www.imore.com/2011/09/22/smashed-grabbed/</link>
		<comments>http://www.imore.com/2011/09/22/smashed-grabbed/#comments</comments>
		<pubDate>Fri, 23 Sep 2011 03:01:37 +0000</pubDate>
		<dc:creator>Rene Ritchie</dc:creator>
				<category><![CDATA[Editorial]]></category>
		<category><![CDATA[backup]]></category>
		<category><![CDATA[ipad]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[ipod touch]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Theft]]></category>

		<guid isPermaLink="false">http://www.tipb.com/?p=75895</guid>
		<description><![CDATA[Yesterday I drove to my local Apple Store to pick up my Mac Pro, which had had its processor board repaired. I got there about 6:20pm, picked it up, and]]></description>
			<content:encoded><![CDATA[<p><img src="http://cdn.imore.com/images/stories//2011/09/car_smashed-560x373.png" alt="Smashed and grabbed" title="Smashed and grabbed" width="560" height="373" class="aligncenter size-medium wp-image-75896" /></p>

<p>Yesterday I drove to my local Apple Store to pick up my Mac Pro, which had had its processor board repaired. I got there about 6:20pm, picked it up, and returned to the parking lot at 6:40. I opened the rear driver's side door, eased my Mac Pro onto the floor, and then wondered why there was broken glass on the seat. It took a moment to realize the answer -- the rear passenger side window had been smashed open. It took only a moment longer to realize the worse news -- my laptop bag, containing my MacBook Pro and iPad 2, and my camera bag containing my Canon T2i, fast 50mm lens, and 35mm lens had been stolen. Looking around I saw several other adjacent cars had been similarly broken into, and a few minutes later the owners returned and discovered similar theft of their laptops and other valuables.</p>

<p>I called the police. They took a report. They marked it as "will not investigate" due to the lack of cameras in the parking lot. I called my insurance company. Twice. They took a report. Twice. I called all the IT people I work with and had my passwords reset and my keys revoked and replaced.</p>

<p>Because I use Find my iPhone, I could try to track my iPad. (Unsuccessfully; it had been powered down.) I could also issue a remote wipe (though it would be helpful if Apple recorded the location just before it wiped). Because I keep most of my home directory in Dropbox, I didn't lose any data. (Though I dearly wish Dropbox could remote wipe the files of a lost or stolen computer -- or can it and I'm just unaware?) Because I use 1Password I can quickly replace any logins with new ones that are just as gnarly, just in case.</p>

<p>I wish I could just watch GDGT to see who adds my gear, then use Gowalla to track them down, but the truth is most stolen property is never recovered.</p>

<p>My car window will be replaced, good as new. Some portion of my gear will be covered by insurance, though probably not enough to replace it all. The loss of time and the feeling of violation will frustrate for a long time to come.</p>

<p>It did serve to remind me that, despite the inconvenience, security and redundancy are urgently important.</p>

<p>If you haven't installed Apple's free Find my iPhone service, do it now. If you don't have a local backup (iTunes is fine), make one now. If you don't have a remote backup (iCloud might be fine come iOS 5), make one now. And make it a habit to run it every day or couple of days so you never lose too much data. Unlike gadgets, that's irreplaceable. (I'd also suggest a good password manager.)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2011/09/22/smashed-grabbed/feed/</wfw:commentRss>
		<slash:comments>115</slash:comments>
		</item>
		<item>
		<title>Skype admits to iPhone app security problem, releasing a fix &quot;soon&quot;</title>
		<link>http://www.imore.com/2011/09/21/skype-admits-iphone-app-security-problem-releasing-fix/</link>
		<comments>http://www.imore.com/2011/09/21/skype-admits-iphone-app-security-problem-releasing-fix/#comments</comments>
		<pubDate>Wed, 21 Sep 2011 20:42:37 +0000</pubDate>
		<dc:creator>Andrew Wray</dc:creator>
				<category><![CDATA[App Store Apps]]></category>
		<category><![CDATA[ios]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[javascript]]></category>
		<category><![CDATA[malicious]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[skype]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[XSS]]></category>

		<guid isPermaLink="false">http://www.tipb.com/?p=75681</guid>
		<description><![CDATA[<a href="http://www.imore.com/2010/12/30/skype-iphone-hits-30-adds-video-calling/photo-207/" rel="attachment wp-att-51211"></a>

Skype has stated they are aware of a serious cross-site scripting vulnerability within the chat feature for Skype on the iPhone.  The security hole could allow for malicious JavaScript code]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.imore.com/2010/12/30/skype-iphone-hits-30-adds-video-calling/photo-207/" rel="attachment wp-att-51211"><img src="http://cdn.imore.com/images/stories//2010/12/photo8-266x400.png" alt="Skype for iPhone hits 3.0, adds video calling" title="Skype for iPhone hits 3.0, adds video calling" width="266" height="400" class="aligncenter size-medium wp-image-51211" /></a></p>

<p>Skype has stated they are aware of a serious cross-site scripting vulnerability within the chat feature for Skype on the iPhone.  The security hole could allow for malicious JavaScript code to access your address book and is known to affect versions 3.0.1 and below.  </p>

<p>Skype reached out to TechCrunch to say they're hard at work on getting an update pushed to the App Store.</p>

<blockquote>
  <p>We are working hard to fix this reported issue in our next planned release which we hope to roll out imminently. In the meantime we always recommend people exercise caution in only accepting friend requests from people they know and practice common sense internet security as always.</p>
</blockquote>

<p>The funny thing is, Skype has known about the issue for a while now.  AppSec Consulting security researcher Phil Purviance helped discover the problem and let Skype know about it almost a month ago.  Skype responded saying they would release an update earlier this month, but we're nearing the end of September and there's no update to be found. </p>

<p>Here's hoping Skype gets on this quick and pushes out an update soon, but in the meantime check out the video below detailing how the vulnerability works.</p>

<p>[<a href="https://superevr.com/blog/2011/xss-in-skype-for-ios/">superevr</a>, <a href="http://techcrunch.com/2011/09/20/skype-aware-of-xss-vulnerability-in-ios-apps-working-hard-to-fix-it/">TechCrunch</a>]</p>

<p><span id="more-75681"></span></p>

<p><object width="560" height="315"><param name="movie" value="http://www.youtube.com/v/Ou_Iir2SklI?version=3&amp;hl=en_US"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/Ou_Iir2SklI?version=3&amp;hl=en_US" type="application/x-shockwave-flash" width="560" height="315" allowscriptaccess="always" allowfullscreen="true"></embed></object></p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2011/09/21/skype-admits-iphone-app-security-problem-releasing-fix/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Developer reveals steps Apple took to keep original iPad from leaking</title>
		<link>http://www.imore.com/2011/09/11/apple-extreme-lengths-avoid-product-leaks/</link>
		<comments>http://www.imore.com/2011/09/11/apple-extreme-lengths-avoid-product-leaks/#comments</comments>
		<pubDate>Sun, 11 Sep 2011 08:21:40 +0000</pubDate>
		<dc:creator>Chris Oldroyd</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[app store]]></category>
		<category><![CDATA[Apple]]></category>
		<category><![CDATA[apps]]></category>
		<category><![CDATA[developer]]></category>
		<category><![CDATA[ipad]]></category>
		<category><![CDATA[leak]]></category>
		<category><![CDATA[prototype]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.tipb.com/?p=74747</guid>
		<description><![CDATA[<em><a href="http://cdn.imore.com/images/stories//2011/09/iPad-security.png"></a></em>

<em>Business Insider</em> talked with a developer who had early access to an iPad, before it was even announced, and he revealed an intriguing tale of physically chained down devices, hidden]]></description>
			<content:encoded><![CDATA[<p><em><a href="http://cdn.imore.com/images/stories//2011/09/iPad-security.png"><img class="aligncenter size-full wp-image-74748" title="iPad security" src="http://cdn.imore.com/images/stories//2011/09/iPad-security.png" alt="" width="477" height="309" /></a></em></p>

<p><em>Business Insider</em> talked with a developer who had early access to an iPad, before it was even announced, and he revealed an intriguing tale of physically chained down devices, hidden behind frames, subject to spot checks. </p>

<p>Apple flew the iPads to the developer's destination, accompanied by at least one engineer. They had to be kept in a room with no windows. Apple changed the locks on the doors and took the names and social security numbers of the four people who were allowed access to it. The iPads were fixed to the desk with high-strength security cabling, similar to the material used for cycle locks.
<blockquote>They had these custom frames built around them so we couldn't even tell what the iPads looked like. We could plug into them so we could code to them and we could touch the screen and play with that, but we couldn't see the form factor. Then they took pictures of the wood grain. If any pictures leaked out, they could trace it back to which desk they came from.</blockquote></p>

<p>Not really all that surprising to me; you don’t keep a product like an <a href="http://www.imore.com/ipad/">iPad</a> under wraps, with very little leaked information, without taking some major precautions. Apple is extremely successful at minimizing product information leaks. We still have no idea what the iPhone 5 will feature, so the system certainly seems to work.</p>

<p>(Now all it needs is a way to lock down all the <a href="http://www.imore.com/2011/09/03/san-francisco-police-assist-apple-search-missing-iphone-prototype/">bars in San Francisco</a>...)</p>

<p>[<a href="http://www.businessinsider.com/heres-a-great-story-about-the-astonishing-lengths-apple-went-through-to-keep-the-ipad-secret-2011-9">Business Insider</a>, Image via <a href="http://creationsecurity.com/products/ipad/securedock.shtml">Creation Security</a>]</p>

]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2011/09/11/apple-extreme-lengths-avoid-product-leaks/feed/</wfw:commentRss>
		<slash:comments>21</slash:comments>
		</item>
		<item>
		<title>iPhone, iPad untouched by mobile malware attacks</title>
		<link>http://www.imore.com/2011/08/24/iphone-ipad-untouched-mobile-malware-attacks/</link>
		<comments>http://www.imore.com/2011/08/24/iphone-ipad-untouched-mobile-malware-attacks/#comments</comments>
		<pubDate>Wed, 24 Aug 2011 14:04:23 +0000</pubDate>
		<dc:creator>Rene Ritchie</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[ipad]]></category>
		<category><![CDATA[ipad vs android]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[iphone vs android]]></category>
		<category><![CDATA[ipod touch]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.tipb.com/?p=73119</guid>
		<description><![CDATA[Anti-virus maker McAfee has released a report saying that iOS devices, including iPhone, iPad, and iPod touch, were pretty much unaffected by the growing <a href="http://www.androidcentral.com/tags/malware">mobile malware attacks facing platforms like </a>]]></description>
			<content:encoded><![CDATA[<p><img src="http://cdn.imore.com/images/stories//2011/08/mcafee-androidmalwarelg1.jpg" alt="iPhone, iPad untouched by mobile malware attacks" title="iPhone, iPad untouched by mobile malware attacks" width="560" height="492" class="aligncenter size-full wp-image-73120" /></p>

<p>Anti-virus maker McAfee has released a report saying that iOS devices, including iPhone, iPad, and iPod touch, were pretty much unaffected by the growing <a href="http://www.androidcentral.com/tags/malware">mobile malware attacks facing platforms like Google's Android</a>. <a href="http://www.imore.com/jailbreak">Jailbroken iOS devices</a> were slightly more vulnerable, having had to deal with 4 variants of the same attack, but that is still far fewer than the 44 affecting Android (a 76% increase).</p>

<p><span id="more-73119"></span></p>

<p>The difference seems largely explained by how Apple runs their platform -- as a closed, closely inspected garden that makes it far more difficult for malicious apps to make it into the App Store and through to consumers. Google, meanwhile, has a far more open ecosystem that allows far more types of apps in the Market, including some that ought not be allowed.</p>

<p>In other words, if you live in the Apple bubble, it might be a bit stuffy but you won't get rained on. Depending on how much you value mobile security, that might be a tradeoff you're willing to make.</p>

<p>Note: Anti-virus companies no doubt would love to get more heavily into the mobile market, so read any reports they put out in that context.</p>

<p>[<a href="http://www.electronista.com/articles/11/08/23/mcafee.shows.android.facing.huge.spike.in.malware/">Electronista</a>]</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2011/08/24/iphone-ipad-untouched-mobile-malware-attacks/feed/</wfw:commentRss>
		<slash:comments>11</slash:comments>
		</item>
		<item>
		<title>iPad at risk from over the shoulder password spies, new software can reveal all [video]</title>
		<link>http://www.imore.com/2011/07/15/ipad-risk-shoulder-password-spies-software-reveal-video/</link>
		<comments>http://www.imore.com/2011/07/15/ipad-risk-shoulder-password-spies-software-reveal-video/#comments</comments>
		<pubDate>Fri, 15 Jul 2011 17:20:49 +0000</pubDate>
		<dc:creator>Chris Oldroyd</dc:creator>
				<category><![CDATA[Apps]]></category>
		<category><![CDATA[Jailbreak Apps]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Apple]]></category>
		<category><![CDATA[ipad]]></category>
		<category><![CDATA[jailbreak]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.tipb.com/?p=69636</guid>
		<description><![CDATA[Your iPad’s secure passwords could be at risk from a new breed of thieves that peer over your shoulder as you enter passwords into your device. They could then steal]]></description>
			<content:encoded><![CDATA[<p><a href="http://cdn.imore.com/images/stories//2011/07/ShoulderPad.jpg"><img class="aligncenter size-full wp-image-69638" title="ShoulderPad" src="http://cdn.imore.com/images/stories//2011/07/ShoulderPad.jpg" alt="" width="474" height="393" /></a></p>

<p>Your iPad’s secure passwords could be at risk from a new breed of thieves that peer over your shoulder as you enter passwords into your device. They could then steal your bank login details, PayPal password or anything else that you have secured by a password.</p>

<p>The technique, known as “shoulder surfing”, could become a whole lot easier to carry out, as demonstrated by a South African security research company. It has built an app that can decipher the key presses you make on your iPad. It works on a jailbroken iPhone, iPad or even on Mac OS. All that is needed is a stealthily captured video of a user's key presses, taken with the chosen device. The software can then get to work and reveal the password. It gets even worse than that: the software can also be used with surveillance cameras or long-distance lenses, making it even easier to capture the information without being spotted!
<blockquote>When a user types on an iPad’s touchscreen, each key glows blue for a fraction of a second after it’s struck, a helpful bit of feedback for any virtual keyboard. ShoulderPad’s image recognition algorithms, based on Open CV’s open source image recognition software, look for that flash of blue. “At any distance, if the blue is distinguishable, shoulderPad can detect that keystroke.</blockquote>
Of course, software providers always protect a user's password entry by showing asterisks on screen rather than the actual letters. If this sort of software gets into the wrong hands, that measure would not stop your passwords from being stolen, and the software could open up a whole new phase of online crime! There is a short video demo after the break!</p>

<p>[<a href="http://blog.thinkst.com/2011/07/on-screen-keyboards-considered-harmful.html">thinkst</a> via <a href="http://blogs.forbes.com/andygreenberg/2011/07/13/hackers-app-automates-over-the-shoulder-ipad-spying/">Forbes</a>]</p>

<p><span id="more-69636"></span></p>

<p><object width="560" height="450"><param name="movie" value="http://www.youtube.com/v/2VXx1nycawQ?version=3&amp;hl=en_US" /><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><embed type="application/x-shockwave-flash" width="560" height="450" src="http://www.youtube.com/v/2VXx1nycawQ?version=3&amp;hl=en_US" allowscriptaccess="always" allowfullscreen="true"></embed></object></p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2011/07/15/ipad-risk-shoulder-password-spies-software-reveal-video/feed/</wfw:commentRss>
		<slash:comments>12</slash:comments>
		</item>
		<item>
		<title>Apple preparing patch for JailbreakMe.com PDF exploit</title>
		<link>http://www.imore.com/2011/07/07/apple-preparing-patch-jailbreakmecom-pdf-exploit/</link>
		<comments>http://www.imore.com/2011/07/07/apple-preparing-patch-jailbreakmecom-pdf-exploit/#comments</comments>
		<pubDate>Thu, 07 Jul 2011 13:54:20 +0000</pubDate>
		<dc:creator>Rene Ritchie</dc:creator>
				<category><![CDATA[Jailbreak Apps]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[iOS 4.2.9]]></category>
		<category><![CDATA[iOS 4.3.4]]></category>
		<category><![CDATA[ipad]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[ipod touch]]></category>
		<category><![CDATA[jailbreakme]]></category>
		<category><![CDATA[jailbreakme.com]]></category>
		<category><![CDATA[pdf exploit]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.tipb.com/?p=68809</guid>
		<description><![CDATA[As expected, Apple is preparing a software update -- likely iOS 4.3.4 for most devices, iOS 4.2.9 for the Verizon iPhone -- to close the PDF exploit behind JailbreakMe.com. While]]></description>
			<content:encoded><![CDATA[<p><a href="http://cdn.imore.com/images/stories//2009/06/macbook_stop_jailbreak.jpg"><img src="http://cdn.imore.com/images/stories//2009/06/macbook_stop_jailbreak-400x240.jpg" alt="Apple to patch JailbreakMe.com PDF exploit" title="Apple to patch JailbreakMe.com PDF exploit" width="400" height="240" class="aligncenter size-medium wp-image-8856" /></a></p>

<p>As expected, Apple is preparing a software update -- likely iOS 4.3.4 for most devices, iOS 4.2.9 for the Verizon iPhone -- to close the PDF exploit behind JailbreakMe.com. While <a href="http://www.imore.com/2011/07/06/jailbreak-ios-433-jailbreakme-jailbreak/">JailbreakMe.com</a> uses the exploit to Jailbreak current iOS firmware and install the Cydia app store, the same exploit could be used by a hacker to easily gain access to a user's device for malicious purposes.</p>

<blockquote>
  <p>Apple spokeswoman Trudy Muller said Thursday, “Apple takes security very seriously. We’re aware of this reported issue and developing a fix that will be available to customers in an upcoming software update.”</p>
</blockquote>

<p>Currently, the only way to fix the vulnerability is to Jailbreak and install <a href="http://www.imore.com/2011/07/06/pdf-patcher-2-updated-close-pdf-vulnerability-jailbreakme-jailbreak-jailbreak/">PDF Patcher 2</a>.</p>

<p>[<a href="http://www.washingtonpost.com/blogs/faster-forward/post/apple-working-to-fix-iphone-security-flaw/2011/07/07/gIQA5zEx1H_blog.html">Washington Post</a>]</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2011/07/07/apple-preparing-patch-jailbreakmecom-pdf-exploit/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>iPhone patent applications reveal better Find My iPhone, social matching, and a way to stop users from recording concerts(?!) [Patent Roundup]</title>
		<link>http://www.imore.com/2011/06/16/iphone-patent-applications-reveal-find-iphone-social-matching-patent-roundup/</link>
		<comments>http://www.imore.com/2011/06/16/iphone-patent-applications-reveal-find-iphone-social-matching-patent-roundup/#comments</comments>
		<pubDate>Thu, 16 Jun 2011 20:21:20 +0000</pubDate>
		<dc:creator>Andrew Wray</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[find my iphone]]></category>
		<category><![CDATA[ios]]></category>
		<category><![CDATA[ipad]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[ipod touch]]></category>
		<category><![CDATA[patent]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[social]]></category>
		<category><![CDATA[social matching]]></category>

		<guid isPermaLink="false">http://www.tipb.com/?p=66367</guid>
		<description><![CDATA[A few interesting patent applications from Apple have recently surfaced, showing they have some bold ideas surrounding <a href="http://www.imore.com/tag/find-my-iphone">Find My iPhone</a>, social-matching, and a way to lock the camera so]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.imore.com/2011/06/16/iphone-patent-applications-reveal-find-iphone-social-matching-patent-roundup/iphone_security_patent_application/" rel="attachment wp-att-66368"><img src="http://cdn.imore.com/images/stories/2011/06/iPhone_Security_Patent_Application-400x273.png" alt="" title="iPhone_Security_Patent_Application" width="400" height="273" class="aligncenter size-medium wp-image-66368" /></a></p>

<p>A few interesting patent applications from Apple have recently surfaced, showing they have some bold ideas surrounding <a href="http://www.imore.com/tag/find-my-iphone">Find My iPhone</a>, social-matching, and a way to lock the camera so we can't make bootleg concert recordings and plaster them on YouTube (?!).</p>

<p>Reminder: Apple, like any big company, routinely patents just about anything and everything they dream up, and there's no way to know when, or if, they'll use any of them in actual, shipping products. Still, it's interesting to see what they're working on deep inside the secret Cupertino labs...</p>

<p>Follow on after the break for the roundup!</p>

<p><span id="more-66367"></span></p>

<h3>Find My iPhone</h3>

<p>First off, Apple has applied for a patent describing a much more control-oriented Find My iPhone feature with additional security and deeper system integration.  Find My iPhone currently lets users remotely lock their iPhone, wipe their data, locate the iPhone on a map or send a personalized message to the device.  </p>

<p>This is all nice, but Apple may decide to up the ante and provide much deeper control for the corporate and enterprise environment and better assistance for recovering a lost iPhone. </p>

<ul>
<li><strong>Selective data scrambling and wiping</strong> lets users define whether to scramble certain data or to wipe specific data instead of clearing the entire device. Users can avoid wiping all data by scrambling emails, contacts, etc., making the data unusable, or by selectively wiping only sensitive data while keeping other data intact.</li>
<li><strong>Unauthorized user detection</strong> is a method of detecting when someone other than yourself has tried to access your iPhone after a certain number of incorrect passcodes have been entered.  Once the threshold has been met, the iPhone puts itself into a higher security mode with surveillance options for transmitting audio and video from the front-facing camera, thus giving the owner a higher probability of recovering the lost iPhone.</li>
<li><strong>Limited functionality</strong> allows for locking down an iPhone by turning off certain features, letting an unauthorized user perform tasks with limited capability and functions. The owner can set the device to disable cellular data, phone, SMS and other capabilities so as not to incur charges on their monthly phone bill. It also offers a function to disable VPN capabilities for better protection of corporate data if the device is lost or stolen.</li>
</ul>

<h3>Making friends just got easier</h3>

<p><a href="http://www.imore.com/2011/06/16/iphone-patent-applications-reveal-find-iphone-social-matching-patent-roundup/social_matching_iphone/" rel="attachment wp-att-66380"><img src="http://cdn.imore.com/images/stories/2011/06/Social_Matching_iPhone-400x358.png" alt="" title="Social_Matching_iPhone" width="400" height="358" class="aligncenter size-medium wp-image-66380" /></a></p>

<p>A second new patent application reveals that Apple has some ambitious ideas to make the process of finding friends with similar interests a lot easier.  Tapping into location data, interests, books and other data stored on the iPhone will help match you up with other iPhone users with similar interests.  </p>

<blockquote>
  <p>Social networks are a well known phenomenon, and various electronic systems to support social networking are known. Growing a social network can mean that a person needs to discover like-minded or compatible people who have similar interests or experiences to him or her. Identifying like-minded people, however, often requires a substantial amount of time and effort because identifying new persons with common interests for friendships is difficult. For example, when two strangers meet, it may take a long and awkward conversation to discover their common interests or experiences.</p>
  
  <p>Common interests and experiences of two or more users located close to each other can be identified from content, including automatically created usage data of the mobile devices. Usage data of a mobile device can be created based on activities performed on the mobile device (e.g., songs downloaded), a trajectory of the mobile device (e.g., places traveled), or other public data available from the mobile device (e.g., pictures shared).</p>
</blockquote>

<p>All of this would be opt-in to help avoid privacy concerns, but the location-based services are quite interesting to say the least.  As an example, if you tend to visit a specific coffee shop in your town, your iPhone could match you up with another iPhone user who also frequents that location.  The idea is to make it easier to discover like-minded people and help spark up friendships that wouldn't otherwise be as easy to start.</p>

<h3>Recording at concerts is a no-no</h3>

<p>Lastly, Apple plans to build a system that will determine when users are trying to record or stream live video at concerts and events, and subsequently turn off camera functionality on the device.  It works by using infrared sensors that can tell when people in the crowd are recording and sends a signal to the device to disable the camera.  Users would still be able to send and receive text messages, calls, data etc. </p>

<p>That... seem a little "Big Brother" to anyone else?</p>

<p>[<a href="http://www.patentlyapple.com/patently-apple/2011/06/apple-reveals-new-security-features-for-find-my-iphone-part-2.html">Patently Apple</a>, <a href="http://www.macrumors.com/2011/06/16/apple-researching-how-the-iphone-can-help-you-make-new-friends/">MacRumors</a>, <a href="http://www.thesun.co.uk/sol/homepage/news/3641676/Apple-to-ban-iPhone-gig-filming.html">The Sun</a>, thanks Steven!]</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2011/06/16/iphone-patent-applications-reveal-find-iphone-social-matching-patent-roundup/feed/</wfw:commentRss>
		<slash:comments>26</slash:comments>
		</item>
		<item>
		<title>Biometric facial recognition security coming to iPhone via Cydia mod [Jailbreak]</title>
		<link>http://www.imore.com/2011/05/17/facial-recognition-security-coming-iphone-cydia-mod-jailbreak/</link>
		<comments>http://www.imore.com/2011/05/17/facial-recognition-security-coming-iphone-cydia-mod-jailbreak/#comments</comments>
		<pubDate>Wed, 18 May 2011 01:04:34 +0000</pubDate>
		<dc:creator>Andrew Wray</dc:creator>
				<category><![CDATA[Apps]]></category>
		<category><![CDATA[Jailbreak Apps]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[camera]]></category>
		<category><![CDATA[facial recognition]]></category>
		<category><![CDATA[front facing camera]]></category>
		<category><![CDATA[ipad 2]]></category>
		<category><![CDATA[iphone 4]]></category>
		<category><![CDATA[ipod touch]]></category>
		<category><![CDATA[jailbreak]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.tipb.com/?p=63387</guid>
		<description><![CDATA[Ever wanted to unlock your iPhone simply by having it look at you and recognize who you are?  A jailbreak mod called RecognizeMe will be hitting Cydia soon and promises]]></description>
			<content:encoded><![CDATA[<p><img src="http://cdn.imore.com/images/stories/2011/05/RecognizeMe-Facial-Recognition-for-Jailbreak-265x400.jpg" alt="" title="RecognizeMe Facial Recognition Security for Jailbreak" width="265" height="400" class="aligncenter size-medium wp-image-63388" /></p>

<p>Ever wanted to unlock your iPhone simply by having it look at you and recognize who you are?  A jailbreak mod called RecognizeMe will be hitting Cydia soon and promises to bring biometric facial recognition security to the iPhone 4.  The mod will allow you to unlock your iPhone by scanning your facial features with the front-facing camera and verifying who you are before giving you access.</p>

<p>The tweak offers settings for dialing up the level of security (facial matching), which we're assuming requires a bit more processing time, but the app definitely appears to deliver on its promise of facial recognition security for the iPhone 4.  The mod looks a little slow at the moment, but hopefully the developers are able to optimize the code before an official release.</p>

<p>Check out the video after the jump, and let us know what you think in the comments!</p>

<p>[Thanks <a href="http://twitter.com/adamelter">@adamelter</a>]</p>

<p><span id="more-63387"></span></p>

<p><object width="499" height="284"><param name="movie" value="http://www.youtube.com/v/u3dUCSvcffU?fs=1&amp;hl=en_US&amp;rel=0"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/u3dUCSvcffU?fs=1&amp;hl=en_US&amp;rel=0" type="application/x-shockwave-flash" width="499" height="284" allowscriptaccess="always" allowfullscreen="true"></embed></object></p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2011/05/17/facial-recognition-security-coming-iphone-cydia-mod-jailbreak/feed/</wfw:commentRss>
		<slash:comments>18</slash:comments>
		</item>
		<item>
		<title>Security researchers: iPhone Keychain circumvented, data stolen in 6 minutes</title>
		<link>http://www.imore.com/2011/02/10/security-researchers-iphone-passwords-circumvented-data-stolen-6-minutes/</link>
		<comments>http://www.imore.com/2011/02/10/security-researchers-iphone-passwords-circumvented-data-stolen-6-minutes/#comments</comments>
		<pubDate>Thu, 10 Feb 2011 18:37:51 +0000</pubDate>
		<dc:creator>Rene Ritchie</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[exploits]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[jailbreak]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.tipb.com/?p=55556</guid>
		<description><![CDATA[If someone manages to take physical possession of your iPhone and keep it long enough to Jailbreak it, enable SSH, and get access to the root, they can compromise Apple's]]></description>
			<content:encoded><![CDATA[<p><img src="http://cdn.imore.com/images/stories/2010/11/iphone_3g_broken_spotlight.jpg" alt="Security researchers: iPhone Keychain circumvented, data stolen in 6 minutes" title="Security researchers: iPhone Keychain circumvented, data stolen in 6 minutes" width="400" height="298" class="aligncenter size-full wp-image-46135" /></p>

<p>If someone manages to take physical possession of your iPhone and keep it long enough to Jailbreak it, enable SSH, and get access to the root, they can compromise Apple's Keychain password management system and get to your data in roughly 6 minutes. </p>

<blockquote>
  <p>The attack works because the cryptographic key on current iOS devices is based on material available within the device and is independent of the passcode, the researchers said. This means attackers with access to the phone can create the key from the phone in their possession without having to hack the encrypted and secret passcode.</p>
  
  <p>Using the attack, researchers were able to access and decrypt passwords in the keychain, but not passwords in other protection classes.</p>
</blockquote>

<p>In other words, Exchange, Google/Gmail, LDAP, VPN, Wi-Fi, and some app passwords. This assumes you -- or the company for which you have passwords -- are a high-enough-level target that an attacker will go through the time and effort of stealing and breaking into your iPhone (or you lose your phone and a bored hacker finds it and decides to do it for the lulz). It's also currently being shown off in the lab, not in the wild (that we know of).</p>

<p>In any case, common sense and best practices dictate that if you ever have your iPhone stolen -- or you lose it -- you immediately use <a href="http://www.imore.com/2010/11/22/set-free-find-iphone-account/">Apple's free Find my iPhone service</a> to remotely wipe it (you can always <a href="http://www.imore.com/2010/11/05/iphone-101-restore-device/">restore via iTunes</a> if you find it again or it gets returned). You should also change your account passwords and inform your IT department so your enterprise access can be changed if/as needed.</p>

<p>Note: None of this has anything to do with whether you <a href="http://www.imore.com/jailbreak/">Jailbreak</a> your own phone or not. This is an attack on an iPhone, regardless of whether it's Jailbroken, that uses Jailbreak to gain access to the iPhone to steal data. Same exploit, evil intentions.</p>

<p>Hopefully <a href="http://www.imore.com/2011/01/23/apple-hires-david-rice-global-security-director/">Apple's new security muscle</a> gets more serious about protecting the Keychain in future versions of iOS.</p>

<p>[<a href="http://www.pcworld.com/businesscenter/article/219245/iphone_attack_reveals_passwords_in_six_minutes.html">PCWorld</a>]</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2011/02/10/security-researchers-iphone-passwords-circumvented-data-stolen-6-minutes/feed/</wfw:commentRss>
		<slash:comments>33</slash:comments>
		</item>
		<item>
		<title>Apple hires David Rice as new Global Security Director</title>
		<link>http://www.imore.com/2011/01/23/apple-hires-david-rice-global-security-director/</link>
		<comments>http://www.imore.com/2011/01/23/apple-hires-david-rice-global-security-director/#comments</comments>
		<pubDate>Sun, 23 Jan 2011 15:06:22 +0000</pubDate>
		<dc:creator>Rene Ritchie</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[apple hires]]></category>
		<category><![CDATA[david rice]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.tipb.com/?p=53678</guid>
		<description><![CDATA[According to <em>AllThingsD</em> Apple has hired David Rice as their new Global Security Director. A 1994 graduate of the US Naval Academy with a masters in Warfare and Systems engineering,]]></description>
			<content:encoded><![CDATA[<p><img src="http://cdn.imore.com/images/stories/2011/01/i-david-rice-large-230x300.jpg" alt="Apple hires David Rice as new Global Security Director" title="Apple hires David Rice as new Global Security Director" width="230" height="300" class="aligncenter size-full wp-image-53679" /></p>

<p>According to <em>AllThingsD</em>, Apple has hired David Rice as their new Global Security Director. A 1994 graduate of the US Naval Academy with a master's in Warfare and Systems engineering, he's worked for the NSA, the US Cyber Consequences Unit, and Neohapsis. He's also the author of the book <em>Geekonomics</em>:</p>

<blockquote>
  <p>In it he argues that software is modern infrastructure–just like a bridge (hence, the picture on the cover)– and if it’s poorly made or insecure, it constitutes a public hazard.</p>
  
  <p>Those who buy software–consumers, corporations and governments–end up being “crash test dummies” for an industry with no accountability for losses incurred by their customers, he argues.</p>
</blockquote>

<p>Rice joins Window Snyder, former head of security at Mozilla, Ivan Krstic, former head of security at One Laptop per Child, and Jon Callas, former CTO of PGP, among Apple's recent security hires.</p>

<p>Based on his background, it seems his "ounce of prevention is worth a pound of cure" view would entail making Apple software more secure so they'll waste less money on patching security exploits later. That's good news for Mac and iOS users when it comes to protecting us from malicious exploits like viruses, especially as Apple's market share increases and they become a larger target. It's not great for Jailbreak users who depend on the non-malicious exploits to gain root access to their iPhone, iPod touch, and iPad in order to customize and run apps beyond what Apple allows.</p>

<p>[<a href="http://newenterprise.allthingsd.com/20110122/apple-taps-former-navy-information-warrior-as-global-director-of-security/">AllThingsD</a>, thanks Anthony!]</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2011/01/23/apple-hires-david-rice-global-security-director/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Skype video calls, iOS IM clients, Game Center games, iOS security - From the Forums</title>
		<link>http://www.imore.com/2010/12/31/forums-52/</link>
		<comments>http://www.imore.com/2010/12/31/forums-52/#comments</comments>
		<pubDate>Fri, 31 Dec 2010 15:23:16 +0000</pubDate>
		<dc:creator>Jeremy Sikora</dc:creator>
				<category><![CDATA[From the Forums]]></category>
		<category><![CDATA[Regular Features]]></category>
		<category><![CDATA[app store]]></category>
		<category><![CDATA[Apple]]></category>
		<category><![CDATA[apps]]></category>
		<category><![CDATA[Client]]></category>
		<category><![CDATA[game center]]></category>
		<category><![CDATA[Games]]></category>
		<category><![CDATA[im]]></category>
		<category><![CDATA[im client]]></category>
		<category><![CDATA[ios]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[skype]]></category>
		<category><![CDATA[skype 3g]]></category>

		<guid isPermaLink="false">http://www.tipb.com/?p=51379</guid>
		<description><![CDATA[The TiPb forums are naturally a great place to talk, commiserate, celebrate, get help, and offer advice to your fellow iPhone users. In order to create a new thread of]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.imore.com/2010/12/21/happy-holidays-tipb-forums/tipb-forums/" rel="attachment wp-att-50158"><img src="http://cdn.imore.com/images/stories/2010/12/TiPb-Forums.jpg" alt="" title="TiPb Forums" width="400" height="200" class="aligncenter size-full wp-image-50158" /></a></p>

<p>The TiPb forums are naturally a great place to talk, commiserate, celebrate, get help, and offer advice to your fellow iPhone users. In order to create a new thread of your own or reply to any of the existing threads, you must be a registered member. Becoming a member is easy and free so if you haven’t already, head on over and <a href="http://forums.imore.com/register.php">register now</a>!</p>

<ul>
<li><p>Skype recently released an update to support video calls via 3G. <a href="http://forums.imore.com/iphone-apps-games-forum/202675-skype-update-video-calls-over-3g.html">Have you used this feature and do you think it spells doom for Apple's FaceTime?</a></p></li>
<li><p>There are so many good IM clients for the iOS platform, <a href="http://forums.imore.com/iphone-apps-games-forum/201264-what-best-im-app.html">which one is your favorite?</a></p></li>
<li><p>Apple's App Store is filled with some truly amazing games compatible with Game Center, <a href="http://forums.imore.com/iphone-apps-games-forum/197785-must-have-game-center-games.html">what are some of your current must-have games?</a></p></li>
<li><p>How many of you take advantage of the security features in iOS? <a href="http://forums.imore.com/iphone-forum/202660-password-pin.html">Do you prefer to use a PIN or password?</a></p></li>
</ul>

<p>See you in the forums!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2010/12/31/forums-52/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ASLR security coming to jailbroken iPhones with Antid0te</title>
		<link>http://www.imore.com/2010/12/10/aslr-security-coming-jailbroken-iphones-antid0te/</link>
		<comments>http://www.imore.com/2010/12/10/aslr-security-coming-jailbroken-iphones-antid0te/#comments</comments>
		<pubDate>Fri, 10 Dec 2010 14:23:32 +0000</pubDate>
		<dc:creator>Farbod</dc:creator>
				<category><![CDATA[Jailbreak Apps]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[aslr]]></category>
		<category><![CDATA[ipad]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[ipod touch]]></category>
		<category><![CDATA[jailbreak]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.tipb.com/?p=48868</guid>
		<description><![CDATA[In an effort to make your iPhone more secure, security analyst and jailbreak developer Stefan Esser is releasing Antid0te on December 14th. Address Space Layout Randomization (ASLR) is a security]]></description>
			<content:encoded><![CDATA[<p><img alt="" src="http://cdn.imore.com/images/stories/2009/07/iPhone_4_Pirate.jpg" class="aligncenter" width="260" height="378" /></p>

<p>In an effort to make your iPhone more secure, security analyst and jailbreak developer Stefan Esser is releasing Antid0te on December 14th. Address Space Layout Randomization (ASLR) is a security technique which involves randomly arranging the positions of key data areas. This usually includes rearranging the base of the executable and the positions of libraries, heap, and stack in a process's address space. This makes shellcode injection on the stack difficult, because an attacker first has to find the stack. Many of the most popular and sophisticated operating systems already use ASLR, including Windows, Linux, and Mac OS X (10.5+).</p>

<p>Just how secure is your iPhone? Earlier this year at the Pwn2Own hacking competition, Vincenzo Iozzo and Ralf Weinmann took home first place for hacking an iPhone 3GS and downloading all its stored SMS messages in only 20 seconds. This past summer, jailbreak developer Comex used a PDF exploit that allowed an integer overflow in IOSurface.framework to get root access and privilege.</p>

<p>While Comex used this exploit to jailbreak the device and install Cydia, someone more malicious could have used the same exploit to steal personal data and download it remotely.  Jay Freeman, also known as the jailbreak developer and Cydia creator Saurik, released a patch to plug this exploit weeks before Apple released their patch.  </p>

<p>Although some would want you to believe otherwise, jailbreaking a device does not in and of itself make a device less secure.  It merely uses existing security holes to give root access and privileges in order to allow the user to make desired changes, including patching security holes and making the device more secure than a jailed and stock iPhone.  Like Saurik, Esser believes that iOS does have serious security limitations and that Antid0te will go a long way in resolving some of them.</p>

<p>Is Apple doing enough to make our devices secure? Would you jailbreak for a more secure iPhone? Let us know by leaving a comment below!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2010/12/10/aslr-security-coming-jailbroken-iphones-antid0te/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>UPDATED: iOS 4.1 security flaw allows calls to be made on passcode locked iPhone</title>
		<link>http://www.imore.com/2010/10/25/ios-41-security-flaw-calls-passcode-locked-iphone/</link>
		<comments>http://www.imore.com/2010/10/25/ios-41-security-flaw-calls-passcode-locked-iphone/#comments</comments>
		<pubDate>Mon, 25 Oct 2010 23:51:56 +0000</pubDate>
		<dc:creator>iMore Staff</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[ios 4.1]]></category>
		<category><![CDATA[ios 4.1 bugs]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[Passcode Lock]]></category>
		<category><![CDATA[phone]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[tipbvideo]]></category>
		<category><![CDATA[Video]]></category>

		<guid isPermaLink="false">http://www.tipb.com/?p=41934</guid>
		<description><![CDATA[It looks as if there's yet another Phone.app security hole, this time in iOS 4.1 that allows someone to get around a passcode locked iPhone, gain access to the owner's]]></description>
			<content:encoded><![CDATA[<p><object width="480" height="385"><param name="movie" value="http://www.youtube.com/v/c8bqYFgBmfc?fs=1&amp;hl=en_US"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/c8bqYFgBmfc?fs=1&amp;hl=en_US" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="480" height="385"></embed></object></p>

<p>It looks as if there's yet another Phone.app security hole, this time in iOS 4.1, that allows someone to get around a passcode-locked iPhone, gain access to the owner's contact list, and make calls and send emails to anyone in said contact list. From MacStories:</p>

<blockquote>
  <p>"To reproduce the bug, make sure to have a passcode lock turned on and lock your device. In the lockscreen, tap on Emergency Call in the lower left corner. Now type a non-existent emergency number, I tried #946494. Start the call, and as soon as the red button appears, hit the sleep button. You’ll be brought to the contact list."</p>
</blockquote>

<p>The issue will most likely get patched by Apple in the 4.2 update coming later this month, but it's not the first time the emergency call screen has been exploited. Both <a href="http://www.imore.com/2008/09/19/security-flaw-revealed-in-21/">iOS 2.1</a> and <a href="http://www.imore.com/2008/08/27/gigantic-security-flaw-uncovered-in-202/">iOS 2.0.2</a> suffered from passcode lock bugs. Hopefully Apple pays extra attention and really secures Phone.app this time.</p>

<p>We were able to recreate the issue in the video above.  Any readers out there seeing the same results?  Let us know your thoughts on this in the comments below!</p>

<p>UPDATE: This bug appears to already be fixed in iOS 4.2 beta, which is due to be released in November.</p>

<p>[<a href="http://www.macstories.net/news/iphone-security-hole-lets-you-make-calls-when-the-phone-is-locked/">MacStories</a>]</p>

<p><em>by Andrew Wray</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2010/10/25/ios-41-security-flaw-calls-passcode-locked-iphone/feed/</wfw:commentRss>
		<slash:comments>30</slash:comments>
		</item>
		<item>
		<title>Apple to patch Jailbreakme.com, PDF font exploit in upcoming software update</title>
		<link>http://www.imore.com/2010/08/05/apple-patch-jailbreakmecom-pdf-font-exploit-upcoming-software-update/</link>
		<comments>http://www.imore.com/2010/08/05/apple-patch-jailbreakmecom-pdf-font-exploit-upcoming-software-update/#comments</comments>
		<pubDate>Thu, 05 Aug 2010 14:53:49 +0000</pubDate>
		<dc:creator>Rene Ritchie</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[ios 4]]></category>
		<category><![CDATA[ios 4 bugs]]></category>
		<category><![CDATA[jailbreakme]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.tipb.com/?p=36184</guid>
		<description><![CDATA[<a href="http://cdn.imore.com/images/stories/2010/08/photo.png"></a>

I think we all generally assumed this, but it's nice to see Apple going on record as saying they'll patch the PDF font exploit that currently allows the <a href="http://www.imore.com/tag/jailbreakme/">Jailbreakme.com jailbreak</a>]]></description>
			<content:encoded><![CDATA[<p><a href="http://cdn.imore.com/images/stories/2010/08/photo.png"><img src="http://cdn.imore.com/images/stories/2010/08/photo-266x400.png" alt="Jailbreakme" title="Jailbreakme" width="266" height="400" class="aligncenter size-medium wp-image-35981" /></a></p>

<p>I think we all generally assumed this, but it's nice to see Apple going on record as saying they'll patch the PDF font exploit that currently allows the <a href="http://www.imore.com/tag/jailbreakme/">Jailbreakme.com jailbreak</a> -- and potentially any malicious hacker out there -- to run code on an iPhone with just the tap of a web button. <em>CNET</em> scored the quote from an Apple spokeswoman:</p>

<blockquote>
  <p>"We're aware of this reported issue, we have already developed a fix and it will be available to customers in an upcoming software update."</p>
</blockquote>

<p>That might not be great news for Jailbreakers in the waiting, but this is a really bad security vulnerability and Jailbreak or no Jailbreak, Apple needs to fix it as soon as possible. Apple of course currently only provides updates in the form of complete firmware re-writes, which means we're likely going to have to wait for an iOS 4.0.2 (and hopefully a proximity sensor fix), or <a href="http://www.imore.com/tag/ios-4-1/">iOS 4.1</a> this fall when Apple introduces <a href="http://www.imore.com/tag/ipod-touch-g4/">iPod touch 4</a>.</p>

<p>If they could somehow work out a way to patch iOS, especially OTA, without having to wait until an entirely new firmware is ready it would go a long way towards speeding up their security response time for situations such as this.</p>

<p>[<a href="http://news.cnet.com/8301-31021_3-20012694-260.html">CNET</a>] </p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2010/08/05/apple-patch-jailbreakmecom-pdf-font-exploit-upcoming-software-update/feed/</wfw:commentRss>
		<slash:comments>26</slash:comments>
		</item>
		<item>
		<title>Apple investigating web-based exploit used for iOS 4, iPhone 4 Jailbreak</title>
		<link>http://www.imore.com/2010/08/04/apple-investigating-webbased-exploit-ios-4-iphone-4-jailbreak/</link>
		<comments>http://www.imore.com/2010/08/04/apple-investigating-webbased-exploit-ios-4-iphone-4-jailbreak/#comments</comments>
		<pubDate>Wed, 04 Aug 2010 10:17:30 +0000</pubDate>
		<dc:creator>Rene Ritchie</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[exploits]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[iphone 4]]></category>
		<category><![CDATA[ipod touch]]></category>
		<category><![CDATA[jailbreakme]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.tipb.com/?p=36078</guid>
		<description><![CDATA[<a href="http://cdn.imore.com/images/stories/2010/08/photo.png"></a>

Apple is aware of the web-based exploit used to <a href="http://www.imore.com/2010/08/03/guide-jailbreaking-iphone-4x-ipad-32x/">Jailbreak iOS 4 and iPhone 4</a>, but also potentially able to <a href="http://www.imore.com/2010/08/02/jailbreak-exploits-maliciousness/">allow malicious access to any iPhone</a> -- Jailbroken or]]></description>
			<content:encoded><![CDATA[<p><a href="http://cdn.imore.com/images/stories/2010/08/photo.png"><img src="http://cdn.imore.com/images/stories/2010/08/photo-266x400.png" alt="Jailbreakme" title="Jailbreakme" width="266" height="400" class="aligncenter size-medium wp-image-35981" /></a></p>

<p>Apple is aware of the web-based exploit used to <a href="http://www.imore.com/2010/08/03/guide-jailbreaking-iphone-4x-ipad-32x/">Jailbreak iOS 4 and iPhone 4</a>, but also potentially able to <a href="http://www.imore.com/2010/08/02/jailbreak-exploits-maliciousness/">allow malicious access to any iPhone</a> -- Jailbroken or not -- and are investigating it.</p>

<p>While many users were thrilled at the rapidity and simplicity with which Comex et al. delivered an iOS 4 and iPhone 4 Jailbreak, that same exploit could just as rapidly and simply be used to hack any iPhone for any reason -- including malicious ones like stealing your data.</p>

<p>Tapping on a web link is far easier to get someone to do than downloading and running a program, and with this exploit being zero-day and in the wild, Apple will need to get it patched and fast.</p>

<p>Until they do, the usual advice applies -- don't go to websites you don't trust completely, and don't click on links in emails if there's any chance they're malicious (go type the URL in the browser yourself).</p>

<p>[<a href="http://www.reuters.com/article/idCNN0317624520100803?rpc=44">Reuters</a>]</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2010/08/04/apple-investigating-webbased-exploit-ios-4-iphone-4-jailbreak/feed/</wfw:commentRss>
		<slash:comments>21</slash:comments>
		</item>
		<item>
		<title>UPDATED: AT&amp;T accounts compromised during iPhone 4 pre-orders?</title>
		<link>http://www.imore.com/2010/06/15/att-accounts-compromised-iphone-4/</link>
		<comments>http://www.imore.com/2010/06/15/att-accounts-compromised-iphone-4/#comments</comments>
		<pubDate>Tue, 15 Jun 2010 21:25:13 +0000</pubDate>
		<dc:creator>Leanna Lofte</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[4th gen iphone]]></category>
		<category><![CDATA[AT&T]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[iphone 4]]></category>
		<category><![CDATA[iphone 4 launch]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.tipb.com/?p=31160</guid>
		<description><![CDATA[<a href="http://cdn.imore.com/images/stories/2009/06/att_iphone_3g_s_hate_you_cant_leave.jpg"></a>

<strong>UPDATE:</strong> An insider from AT&#38;T has contacted <em>Gizmodo</em> with information regarding accounts being compromised when customers log in to pre-order the iPhone 4. It turns out that AT&#38;T updated]]></description>
			<content:encoded><![CDATA[<p><a href="http://cdn.imore.com/images/stories/2009/06/att_iphone_3g_s_hate_you_cant_leave.jpg"><img src="http://cdn.imore.com/images/stories/2009/06/att_iphone_3g_s_hate_you_cant_leave-400x202.jpg" alt="" title="att_iphone_3g_s_hate_you_cant_leave" width="400" height="202" class="aligncenter size-medium wp-image-9441" /></a></p>

<p><strong>UPDATE:</strong> An insider from AT&amp;T has contacted <em>Gizmodo</em> with information regarding accounts being compromised when customers log in to pre-order the iPhone 4. It turns out that AT&amp;T updated their systems over the weekend, and that is likely the cause of the security issue.</p>

<blockquote>Over the weekend there was a major fraud update that went down on all of AT&#038;T's systems, from Saturday overnight to Sunday early morning. All systems were down and agents were unable to use any systems.</blockquote>

<blockquote>The issues people are seeing at AT&#038;T stores and online are most likely related to this update that went wrong.</blockquote>

<blockquote>I do know that there was absolutely NO TESTING of this system done before the launch of the new iPhone. I know it's just hearsay at this point, but I can confirm that there was a major outage over the weekend that impacted all ordering systems and programs, and I can confirm that there were multiple systems being upgraded/updated, with some updates being related to fraud.</blockquote>

<p>Head on over to <a href="http://gizmodo.com/5564262/"><em>Gizmodo</em></a> to read the full letter. </p>

<p><strong>Original:</strong> We are getting reports in our <a href="http://forums.imore.com/iphone-forum/191705-t-accounts-compromised.html">forums</a> that when trying to pre-order the iPhone 4 on AT&amp;T's website, the account information displayed is not their own, but a total stranger's. </p>

<p>ugahairydawgs reports</p>

<blockquote>Logged in and was looking at the account for some guy from Wisconsin who works for IBM. I thought I had hit the jackpot and that the AT&#038;T computers had messed up and given me full upgrade pricing, but then I realized that the name at the top of the page didn't quite match the one on my driver's license.</blockquote>

<p>jtimmerm says</p>

<blockquote>It's 3:10 pm Chicago time and I just had the same thing happen. Got info for a different guy and company. I realize the servers are busy, but this is unacceptable.</blockquote>

<p>This is a huge security issue on AT&amp;T's part. It may explain why there are so many server issues today. Perhaps AT&amp;T is aware of the problem and prevented access so they could fix it. Perhaps not. We'll be interested to hear what AT&amp;T has to say with regard to this security problem. AT&amp;T is not doing a great job of building customers' trust, especially when something like this happens a week after they were hacked, <a href="http://www.imore.com/2010/06/10/att-hacked-ipad-3g-owners-email-addresses-harvested/">compromising the email addresses of iPad owners</a>.</p>

<p>Is anyone else receiving access to a stranger's account? </p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2010/06/15/att-accounts-compromised-iphone-4/feed/</wfw:commentRss>
		<slash:comments>24</slash:comments>
		</item>
		<item>
		<title>AT&amp;T hacked, iPad 3G owners email addresses harvested</title>
		<link>http://www.imore.com/2010/06/10/att-hacked-ipad-3g-owners-email-addresses-harvested/</link>
		<comments>http://www.imore.com/2010/06/10/att-hacked-ipad-3g-owners-email-addresses-harvested/#comments</comments>
		<pubDate>Thu, 10 Jun 2010 06:16:57 +0000</pubDate>
		<dc:creator>Rene Ritchie</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[attack]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[ipad]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.tipb.com/?p=30474</guid>
		<description><![CDATA[<a href="http://cdn.imore.com/images/stories/2010/06/500x_ileak_inside2.jpg"></a>

Hackers found a way into AT&#38;T's iPad 3G registry and, using a brute-force attack based on unique ICC-ID numbers, managed to pull down corresponding email addresses for those users]]></description>
			<content:encoded><![CDATA[<p><a href="http://cdn.imore.com/images/stories/2010/06/500x_ileak_inside2.jpg"><img src="http://cdn.imore.com/images/stories/2010/06/500x_ileak_inside2-400x286.jpg" alt="" title="500x_ileak_inside2" width="400" height="286" class="aligncenter size-medium wp-image-30475" /></a></p>

<p>Hackers found a way into AT&amp;T's iPad 3G registry and, using a brute-force attack based on unique ICC-ID numbers, managed to pull down corresponding email addresses for those users -- who include members of the US military, executive branch, and media companies.</p>

<p>AT&amp;T has since closed the vulnerability and issued the following statement:</p>

<blockquote>
  <p>"AT&amp;T was informed by a business customer on Monday of the potential exposure of their iPad ICC IDS. The only information that can be derived from the ICC IDS is the e-mail address attached to that device.</p>
  
  <p>This issue was escalated to the highest levels of the company and was corrected by Tuesday; and we have essentially turned off the feature that provided the e-mail addresses.</p>
  
  <p>The person or group who discovered this gap did not contact AT&amp;T.</p>
  
  <p>We are continuing to investigate and will inform all customers whose e-mail addresses and ICC IDS may have been obtained.</p>
  
  <p>We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted."</p>
</blockquote>

<p>So once again it's the convenience of the cloud vs. the security of customer information. Increasingly we're trusting online accounts and services with our personal and financial information, and high-profile incidents like this, if nothing else, force everyone to re-examine what we trust and with whom.</p>

<p>How serious is this loss of data to you? Does it make you hesitant to sign up online or on-device?</p>

<p>[<a href="http://gawker.com/5559346/">Gawker</a>, who curiously call it an Apple security breach in the headline.]</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2010/06/10/att-hacked-ipad-3g-owners-email-addresses-harvested/feed/</wfw:commentRss>
		<slash:comments>29</slash:comments>
		</item>
		<item>
		<title>Apple Store Employees Kept in Dark Regarding New Products</title>
		<link>http://www.imore.com/2010/03/30/apple-store-employees-dark-products/</link>
		<comments>http://www.imore.com/2010/03/30/apple-store-employees-dark-products/#comments</comments>
		<pubDate>Tue, 30 Mar 2010 21:38:49 +0000</pubDate>
		<dc:creator>Jeremy Sikora</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Apple]]></category>
		<category><![CDATA[Apple Store]]></category>
		<category><![CDATA[ipad]]></category>
		<category><![CDATA[Products]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[store]]></category>

		<guid isPermaLink="false">http://www.tipb.com/?p=24332</guid>
		<description><![CDATA[It's no surprise that Apple likes to keep things top secret when it comes to their new products not only from all of us but also from their very own]]></description>
			<content:encoded><![CDATA[<p><img src="http://cdn.imore.com/images/stories/2010/03/att_iPad.jpg" alt="att_iPad" title="att_iPad" width="311" height="369" class="aligncenter size-full wp-image-24336" /></p>

<p>It's no surprise that Apple likes to keep things top secret when it comes to their new products, not only from all of us but also from their very own employees, as <a href="http://www.reuters.com/article/idUSTRE62T4DP20100330">Reuters</a> has just found out by interviewing current and past Apple Store employees.</p>

<p><blockquote>"We haven't seen it; we never do" before a product is launched, said one employee, who asked not to be identified because workers are barred from speaking with the media. "Every store employee I know, including the managers, they haven't seen it."</blockquote></p>

<p>Now we understand why Apple is this strict when it comes to their new product launches - to avoid leaks. But there is a flip side to that coin, as even Apple Store Geniuses are clueless as to how to fix the product, let alone get their hands on it, until the day of its release. Apple has reportedly even gone as far as having store managers guard pallets of new products the night prior to launch day.</p>

<p>So if you happen to go into your local Apple Store and start asking questions about a soon to be released product and you are not getting the answers you are seeking, cut the employee some slack as they truly are kept in the dark and more than likely don't know much more than you. In fact, sometimes you are better off <a href="http://forums.imore.com/">visiting our forums</a> for more information. <img src='http://www.imore.com/wp-includes/images/smilies/icon_wink.gif' alt=';)' class='wp-smiley' /> </p>

<p>[Via <a href="http://www.macrumors.com/2010/03/30/apples-product-launch-security-profiled-ahead-of-ipad-debut/">Mac Rumors</a> via <a href="http://www.reuters.com/article/idUSTRE62T4DP20100330">Reuters</a>]</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2010/03/30/apple-store-employees-dark-products/feed/</wfw:commentRss>
		<slash:comments>15</slash:comments>
		</item>
		<item>
		<title>Apple Jobs: Online Engineer Lost to Thumbplay, Security Gained from Mozilla/Microsoft, Mobile Advertising Wants SDK Manager, iBooks Store Wants Canada and AsiaPac</title>
		<link>http://www.imore.com/2010/03/02/apple-jobs-music-lost-thumbplay-security-gained-mozillamicrosoft-mobile-advertising-sdk-manager-ibooks-store-canada-australia/</link>
		<comments>http://www.imore.com/2010/03/02/apple-jobs-music-lost-thumbplay-security-gained-mozillamicrosoft-mobile-advertising-sdk-manager-ibooks-store-canada-australia/#comments</comments>
		<pubDate>Tue, 02 Mar 2010 22:09:07 +0000</pubDate>
		<dc:creator>Rene Ritchie</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[apple jobs]]></category>
		<category><![CDATA[ibooks store]]></category>
		<category><![CDATA[mircosoft]]></category>
		<category><![CDATA[mobile advertising]]></category>
		<category><![CDATA[mozilla]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[thumplay]]></category>

		<guid isPermaLink="false">http://www.tipb.com/?p=22467</guid>
		<description><![CDATA[Lots of movement on the Apple jobs (as in employment, not Steve) front lately, so here's a look at the recent loss of a music exec to Thumbplay, the gain]]></description>
			<content:encoded><![CDATA[<p><img src="http://cdn.imore.com/images/stories/2010/03/Screen-shot-2010-03-02-at-5.07.25-PM.png" alt="Apple iBooks Store Jobs Wanted" title="Apple iBooks Store Jobs Wanted" width="397" height="270" class="aligncenter size-full wp-image-22469" /></p>

<p>Lots of movement on the Apple jobs (as in employment, not Steve) front lately, so here's a look at the recent loss of a music exec to Thumbplay, the gain of a security chief from Mozilla (and before that Microsoft), and they're hiring a Mobile Advertising team and an iBooks Store lead for Canada, Australia, and New Zealand.</p>

<p>Thumbplay, a company formerly noteworthy (or not) for ringtones is getting into mobile music says <a href="http://mediamemo.allthingsd.com/20100301/thumbplay-moves-from-ringtones-to-mobile-music-hires-apple-exec/">MediaMemo</a>, hiring Pablo Calamera. <a href="http://www.macrumors.com/2010/03/01/thumbplay-poaches-apple-executive-launches-subscription-music-service/">MacRumors</a> tells us Calamera was most recently Director of Apple's Engineering division, overseeing MobileMe. (Yeah, the troubled-launch jokes write themselves, right?)</p>

<p>Apple gains a security chief from Mozilla in Window Snyder according to <a href="http://www.pcworld.com/article/190524/exmozilla_security_chief_takes_job_at_apple.html">PCWorld</a>. Prior to that she started the Blue Hat program at Microsoft which helped them engage with security researchers. Please let that be her role at Apple. Anything that creates faster security responses, actually.</p>

<p>Mobile Advertising, meanwhile, is being staffed up beyond even the <a href="http://www.imore.com/tag/quatro-wireless/">Quattro Wireless</a> purchase says <a href="http://www.businessinsider.com/apple-staffing-up-for-advertising-blitz-2010-3">Silicon Alley Insider</a>. An iPhone advertising SDK manager is being sought and a team is being built.</p>

<p>Also being sought after is a manager for the <a href="http://www.imore.com/tag/ibooks/">iBooks</a> Store says <a href="http://www.macrumors.com/2010/03/02/apple-making-plans-to-extend-ibookstore-internationally/">MacRumors</a>, specifically one for Canada, Australia, and New Zealand. Does that mean those countries will be getting iBooks as well at some point? We certainly hope so!</p>

<p>Any other insightful Apple job postings out there? Let us know!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2010/03/02/apple-jobs-music-lost-thumbplay-security-gained-mozillamicrosoft-mobile-advertising-sdk-manager-ibooks-store-canada-australia/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>Want to Take an iPhone, iPod touch, or Any Gadget on a Flight Into the US? Here&#039;s What You Need to Know!</title>
		<link>http://www.imore.com/2009/12/28/iphone-ipod-touch-gadget-flight/</link>
		<comments>http://www.imore.com/2009/12/28/iphone-ipod-touch-gadget-flight/#comments</comments>
		<pubDate>Mon, 28 Dec 2009 13:58:12 +0000</pubDate>
		<dc:creator>Rene Ritchie</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[air travel]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[travel]]></category>
		<category><![CDATA[tsa]]></category>

		<guid isPermaLink="false">http://www.theiphoneblog.com/?p=17753</guid>
		<description><![CDATA[In the wake of the <a href="http://news.bbc.co.uk/2/hi/americas/8430612.stm">latest act of terrorism</a> attempted on a US airplane, the TSA has enacted what appear to be deliberately unpredictable new security measures that seem to]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.imore.com/images/stories/2009/06/iphone_law-and-order.jpg" alt="iphone_law-and-order" title="iphone_law-and-order" width="400" height="361" class="aligncenter size-full wp-image-9468" /></p>

<p>In the wake of the <a href="http://news.bbc.co.uk/2/hi/americas/8430612.stm">latest act of terrorism</a> attempted on a US airplane, the TSA has enacted what appear to be deliberately unpredictable new security measures that seem to include a complete ban on the use of electronics like the iPhone or iPod touch, and even the use of the bathroom for the last hour of any plane trip in-bound to the US.</p>

<p>"Seem" is the operative word, as there looks to still be a lot of confusion as to how, when, and where the new policies are being implemented. We could joke about the comeback of non-tablet paper books, or the train and automobile industries in the face of skies being so friendly, but missed flights and connections, mass confusion and sustained minor panic aren't too terribly funny. Likewise we'll sidestep the whole "eternal vigilance" vs. "deserve neither" debate.</p>

<p>The current policies seem to be effective until Jan. 1, 2010, and then we'll see what happens next. With gadget-lovers coming into the US for CES in just over a week, and with no doubt plenty of Americans with return flights planned from the Vancouver Olympics (and countless other places) thereafter, let's hope everything stays safe and secure while returning as quickly as possible to functionality.</p>

<p>Meanwhile, <a href="http://gizmodo.com/5435188/leaked-homeland-securitys-post-underwear-bomb-airplane-rules">Gizmodo</a> has the TSA memo which basically lays out that if you don't run your own country, get in line <em>way</em> early and be prepared for anything. You'll likely get patted down once or twice. Your carry-on baggage may be restricted to one item and will be visually inspected. You'll likely not be able to use any electronics or go to the bathroom for the last hour of the flight. The in-flight entertainment system may be completely shut down, or may just not show live location information or news. Everyone is going to be tired, frustrated, and on edge. </p>

<p>[Much of this via PCMag's <a href="http://twitter.com/saschasegan/">@saschasegan</a> who's doing a great job passing along information via Twitter]</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2009/12/28/iphone-ipod-touch-gadget-flight/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>Airlock: Lock Your Mac with Your iPhone or iPod touch via Bluetooth</title>
		<link>http://www.imore.com/2009/12/08/airlock-lock-mac-iphone-ipod-touch-bluetooth/</link>
		<comments>http://www.imore.com/2009/12/08/airlock-lock-mac-iphone-ipod-touch-bluetooth/#comments</comments>
		<pubDate>Tue, 08 Dec 2009 17:39:44 +0000</pubDate>
		<dc:creator>Jeremy Sikora</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Airlock]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[ipod touch]]></category>
		<category><![CDATA[Mac]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.theiphoneblog.com/?p=16434</guid>
		<description><![CDATA[If you own either an iPhone or iPod touch along with a Mac computer then <em><a href="http://themha.com/airlock/index.html?s=a">Airlock</a></em> may just be the security OS X application you've been looking for. For only]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.imore.com/images/stories/2009/12/IMG_1155_rect540-317x400.jpg" alt="airlock" title="airlock" width="317" height="400" class="aligncenter size-medium wp-image-16436" /></p>

<p>If you own either an iPhone or iPod touch along with a Mac computer then <em><a href="http://themha.com/airlock/index.html?s=a">Airlock</a></em> may just be the security OS X application you've been looking for. For only $7.77 you can have a very effective lock for your Mac computer with just your iPhone or iPod touch.</p>

<p>How does <em>Airlock</em> work? It's pretty simple: the program determines when you are near your computer. If you leave your computer's Bluetooth reach with your iPhone or iPod touch, your computer locks itself. As soon as you are back within Bluetooth range, it unlocks your computer. If your iPhone/iPod touch is out of range and you need access to your computer, simply set <em>Airlock</em> up to allow your user name and password to gain access.</p>

<p>If any of you give <em>Airlock</em> a try let us know how you like it!</p>

<p>[Via <a href="http://gizmodo.com/5421489/use-your-iphone-or-ipod-touch-to-lock-your-mac">Gizmodo</a> via <a href="http://www.unplggd.com/unplggd/safety-security/airlock-iphone-bluetooth-computer-security-103451">Unplggd</a>]</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2009/12/08/airlock-lock-mac-iphone-ipod-touch-bluetooth/feed/</wfw:commentRss>
		<slash:comments>17</slash:comments>
		</item>
		<item>
		<title>Apple Seeking iPhone OS Platform Security Manager: What does this mean for Jailbreaking?</title>
		<link>http://www.imore.com/2009/11/05/apple-seeking-iphone-os-platform-security-manager-jailbreak-days/</link>
		<comments>http://www.imore.com/2009/11/05/apple-seeking-iphone-os-platform-security-manager-jailbreak-days/#comments</comments>
		<pubDate>Thu, 05 Nov 2009 12:44:26 +0000</pubDate>
		<dc:creator>Jeremy Sikora</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Apple]]></category>
		<category><![CDATA[jailbreak]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.theiphoneblog.com/?p=14498</guid>
		<description><![CDATA[<a href="http://www.imore.com/images/stories/2009/06/macbook_stop_jailbreak.jpg"></a>

Apple is currently hiring and is in search of an <a href="http://jobs.apple.com/index.ajs?BID=1&#038;method=mExternal.showJob&#038;RID=42223&#038;CurrentPage=1">iPhone OS platform security manager</a>. What does the particular job consist of? Here is the low down:

<blockquote>
  The team </blockquote>]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.imore.com/images/stories/2009/06/macbook_stop_jailbreak.jpg"><img src="http://www.imore.com/images/stories/2009/06/macbook_stop_jailbreak-400x240.jpg" alt="macbook_stop_jailbreak" title="macbook_stop_jailbreak" width="400" height="240" class="aligncenter size-medium wp-image-8856" /></a></p>

<p>Apple is currently hiring and is in search of an <a href="http://jobs.apple.com/index.ajs?BID=1&#038;method=mExternal.showJob&#038;RID=42223&#038;CurrentPage=1">iPhone OS platform security manager</a>. What does the particular job consist of? Here is the low down:</p>

<blockquote>
  <p>The team is responsible for secure booting and installation of the OS, partitioning and hardening of security domains within the OS, cryptographic services, and risk analysis of security threats. The team is made up of a variety of security experts with backgrounds in system security and reverse engineering.</p>
</blockquote>

<p>The more secure Apple makes the OS the harder it will become to find and use a particular exploit -- for good, like our beloved <a href="http://www.imore.com/tag/jailbeak/">jailbreak</a>, or <a href="http://www.imore.com/2009/11/03/dutch-hacker-holding-jailbroken-iphones-hostage-security-vulnerability/">for evil</a>, like we've seen with computer viruses, malware, etc. </p>

<p>Now don't get us wrong, we are pretty sure that one person will <em>not</em> do away with our beloved jailbreak but this does raise some questions. Is Apple really concerned popular mobile devices will get attacked the way PCs do today? Or are they just done putting the practice of preventing jailbreaking (and the <a href="http://www.imore.com/tag/unlock/">unlocking</a> and <a href="http://www.imore.com/2009/10/14/apple-closed-jailbreak-exploit-due-app-piracy/">app piracy</a> that sometimes goes with it) on the back burner?</p>

<p>What do you think this may mean for the future of the jailbreak if anything? Sound off in the comments below!</p>

<p>[Job listing via <a href="http://arstechnica.com/apple/news/2009/11/blacksn0w-unlocks-312-apple-looks-to-curtail-jailbreaking.ars">Ars</a>]</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2009/11/05/apple-seeking-iphone-os-platform-security-manager-jailbreak-days/feed/</wfw:commentRss>
		<slash:comments>29</slash:comments>
		</item>
		<item>
		<title>Dutch Hacker Held Jailbroken iPhones Hostage Via Security Vulnerability</title>
		<link>http://www.imore.com/2009/11/03/dutch-hacker-holding-jailbroken-iphones-hostage-security-vulnerability/</link>
		<comments>http://www.imore.com/2009/11/03/dutch-hacker-holding-jailbroken-iphones-hostage-security-vulnerability/#comments</comments>
		<pubDate>Tue, 03 Nov 2009 16:26:48 +0000</pubDate>
		<dc:creator>Jeremy Sikora</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[hacker]]></category>
		<category><![CDATA[jailbreak]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.theiphoneblog.com/?p=14383</guid>
		<description><![CDATA[We've <a href="http://www.imore.com/2009/07/27/pro-tips-secure-jailbroken-regular-iphone-hackers/">warned you previously about some of the security vulnerabilities</a> that come with jailbreaking your iPhone. Turns out a Dutch hacker has gone and made a point to a countless]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.imore.com/images/stories/2009/11/jailbroken_iphone_hacked_intro-266x400.jpg" alt="jailbroken_iphone_hacked_intro" title="jailbroken_iphone_hacked_intro" width="266" height="400" class="aligncenter size-medium wp-image-14384" /></p>

<p>We've <a href="http://www.imore.com/2009/07/27/pro-tips-secure-jailbroken-regular-iphone-hackers/">warned you previously about some of the security vulnerabilities</a> that come with jailbreaking your iPhone. Turns out a Dutch hacker has gone and made that point on countless jailbroken devices by using a port scanning technique along with some networking smarts. Once he gained access to the jailbroken iPhones, the rest was easy. All of the devices that were hacked had unchanged root passwords along with SSH enabled. You'd know you were hacked if the following message popped up on your screen:</p>

<p><blockquote><em>If you don't pay, it's fine by me, but remember, the way I got access to your iPhone can be used by thousands of others-they can send text messages from your number (like I did), use it to call or record your calls, and actually whatever they want, even use it for their hacking activities! I can assure you, I have no intention of harming you or whatever, but, some hackers do! It's just my advice to secure your phone.</em></blockquote></p>

<p>As promised, no harm was done or will be done. It turns out the hacker just wanted to teach people a simple lesson: change your root passwords and disable SSH. He's even been nice enough to post directions on <a href="http://mr09.fileave.com/">how to make sure your jailbroken iPhone is not at risk</a>.</p>

<p>[Via <a href="http://gizmodo.com/5395645/dutch-hacker-holds-jailbroken-iphones-hostage-for-5-ransom-while-exposing-security-vulnerability">Gizmodo</a>]</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2009/11/03/dutch-hacker-holding-jailbroken-iphones-hostage-security-vulnerability/feed/</wfw:commentRss>
		<slash:comments>16</slash:comments>
		</item>
		<item>
		<title>GSM Encryption Cracked: Know Your Risks</title>
		<link>http://www.imore.com/2009/09/12/gsm-encryption-cracked-risks/</link>
		<comments>http://www.imore.com/2009/09/12/gsm-encryption-cracked-risks/#comments</comments>
		<pubDate>Sun, 13 Sep 2009 01:43:50 +0000</pubDate>
		<dc:creator>Rene Ritchie</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[cracked]]></category>
		<category><![CDATA[exploits]]></category>
		<category><![CDATA[gsm]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.theiphoneblog.com/?p=11608</guid>
		<description><![CDATA[The cracking of GSM "encryption" has been making the <a href="http://www.theregister.co.uk/2009/09/04/gsm_security/">inter-rounds</a> lately, and this week on the Security Now! Podcast, Steve Gibson takes a look at how badly it's broken, and]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.imore.com/images/stories/2009/06/antenna_pointingtoward_pokhara.jpg" alt="antenna_pointingtoward_pokhara" title="antenna_pointingtoward_pokhara" width="300" height="318" class="aligncenter size-full wp-image-9565" /></p>

<p>The cracking of GSM "encryption" has been making the <a href="http://www.theregister.co.uk/2009/09/04/gsm_security/">inter-rounds</a> lately, and this week on the Security Now! Podcast, Steve Gibson takes a look at how badly it's broken, and what the potential risks are. In simple terms, it means what you say on your iPhone -- or any GSM phone, which includes all phones on AT&amp;T, T-Mobile, Rogers, and almost all phones internationally -- can be intercepted, decrypted, and listened to if a person has several thousand dollars' worth of equipment and the motivation to do it. In more complex terms:</p>

<blockquote>
  <p>So again, we're now at the hobby level. We're at the level where the hobbyist with a couple thousand dollars can - needs to know nothing about radio and even hardware. And even all of the preprocessing steps for demultiplexing the data and analyzing it and performing spectrum analysis and finding the channels and everything, all of that's been done. There's even some people have taken - they're not at the GPL licensing, but they are - so they're proprietary licenses, but free, but they're open source and free for personal use, where turnkey packages to pull all this data together have been produced. There's even one which abstracts this USRP, this Universal Software Radio Peripheral, making it look like a network device so that Wireshark, our favorite packet capture utility, is able to capture GSM packets and decode them and show you all the bits and all the protocols and everything going on in a stream that you capture.</p>
  
  <p>So, I mean, we're way far along in making this possible. In my opinion, this GSM Alliance is - they're saying what they have to say politically; but, if they really believe what they're saying, that they're in serious denial because this is no longer James Bond government-level sci-fi stuff. It would be entirely possible for a company who wanted to do some surveillance of a competitor to equip a van with some of this equipment, spending only tens of thousands of dollars, park it across the street from a competitor, aim their antennas at the competitor's building, and spend a day just streaming in, sucking in all of the cellphone traffic that is being transacted by the employees within the building, and then drive the van off and decrypt those conversations offline afterwards and find out what was being said. I mean, it is no longer difficult to do. It's entirely possible.</p>
</blockquote>

<p>It should be noted that the GSMA (GSM Alliance) seems to consider this attack <a href="http://www.theregister.co.uk/2009/08/28/mobile_phone_snooping_plan/">theoretical and impractical</a> for now. If you're interested in more, check out the audio podcast [<a href="http://media.grc.com/sn/sn-213.mp3">MP3 link</a>] or the <a href="http://www.grc.com/sn/sn-213.htm">transcript</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2009/09/12/gsm-encryption-cracked-risks/feed/</wfw:commentRss>
		<slash:comments>12</slash:comments>
<enclosure url="http://media.grc.com/sn/sn-213.mp3" length="0" type="audio/mpeg" />
		</item>
		<item>
		<title>Pro Tips: How to Secure Your Jailbroken (or Regular) iPhone Against Hackers</title>
		<link>http://www.imore.com/2009/07/27/pro-tips-secure-jailbroken-regular-iphone-hackers/</link>
		<comments>http://www.imore.com/2009/07/27/pro-tips-secure-jailbroken-regular-iphone-hackers/#comments</comments>
		<pubDate>Mon, 27 Jul 2009 15:24:08 +0000</pubDate>
		<dc:creator>Rene Ritchie</dc:creator>
				<category><![CDATA[Jailbreak Apps]]></category>
		<category><![CDATA[Tips and How-To]]></category>
		<category><![CDATA[black hat]]></category>
		<category><![CDATA[defcon]]></category>
		<category><![CDATA[Dev Team]]></category>
		<category><![CDATA[how-to]]></category>
		<category><![CDATA[jailbreak]]></category>
		<category><![CDATA[Pro Tips]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.theiphoneblog.com/?p=10181</guid>
		<description><![CDATA[<a href="http://www.imore.com/images/stories/2009/06/macbook_stop_jailbreak.jpg"></a>

The <a href="http://www.imore.com/iphone-jailbreak-unlock">Jailbreak and Unlock</a> wizards behind the <a href="http://wikee.iphwn.org/howto:iphones_at_defcon">iPhone DevTeam</a> are off to <a href="http://defcon.org/html/defcon-17/dc-17-index.html">DEFCON 17</a>, the security/hacking convention that juxtaposes <a href="http://www.blackhat.com/">Black Hat 2009</a>, and have provided a set of]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.imore.com/images/stories/2009/06/macbook_stop_jailbreak.jpg"><img src="http://www.imore.com/images/stories/2009/06/macbook_stop_jailbreak-400x240.jpg" alt="macbook_stop_jailbreak" title="macbook_stop_jailbreak" width="400" height="240" class="aligncenter size-medium wp-image-8856" /></a></p>

<p>The <a href="http://www.imore.com/iphone-jailbreak-unlock">Jailbreak and Unlock</a> wizards behind the <a href="http://wikee.iphwn.org/howto:iphones_at_defcon">iPhone DevTeam</a> are off to <a href="http://defcon.org/html/defcon-17/dc-17-index.html">DEFCON 17</a>, the security/hacking convention that juxtaposes <a href="http://www.blackhat.com/">Black Hat 2009</a>, and have provided a set of tips to help those at the conferences (or anywhere really) avoid getting their iPhone hacked into. The tips are really targeted at Jailbroken iPhones, but some cross over to regular iPhone users as well. </p>

<blockquote>
  <p>Disable all your login cookies in Safari. If you use the hotel or conference wifi, it is 100% guaranteed that your traffic will be sniffed. If you allow a web site (like twitter.com) to store your login info in a cookie, and if you connect to that site through a normal http connection, your login info will be exposed. At the very least, you'll end up on the Wall of Sheep. But you'll be giving up your password to anyone else sniffing too.</p>
</blockquote>

<p>They also advise avoiding any public Wi-Fi at hotels, conference centers, airports, etc. (and to tether instead), and either uninstalling or disabling SSH access, or at the very least changing the root and mobile password from Apple's default.</p>

<p>They also provide their suggestions for talks that might interest the iPhone jailbreak community. If anyone attends, let us know how it goes via our <a href="http://forum.theiphoneblog.com/iphone-jailbreak-unlock/">iPhone Jailbreak and Unlock Forum</a>. And if you have more pro tips, <a href="http://www.imore.com/contact/">send them our way</a>!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2009/07/27/pro-tips-secure-jailbroken-regular-iphone-hackers/feed/</wfw:commentRss>
		<slash:comments>17</slash:comments>
		</item>
		<item>
		<title>How To: Recover Your MobileMe Password and Update it Often for Added Security</title>
		<link>http://www.imore.com/2009/07/25/recover-mobileme-password-update-security/</link>
		<comments>http://www.imore.com/2009/07/25/recover-mobileme-password-update-security/#comments</comments>
		<pubDate>Sat, 25 Jul 2009 11:40:27 +0000</pubDate>
		<dc:creator>Rene Ritchie</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[1password]]></category>
		<category><![CDATA[mobileme]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[roboform]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.theiphoneblog.com/?p=10172</guid>
		<description><![CDATA[<a href="http://www.imore.com/images/stories/2009/02/picture-52.png"></a>

Apple has updated their MobileMe News "blog" with a helpful tip for added security, and for when that security necessitates the need for a helpful little reminder.

First up, <a href="http://www.apple.com/mobileme/news/2009/07/updating-your-mobileme-password.html">Apple </a>]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.imore.com/images/stories/2009/02/picture-52.png"><img src="http://www.imore.com/images/stories/2009/02/picture-52-400x295.png" alt="MobileMe WebApp New Look" title="MobileMe WebApp New Look" width="400" height="295" class="aligncenter size-medium wp-image-7273" /></a></p>

<p>Apple has updated their MobileMe News "blog" with a helpful tip for added security, and for when that security necessitates a helpful little reminder.</p>

<p>First up, <a href="http://www.apple.com/mobileme/news/2009/07/updating-your-mobileme-password.html">Apple reminds everyone</a> that even good passwords, left static for too long, grow old and stale. </p>

<blockquote>
  <p>One simple way to increase the security of your life online is to change your account password periodically.</p>
</blockquote>

<p>You can change your MobileMe password via the Account icon, and Apple provides some suggestions for picking good passwords. (Here's ours -- use something long and with lots of numbers and symbols thrown in. Pseudo-random is the best. Use <a href="https://www.grc.com/passwords.htm">GRC.com</a> to generate it, or use a good password manager (I use <a href="http://agilewebsolutions.com/products/1Password">1Password</a> on the Mac, my PC friends recommend <a href="http://www.roboform.com/">RoboForm</a>) to both generate and store lots of logins).</p>

<p>Next up is what to do if you forget your MobileMe password, and it's fairly standard stuff, involving a <a href="http://www.apple.com/mobileme/news/2009/07/your-mobileme-secret-question.html">secret question</a>:</p>

<blockquote>
  <p>Should you ever forget your MobileMe password, go to the MobileMe login page at me.com and click the Forgot password link. You'll be taken to a page and given the option of resetting your password by answering a secret question to establish your identity.</p>
</blockquote>

<p>Pro tip: If you're even a semi-public figure, or just "don't trust anyone", make up a fake history, with fake maiden names, pet names, etc., or anyone who knows your background can hack your account as easily as they did <a href="http://www.imore.com/2009/04/28/mobileme-hackery-salma-hayek-edition/">Salma Hayek</a>'s.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2009/07/25/recover-mobileme-password-update-security/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>iPhone 3GS Hardware Encryption &quot;Useless&quot;?</title>
		<link>http://www.imore.com/2009/07/24/iphone-3gs-hardware-encryption-useless/</link>
		<comments>http://www.imore.com/2009/07/24/iphone-3gs-hardware-encryption-useless/#comments</comments>
		<pubDate>Fri, 24 Jul 2009 11:46:33 +0000</pubDate>
		<dc:creator>Rene Ritchie</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[crack]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[hardware encryption]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.theiphoneblog.com/?p=10156</guid>
		<description><![CDATA[<a href="http://www.imore.com/images/stories/2009/06/macbook_stop_jailbreak.jpg"></a>

<a href="http://www.wired.com/gadgetlab/2009/07/iphone-encryption">Wired.com</a> talks to Jonathan Zdziarski, iPhone developer, hacker, forensics teacher, finder of the <a href="http://www.imore.com/2008/08/08/the-great-app-blacklist-debate/">iPhone kill switch,</a> creator of the <a href="http://www.imore.com/2009/03/10/amber-alert-app-approved-app-store/">AMBER alert</a> app, about the <a href="http://www.imore.com/iphone-3gs">iPhone 3GS</a>' new hardware encryption,]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.imore.com/images/stories/2009/06/macbook_stop_jailbreak.jpg"><img src="http://www.imore.com/images/stories/2009/06/macbook_stop_jailbreak-400x240.jpg" alt="macbook_stop_jailbreak" title="macbook_stop_jailbreak" width="400" height="240" class="aligncenter size-medium wp-image-8856" /></a></p>

<p><a href="http://www.wired.com/gadgetlab/2009/07/iphone-encryption">Wired.com</a> talks to Jonathan Zdziarski, iPhone developer, hacker, forensics teacher, finder of the <a href="http://www.imore.com/2008/08/08/the-great-app-blacklist-debate/">iPhone kill switch,</a> creator of the <a href="http://www.imore.com/2009/03/10/amber-alert-app-approved-app-store/">AMBER alert</a> app, about the <a href="http://www.imore.com/iphone-3gs">iPhone 3GS</a>' new hardware encryption, recently touted as giving <a href="http://www.imore.com/2009/07/21/hardware-encryption-mobileme-give-iphone-consumers-enterpriselevel-security/">consumers "enterprise-class" security</a>. His take? It's implemented so poorly it can be cracked in two minutes, “like storing all your secret messages right next to the secret decoder ring”.</p>

<blockquote>
  <p>To steal an iPhone’s disk image, hackers can use popular jailbreaking tools such as Red Sn0w and Purple Ra1n to install a custom kernel on the phone. Then, the thief can install a Secure Shell (SSH) client to port the iPhone’s raw disk image across SSH onto a computer.</p>
</blockquote>

<p>We've heard before that <a href="http://www.imore.com/jailbreak-and-unlock">Jailbreaking</a> strips away security layers on the iPhone, though that's been in the context of the user's own device. This is using the Jailbreak process to actively get at another device's data.</p>

<p>Is Apple going to change the way they implement their hardware-based iPhone 3GS encryption in light of this? Can the current model be made more robust? And how, if at all, will changes made to keep bad guys out of the iPhone affect users who simply want to gain access to their own iPhones?</p>

<p>[Thanks to Antony for the tip!]</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2009/07/24/iphone-3gs-hardware-encryption-useless/feed/</wfw:commentRss>
		<slash:comments>15</slash:comments>
		</item>
		<item>
		<title>Browser Wars: Opera Mobile Brings Back &quot;Turbo&quot; Boost to Compete with Safari</title>
		<link>http://www.imore.com/2009/07/22/browser-wars-opera-mobile-brings-turbo-boost-compete-safari/</link>
		<comments>http://www.imore.com/2009/07/22/browser-wars-opera-mobile-brings-turbo-boost-compete-safari/#comments</comments>
		<pubDate>Wed, 22 Jul 2009 11:12:34 +0000</pubDate>
		<dc:creator>Rene Ritchie</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[browser battle]]></category>
		<category><![CDATA[opera mobile]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[proxy browers]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[The competition]]></category>
		<category><![CDATA[turbo]]></category>

		<guid isPermaLink="false">http://www.theiphoneblog.com/?p=10100</guid>
		<description><![CDATA[No word yet on whether you get a <a href="http://en.wikipedia.org/wiki/KITT#Features">pocket Hasselhoff to push it for you</a>, but it sounds like Opera Mobile 9.7 is set to bring back the "Turbo"]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.imore.com/images/stories/2009/07/picture-34.png" alt="Turbo Boost" title="Turbo Boost" width="348" height="179" class="aligncenter size-full wp-image-10101" /></p>

<p>No word yet on whether you get a <a href="http://en.wikipedia.org/wiki/KITT#Features">pocket Hasselhoff to push it for you</a>, but it sounds like Opera Mobile 9.7 is set to bring back the "Turbo" boost in an effort to take it to Mobile Safari (and, we presume, WebKit in general as found on the iPhone, Google Chrome lite for Android, Palm Pre, some Nokia devices, etc. etc.... etc...)</p>

<p>Ganging up on the "real internet" browser are our good friends Matt Miller from <a href="http://nokiaexperts.com/s60-browser-good-user-experience/">NokiaExperts.com</a> and Phil Nickinson from <a href="http://www.wpcentral.com/opera-mobile-97-beta-tops-iphones-safari-fellow-smartphone-expert-says">WMExperts.com</a>. Matt explains the concept behind Nokia's blast from the past via his <a href="http://blogs.zdnet.com/cell-phones/?p=1641">ZDNet</a> blog:</p>

<blockquote>
  <p>Turbo mode that supplements the native Opera Mobile browser with the proxy functionality found in Opera Mini. So, with Opera Mobile 9.7 and Turbo mode enabled you get a fully functioning web browser with proxy/server side lifting going on to provide the FASTEST browsing experience currently available on a mobile phone. </p>
</blockquote>

<p>TiPb vaguely remembers proxy and cache tricks from those old spamvertisements promising to quadruple our old dial-up modem speeds. Phil tries to pip us to the proxy post, however:</p>

<p><span id="more-10100"></span></p>

<blockquote>
  <p>OK, this isn't exactly a fair fight, but forget about that for a minute. To the average user it probably doesn't matter whether your browser is being rendered through a proxy, security and privacy implications be damned.</p>
</blockquote>

<p>And he's absolutely right. When those users are stuck on the equivalent of dial-up. Once they -- like iPhone, Android, and Palm Pre users -- get with the equivalent of broadband, well... let's just say we don't get those spamvertisements anymore...</p>

<p>Holding the snark for a moment, it's great to see Opera providing stop gaps for users with slow connections who don't care about privacy or security. Here's hoping the gap stops being necessary to fill quickly, however, and Opera can focus on forward-looking browser technologies, since WebKit doesn't look to be slowing down any time soon.</p>

<p>[Tip o'the browser to Phil for the image inspiration as well!]</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2009/07/22/browser-wars-opera-mobile-brings-turbo-boost-compete-safari/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Quick App: SplashID for iPhone - Save that Important Data Securely</title>
		<link>http://www.imore.com/2009/07/21/quick-app-spash-id-save-that-important-data-securely/</link>
		<comments>http://www.imore.com/2009/07/21/quick-app-spash-id-save-that-important-data-securely/#comments</comments>
		<pubDate>Tue, 21 Jul 2009 17:30:51 +0000</pubDate>
		<dc:creator>Chad Garrett</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[quick app]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[splashdata]]></category>

		<guid isPermaLink="false">http://www.theiphoneblog.com/?p=10031</guid>
		<description><![CDATA[SplashID [$4.99 - <a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewSoftware?id=284334840&#38;mt=8">iTunes link</a>] is an app for the iPhone and iPod touch that provides a great  place to store your data securely with a password. Just how]]></description>
			<content:encoded><![CDATA[<p><img class="aligncenter size-medium wp-image-10033" title="picture-002" src="http://www.imore.com/images/stories/2009/07/picture-002-266x400.png" alt="picture-002" width="266" height="400" /></p>

<p>SplashID [$4.99 - <a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewSoftware?id=284334840&amp;mt=8">iTunes link</a>] is an app for the iPhone and iPod touch that provides a great place to store your data securely with a password. Just how secure is it? Super secure. <a href="http://splashdata.com/splashid/blowfish.htm">256-bit Blowfish secure</a>.</p>

<p>I have used SplashID for years on the Palm OS. I was so excited to see that SplashData brought SplashID to the iPhone last year as I was easily able to port my old files over to the iPhone using their <a href="http://splashdata.com/splashid/desktop/index.htm">desktop companion app</a>.</p>

<p>So what does SplashID do for you? A lot, let's take a look after the break!<span id="more-10031"></span></p>

<p>First, you can choose what type of password you would like to use: a simple 4-digit PIN or a longer password; it's your choice. Of course, there is nothing more irritating than having to keep entering your password into SplashID as you go back and forth between it and another app. There is a feature that allows you to suspend the locking feature for a period from 1 minute to 30 minutes.</p>

<p>You can organize your data in SplashID into several categories, from software serial numbers to airline frequent flyer miles to your family's social security numbers, for quick reference. When you are dealing with sensitive data, you can also choose to mask certain fields to hide the data from the roaming eyes of casual observers.</p>

<p>Not only do you have the ability to customize your categories, but you can choose a theme and view for your data as well. You can pick row colors and choose between a list or panel view. I am personally partial to the panel view as it groups your items by category type instead of a list. Depending on the volume of entries you have, the list can get a little unwieldy. To help those who store a lot of information in SplashID, there is a very convenient "Most Viewed" button to access the info you view most frequently. If you have a hard time viewing the information in portrait mode, you can rotate to landscape too!</p>

<p>If you need to share any information, you can quickly do so by using the email feature. With the tap of a button on screen, you can send information via email. One way I use this feature is to email my SSID information and password to friends that are visiting my house so they can get on the network (no I don't have the new Airport Extreme with guest access <img src='http://www.imore.com/wp-includes/images/smilies/icon_sad.gif' alt=':-(' class='wp-smiley' /> ). You can also send the information as a secure file to another SplashID account!</p>

<p>I could really go on and on about SplashID since I have been using it for years. The added value of the companion desktop app ($19.99) is of additional benefit as your data is always safe, backed-up and accessible from your Mac/PC and your iPhone.</p>

<p>If you need something more than a simple password manager and need a tool to manage all of your sensitive information, look no further than SplashID for iPhone! </p>



]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2009/07/21/quick-app-spash-id-save-that-important-data-securely/feed/</wfw:commentRss>
		<slash:comments>11</slash:comments>
		</item>
		<item>
		<title>Hardware Encryption and MobileMe Give iPhone Consumers Enterprise-level Security</title>
		<link>http://www.imore.com/2009/07/21/hardware-encryption-mobileme-give-iphone-consumers-enterpriselevel-security/</link>
		<comments>http://www.imore.com/2009/07/21/hardware-encryption-mobileme-give-iphone-consumers-enterpriselevel-security/#comments</comments>
		<pubDate>Tue, 21 Jul 2009 12:28:41 +0000</pubDate>
		<dc:creator>Rene Ritchie</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[hardware encryption]]></category>
		<category><![CDATA[passcode]]></category>
		<category><![CDATA[remote wipe]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.theiphoneblog.com/?p=10070</guid>
		<description><![CDATA[<a href="http://db.tidbits.com/article/10416">TidBITS</a> has an interesting write-up on the various security features of <a href="http://www.imore.com/iphone-30">iPhone 3.0</a> in general, and the 256-bit AES hardware encryption of <a href="http://www.imore.com/iphone-3gs">iPhone 3GS</a> in particular, and how combined together:]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.imore.com/images/stories/2009/03/iphone_oled.jpg" alt="iphone_oled" title="iphone_oled" width="300" height="315" class="aligncenter size-full wp-image-7642" /></p>

<p><a href="http://db.tidbits.com/article/10416">TidBITS</a> has an interesting write-up on the various security features of <a href="http://www.imore.com/iphone-30">iPhone 3.0</a> in general, and the 256-bit AES hardware encryption of <a href="http://www.imore.com/iphone-3gs">iPhone 3GS</a> in particular, and how combined together:</p>

<blockquote>
  <p>consumers can now experience enterprise-class security.</p>
</blockquote>

<p>They cover passcode lock, data erase, remote wipe, lack of insecure external data cards, frequent and easy to install software updates/security patches, and (encrypted) backups that can restore your data if your device is accidentally wiped. Definitely worth a read if you tend towards the security conscious.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2009/07/21/hardware-encryption-mobileme-give-iphone-consumers-enterpriselevel-security/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Jailbroken iPhones - Security Risk?</title>
		<link>http://www.imore.com/2009/07/03/jailbroken-iphones-security-risk/</link>
		<comments>http://www.imore.com/2009/07/03/jailbroken-iphones-security-risk/#comments</comments>
		<pubDate>Fri, 03 Jul 2009 15:53:29 +0000</pubDate>
		<dc:creator>Jeremy Sikora</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[charlie miller]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[jailbreak]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.theiphoneblog.com/?p=9719</guid>
		<description><![CDATA[Turns out that if you jailbreak your iPhone you remove most of Apple's security protections -- 80% to be exact -- and are vulnerable to attacks. At least according]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.imore.com/images/stories/2009/07/sadpirate.png" alt="sadpirate" title="sadpirate" width="273" height="336" class="aligncenter size-full wp-image-9720" /></p>

<p>Turns out that if you jailbreak your iPhone you remove most of Apple's security protections -- 80% to be exact -- and are vulnerable to attacks. At least according to <a href="http://www.imore.com/tag/charlie-miller/">Charlie Miller</a>:</p>

<blockquote>
  <p>“If you care about security, don’t use a jailbroken iPhone,” </p>
</blockquote>

<p>Miller, speaking at SyScan in Singapore, believes that by jailbreaking you open your device to some major risks. The operating system on an iPhone is basically a watered down version of Mac OS X. For those of you who are unfamiliar with Macs, Mac OS X is the latest OS that Apple computers run. Macs are generally known as pretty risk-free machines, with a few exceptions: Java, Adobe Flash, and PDF files. The major risk on the iPhone is opening your device up to any application available on Cydia/Icy. iPhones will generally only run applications that are digitally signed by Apple; this is not the case when jailbroken. So if you don't know what you are installing, there is a possibility you can be in for a world of hurt.</p>

<p>Of course just a few hours ago Rene told you about the huge <a href="http://www.imore.com/2009/07/03/ihacker-charlie-discloses-iphone-sms-security-vulnerability/">vulnerability within the iPhone's SMS application</a> that Charlie found, so nothing is completely safe.</p>

<p>Does this scare you away from jailbreaking your iPhone? Perhaps you are thinking about doing a restore and going legit from now on? Let us know if this warning from Charlie sways you to avoid the jailbreaking life!</p>

<p>[<em>Via <a href="http://www.macworld.com/article/141506/2009/07/jailbreak_security.html">Macworld</a></em>]</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2009/07/03/jailbroken-iphones-security-risk/feed/</wfw:commentRss>
		<slash:comments>47</slash:comments>
		</item>
		<item>
		<title>iHacker Charlie Discloses iPhone SMS Security Vulnerability</title>
		<link>http://www.imore.com/2009/07/03/ihacker-charlie-discloses-iphone-sms-security-vulnerability/</link>
		<comments>http://www.imore.com/2009/07/03/ihacker-charlie-discloses-iphone-sms-security-vulnerability/#comments</comments>
		<pubDate>Fri, 03 Jul 2009 11:12:25 +0000</pubDate>
		<dc:creator>Rene Ritchie</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[black hat]]></category>
		<category><![CDATA[charlie miller]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[hackery]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[sms]]></category>

		<guid isPermaLink="false">http://www.theiphoneblog.com/?p=9713</guid>
		<description><![CDATA[<a href="http://www.imore.com/images/stories/2009/07/hacking-into-iphone-sms.png"></a>

In an ideal world, Mac and iPhone hacker <a href="http://www.imore.com/tag/charlie-miller">Charlie Miller</a> would discover vulnerabilities, inform Apple, and Apple would then patch them before they had any chance of being exploited "in]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.imore.com/images/stories/2009/07/hacking-into-iphone-sms.png"><img src="http://www.imore.com/images/stories/2009/07/hacking-into-iphone-sms-266x400.png" alt="hacking-into-iphone-sms" title="hacking-into-iphone-sms" width="266" height="400" class="aligncenter size-medium wp-image-9714" /></a></p>

<p>In an ideal world, Mac and iPhone hacker <a href="http://www.imore.com/tag/charlie-miller">Charlie Miller</a> would discover vulnerabilities, inform Apple, and Apple would then patch them before they had any chance of being exploited "in the wild".</p>

<p>Miller, however, prefers to keep them to himself so he can win MacBooks and detail them at Black Hat conferences. The good of the hacker obviously outweighs the good of the users, every one. So be it.</p>

<p>Miller's latest iPhone-related find was disclosed at SyScan in Singapore:</p>

<blockquote>
  <p>a hole that would let attackers "run software code on the phone that is sent by SMS over a mobile operator's network in order to monitor the location of the phone using GPS, turn on the phone's microphone to eavesdrop on conversations, or make the phone join a distributed denial of service attack or a botnet." </p>
</blockquote>

<p>Apple, for their part, is hoping to have this patched before Miller's upcoming Black Hat gig.</p>

<p>We hope so too.</p>

<p>[via <a href="http://www.engadget.com/2009/07/02/apple-patching-nasty-iphone-sms-vulnerability/">Engadget</a>. Thanks Travis for the tip!]</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2009/07/03/ihacker-charlie-discloses-iphone-sms-security-vulnerability/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>TiPb Give-Away 3.0: 1Password Pro for iPhone</title>
		<link>http://www.imore.com/2009/06/17/tipb-giveaway-30-1password-pro-iphone/</link>
		<comments>http://www.imore.com/2009/06/17/tipb-giveaway-30-1password-pro-iphone/#comments</comments>
		<pubDate>Thu, 18 Jun 2009 03:31:19 +0000</pubDate>
		<dc:creator>Rene Ritchie</dc:creator>
				<category><![CDATA[App Store Apps]]></category>
		<category><![CDATA[1password pro]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.theiphoneblog.com/?p=9339</guid>
		<description><![CDATA[I've said it before and I'll say it again (and again), 1Password is the first app I launch when I (re-)install a Mac, and the first iPhone (and iPod touch)]]></description>
			<content:encoded><![CDATA[<p><object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/-lcn3IU6UlY&#038;rel=0&#038;color1=0xb1b1b1&#038;color2=0xcfcfcf&#038;feature=player_profilepage&#038;fs=1"></param><param name="allowFullScreen" value="true"></param><param name="allowScriptAccess" value="always"></param><embed src="http://www.youtube.com/v/-lcn3IU6UlY&#038;rel=0&#038;color1=0xb1b1b1&#038;color2=0xcfcfcf&#038;feature=player_profilepage&#038;fs=1" type="application/x-shockwave-flash" allowfullscreen="true" allowScriptAccess="always" width="425" height="344"></embed></object></p>

<p>I've said it before and I'll say it again (and again), 1Password is the first app I launch when I (re-)install a Mac, and the first iPhone (and iPod touch) app I go to any time I even think about logging in to a secure website or using credit card data. It's one of my all-time favorites, and it's just gone Pro.</p>

<p>The video above shows off the new <a href="http://www.imore.com/2009/06/17/iphone-30-software-walkthrough/">iPhone 3.0</a> support in 1Password Pro 2.1, and the ability to extend secure logins out of the embedded browser and into Mobile Safari is very welcome. Better yet, the fine folks at <a href="http://agile.ws/products/iphone">Agile Web Solutions</a> promise even more features are coming soon.</p>

<p>Available now via the <a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewArtist?id=285897621">iTunes App Store</a> at a special introductory price of $5.99, and because Agile is awesome, they've given us <strong>ten (10) promo codes</strong> to give away to <strong>you</strong>.</p>

<p>Want one? <a href="http://forum.theiphoneblog.com/iphone-apps-games/173021-tipb-give-away-3-0-1password-pro-iphone.html">Get over to the forums</a> and tell us the lamest, most insecure, and useless password you can imagine. And ten of you will get free copies of the strong, secure, incredibly useful 1Password Pro in return.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2009/06/17/tipb-giveaway-30-1password-pro-iphone/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>QuickApp: Verisign Identity Protection for iPhone</title>
		<link>http://www.imore.com/2009/05/11/quickapp-verisign-identity-protection-iphone/</link>
		<comments>http://www.imore.com/2009/05/11/quickapp-verisign-identity-protection-iphone/#comments</comments>
		<pubDate>Mon, 11 May 2009 14:23:39 +0000</pubDate>
		<dc:creator>Rene Ritchie</dc:creator>
				<category><![CDATA[App Store Apps]]></category>
		<category><![CDATA[ebay]]></category>
		<category><![CDATA[paypal]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[verisign]]></category>

		<guid isPermaLink="false">http://www.theiphoneblog.com/?p=8341</guid>
		<description><![CDATA[Frequent user of sites like eBay, PayPal, AOL, or GEICO, paranoid about security, understand terms like multi-factor authentication, and don't want to carry a football, card-based generator, or other extra]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.imore.com/images/stories/2009/05/vip_iphone.jpg" alt="" title="vip_iphone" width="283" height="505" class="aligncenter size-full wp-image-8342" /></p>

<p>Frequent user of sites like eBay, PayPal, AOL, or GEICO, paranoid about security, understand terms like multi-factor authentication, and don't want to carry a football, card-based generator, or other extra dongle around with you? If you live in the US, VeriSign has an iPhone App for you.</p>

<p><a href="http://blogs.verisign.com/identity/2009/03/verisign-iphone-app-protects-identity.php">Verisign iPhone (VIP) Access</a> is available for free via the <a href="http://www.itunes.com/app/vipaccess">iTunes App Store</a>. If you're using it, let us know how it's working for you...</p>

<p>[via <a href="http://www.grc.com/sn/sn-194.htm">Security Now!</a>]</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2009/05/11/quickapp-verisign-identity-protection-iphone/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Infamous Safari Security Cracker Finds Vulnerability-ish in iPhone OS?</title>
		<link>http://www.imore.com/2009/04/18/infamous-safari-security-cracker-finds-vulnerabilityish-iphone-os/</link>
		<comments>http://www.imore.com/2009/04/18/infamous-safari-security-cracker-finds-vulnerabilityish-iphone-os/#comments</comments>
		<pubDate>Sat, 18 Apr 2009 14:04:25 +0000</pubDate>
		<dc:creator>Rene Ritchie</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[charlie miller]]></category>
		<category><![CDATA[exploits]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[vulnerabilities]]></category>

		<guid isPermaLink="false">http://www.theiphoneblog.com/?p=8120</guid>
		<description><![CDATA[Very little code is bullet-proof. Hackers will always find holes. The worst holes will be critical. The worst hacks will be zero-day and found in the wild -- catching companies]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.imore.com/images/stories/2008/11/macbook_stop_jailbreak.jpg" alt="" title="macbook_stop_jailbreak" width="500" height="300" class="aligncenter size-full wp-image-5295" /></p>

<p>Very little code is bullet-proof. Hackers will always find holes. The worst holes will be critical. The worst hacks will be zero-day and found in the wild -- catching companies and users both by surprise.</p>

<p>Not sure we have any of that here. <a href="http://www.macworld.com/article/140039/2009/04/iphone_vulnerability.html">Macworld</a> does report that, at the Black Hat Europe Security Conference, former NSA number cruncher Charlie Miller -- who has rolled his ability to find exploits in the Mac version of Apple's Safari Browser into tens of thousands of dollars and a couple free MacBooks at the annual <a href="http://www.imore.com/2009/02/28/free-iphone-10000-prize-pwn2own/">Pwn2Own</a> contest -- claims to have:</p>

<blockquote>
  <p>...found a way to trick the iPhone into running code that enables shellcode. To run shellcode on an iPhone, however, an attacker would first need a working exploit for an iPhone, or a way to target some software vulnerability in, for example, the Safari Web browser or the mobile’s operating system. Miller said he doesn’t have one now.</p>
</blockquote>

<p>Miller previously gained attention for a <a href="http://www.imore.com/2007/08/21/interview-with-charlie-miller/">Mobile Safari exploit</a> that made for some quick early jailbreaking and led to Apple patching the problem in firmware 1.0.1.</p>

<p>What's particularly disturbing, however, is that Miller also says he's unsure whether or not Apple knows about the potential vulnerability.</p>

<p>He should know that absolutely dead cold, of course. He should have told Apple <em>long</em> before he made the information public, and only made the information public when Apple had a fix rolled out or ignored his warnings for so long that public pressure could reasonably be considered the only option in getting them to roll out a fix.</p>

<p>Either way, Miller should <em>know</em> that Apple <em>knows</em> because he <em>told</em> them <em>first</em>. Or do we no longer warn people in a house when we see a potential fire starting, but wait and see how much attention and cash we can get for the info first?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2009/04/18/infamous-safari-security-cracker-finds-vulnerabilityish-iphone-os/feed/</wfw:commentRss>
		<slash:comments>11</slash:comments>
		</item>
		<item>
		<title>iPhone 3.0: Mobile Safari Gets Enhanced Security Certificate Visualization</title>
		<link>http://www.imore.com/2009/03/31/iphone-30-mobile-safari-enhanced-security-certificate-visualization/</link>
		<comments>http://www.imore.com/2009/03/31/iphone-30-mobile-safari-enhanced-security-certificate-visualization/#comments</comments>
		<pubDate>Tue, 31 Mar 2009 16:04:15 +0000</pubDate>
		<dc:creator>Rene Ritchie</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[3.0]]></category>
		<category><![CDATA[anti-phishing]]></category>
		<category><![CDATA[enhanced security certificates]]></category>
		<category><![CDATA[iphone 3.0]]></category>
		<category><![CDATA[iphone OS 3.0]]></category>
		<category><![CDATA[Safari]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.theiphoneblog.com/?p=7863</guid>
		<description><![CDATA[<a href='http://www.imore.com/images/stories/2009/03/iphone_30_safari_enhanced_certificates.jpg'></a>

Looks like another desktop Safari 4 Beta feature has found its way into the <a href="http://www.imore.com/2009/03/23/preview-iphone-os-30-beta-1-software-walkthrough/">iPhone 3.0</a> version of the browser. Now, when you go to a site with an enhanced]]></description>
			<content:encoded><![CDATA[<p><a href='http://www.imore.com/images/stories/2009/03/iphone_30_safari_enhanced_certificates.jpg'><img src="http://www.imore.com/images/stories/2009/03/iphone_30_safari_enhanced_certificates-320x400.jpg" alt="" title="iphone_30_safari_enhanced_certificates" width="320" height="400" class="aligncenter size-medium wp-image-7864" /></a></p>

<p>Looks like another desktop Safari 4 Beta feature has found its way into the <a href="http://www.imore.com/2009/03/23/preview-iphone-os-30-beta-1-software-walkthrough/">iPhone 3.0</a> version of the browser. Now, when you go to a site with an enhanced security certificate, the text on top of the browser turns green (like the green bar, we get it!), with a little green lock icon beside it, and the name of the certificate's trusted organization. For example, the above screenshots show how Apple's order status page looks on iPhone 2.2.1 (top right) and iPhone 3.0.</p>

<p>What does this mean for users? In an age of increased <a href="http://theiphoneblog.com/tag/phishing">phishing</a> attacks, where bad sites try to trick you into thinking they're your bank or shop and steal your login or credit card info, this is one more visual cue in your assessment process for determining if you can trust that the website is what it says it is.</p>

<p>Come iPhone 3.0, look for the green text on top of Safari and carefully check to make sure the company it identifies is the one you want to be dealing with.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2009/03/31/iphone-30-mobile-safari-enhanced-security-certificate-visualization/feed/</wfw:commentRss>
		<slash:comments>12</slash:comments>
		</item>
		<item>
		<title>Patent Watch: Apple Exploring Advanced Unlocking for Future iPhones?</title>
		<link>http://www.imore.com/2009/03/27/patent-watch-apple-exploring-advanced-unlocking-future-iphones/</link>
		<comments>http://www.imore.com/2009/03/27/patent-watch-apple-exploring-advanced-unlocking-future-iphones/#comments</comments>
		<pubDate>Fri, 27 Mar 2009 15:45:10 +0000</pubDate>
		<dc:creator>Rene Ritchie</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[authentication]]></category>
		<category><![CDATA[biometrics]]></category>
		<category><![CDATA[facial recognition]]></category>
		<category><![CDATA[patent-watch]]></category>
		<category><![CDATA[patents-pending]]></category>
		<category><![CDATA[pattern matching]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.theiphoneblog.com/?p=7807</guid>
		<description><![CDATA[<a href='http://www.imore.com/images/stories/2009/03/iphonebiometric-1.png'></a>

No, not unlocking the iPhone from AT&#38;T (JAR!), unlocking the iPhone so you can use it. Slide to unlock, passcode unlock, that kind of unlock. Okay, now if you're still]]></description>
			<content:encoded><![CDATA[<p><a href='http://www.imore.com/images/stories/2009/03/iphonebiometric-1.png'><img src="http://www.imore.com/images/stories/2009/03/iphonebiometric-1-399x266.png" alt="" title="iphonebiometric-1" width="399" height="266" class="aligncenter size-medium wp-image-7808" /></a></p>

<p>No, not unlocking the iPhone from AT&amp;T (JAR!), unlocking the iPhone so you can use it. Slide to unlock, passcode unlock, that kind of unlock. Okay, now if you're still reading, <a href="http://www.appleinsider.com/articles/09/03/27/apple_developing_stealth_biometric_security_for_iphone.html">Apple Insider</a> has found some patent filings that suggest Apple is exploring things like biometrics (i.e. it reads your fingerprint while you slide to unlock), facial recognition (i.e. uses the camera to analyze who you are/might be) and pattern matching (i.e. choose unique shape combinations as a passcode). But it doesn't stop there:</p>

<blockquote>
  <p>Apple goes so far as to suggest the possibility of recognizing the user's distinctive voice or even collecting DNA samples to recognize a user's genetic sequence. Biometrics could also be context-sensitive and detect the shape of a user's ear before allowing a call to go through, for example.</p>
</blockquote>

<p>Of course, <a href="http://www.imore.com/tag/patent-watch/">many, many Apple iPhone patents have yet to see the light of day</a>, so there's no telling when, if ever, this functionality will be built into future iPhones. Still, it's always nice to see Apple is working on possibilities for those future iPhones.</p>

<p>But we have to admit, some of this is just <em>so</em> sci-fi we kinda want to see if they can really do it...</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2009/03/27/patent-watch-apple-exploring-advanced-unlocking-future-iphones/feed/</wfw:commentRss>
		<slash:comments>13</slash:comments>
		</item>
		<item>
		<title>Want a Free iPhone and $10,000 Prize? Pwn2Own it!</title>
		<link>http://www.imore.com/2009/02/28/free-iphone-10000-prize-pwn2own/</link>
		<comments>http://www.imore.com/2009/02/28/free-iphone-10000-prize-pwn2own/#comments</comments>
		<pubDate>Sat, 28 Feb 2009 14:21:55 +0000</pubDate>
		<dc:creator>Rene Ritchie</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[pwn2own]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[vulnerability]]></category>

		<guid isPermaLink="false">http://www.theiphoneblog.com/?p=7305</guid>
		<description><![CDATA[<a href="http://dvlabs.tippingpoint.com/blog/2009/02/25/pwn2own-2009">Pwn2Own</a> is a hacking contest which in previous years demanded OS exploits on day one, allowed browser vectors on day two (how OS X was compromised last year -- thanks]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.imore.com/images/stories/2008/11/macbook_stop_jailbreak.jpg" alt="" title="macbook_stop_jailbreak" width="500" height="300" class="aligncenter size-full wp-image-5295" /></p>

<p><a href="http://dvlabs.tippingpoint.com/blog/2009/02/25/pwn2own-2009">Pwn2Own</a> is a hacking contest which in previous years demanded OS exploits on day one, allowed browser vectors on day two (how OS X was compromised last year -- thanks Safari!), and opened the floodgates with 3rd party bugware on day three. First person to successfully hack a machine won it as a prize, along with a nice cash bounty for their troubles.</p>

<p>This year, <a href="http://arstechnica.com/gadgets/news/2009/02/pwn2own-contest-will-target-browsers-and-mobile-devices.ars">Ars Technica</a> says Pwn2Own is doing something a little different: they're bringing in the mobiles!</p>

<p>Apple's iPhone is front and center on their target list, along with the Google Android G1, and devices from the BlackBerry, Symbian, and Windows Phone families. Pwn the mobile and you not only win it, but $10,000 to boot!</p>

<p>Not a lot of solid info on the rules yet, but we'll keep a look out. Any white hats out there eager to try their luck?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2009/02/28/free-iphone-10000-prize-pwn2own/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>Yet Another MobileMe Phishing Scam</title>
		<link>http://www.imore.com/2009/02/26/mobileme-phishing-scam/</link>
		<comments>http://www.imore.com/2009/02/26/mobileme-phishing-scam/#comments</comments>
		<pubDate>Thu, 26 Feb 2009 14:27:56 +0000</pubDate>
		<dc:creator>Rene Ritchie</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[mobileme]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.theiphoneblog.com/?p=7284</guid>
		<description><![CDATA[<a href='http://www.imore.com/images/stories/2009/02/mobileme-00225-3.png'></a>

Stealing credit card information is big business so perhaps it should come as no surprise that we're seeing so many phishing attacks targeted at even niche services like MobileMe. We've]]></description>
			<content:encoded><![CDATA[<p><a href='http://www.imore.com/images/stories/2009/02/mobileme-00225-3.png'><img src="http://www.imore.com/images/stories/2009/02/mobileme-00225-3-400x341.png" alt="" title="mobileme-00225-3" width="400" height="341" class="aligncenter size-medium wp-image-7285" /></a></p>

<p>Stealing credit card information is big business so perhaps it should come as no surprise that we're seeing so many phishing attacks targeted at even niche services like MobileMe. We've <a href="http://www.imore.com/tag/phishing">reported on a bunch of them</a> already, and this latest one is just more of the same.</p>

<p>If you get an email warning you about the status of your account, asking you to verify billing info, or basically asking you anything at all, NEVER click on the link. Always launch your web browser and type in the main URL by hand (i.e. don't click on the email's "Login" button, go to Firefox or Safari and type in "http://www.me.com/"). (And yes, DNS can be cache poisoned and localhosts can be over-written, but depending how valuable a target you are and how much time you want to invest in proofing yourself, manually entering URLs is a good compromise between convenience and security.)</p>

<p><a href="http://www.appleinsider.com/articles/09/02/26/new_phishing_scam_targets_mobileme_users.html">Apple Insider</a> has all the details for those who want them. Surf safe!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2009/02/26/mobileme-phishing-scam/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>iPhone 2.2 + Security Patch to Hit Tomorrow?!</title>
		<link>http://www.imore.com/2008/11/20/iphone-22-security-patch-hit-tomorrow/</link>
		<comments>http://www.imore.com/2008/11/20/iphone-22-security-patch-hit-tomorrow/#comments</comments>
		<pubDate>Thu, 20 Nov 2008 21:56:19 +0000</pubDate>
		<dc:creator>Rene Ritchie</dc:creator>
				<category><![CDATA[Rumors]]></category>
		<category><![CDATA[2.2]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[firmware 2.2]]></category>
		<category><![CDATA[iphone 2.2]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.theiphoneblog.com/?p=5561</guid>
		<description><![CDATA[<a href="http://www.macrumors.com/2008/11/20/iphone-vulnerability-fix-coming-on-november-21st-in-firmware-2-2/">Macrumors</a> is quoting <a href="http://www.spiegel.de/netzwelt/mobil/0,1518,591707,00.html">Spiegel.de</a> as saying both that a new security flaw has been found in iPhone OS 2.1, and that a patch will be included in iPhone OS]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.imore.com/images/stories/2008/09/iphone_2-2.jpg" alt="" title="iPhone Firmware 2.2" width="350" height="197" class="aligncenter size-full wp-image-4606" /></p>

<p><a href="http://www.macrumors.com/2008/11/20/iphone-vulnerability-fix-coming-on-november-21st-in-firmware-2-2/">Macrumors</a> is quoting <a href="http://www.spiegel.de/netzwelt/mobil/0,1518,591707,00.html">Spiegel.de</a> as saying both that a new security flaw has been found in iPhone OS 2.1, and that a patch will be included in iPhone OS 2.2 due to drop... tomorrow?!</p>

<blockquote>[A] newly announced iPhone vulnerability that can force a (potentially expensive) phone call to be made simply by visiting a webpage in Safari... SIT reports that they notified Apple of the issue a month ago and that a fix will become available on November 21st through a firmware upgrade. </blockquote>

<p>We've already <a href="http://www.imore.com/2008/11/11/rumor-iphone-os-22-10-days/">run down the other new features rumored to be included in 2.2</a>, so now we just sit by iTunes, hit the Update button, and wait (unless you've jailbroken, then remember to <a href="http://www.imore.com/2008/11/17/dev-team-warning-future-unlockers-update-22/">steer clear</a>!)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2008/11/20/iphone-22-security-patch-hit-tomorrow/feed/</wfw:commentRss>
		<slash:comments>14</slash:comments>
		</item>
		<item>
		<title>ZOMG! Ziphone Dude Crashing iPhones With Malicious Audio Code?</title>
		<link>http://www.imore.com/2008/11/03/zomg-ziphone-dude-crashing-iphones-malicious-audio-code/</link>
		<comments>http://www.imore.com/2008/11/03/zomg-ziphone-dude-crashing-iphones-malicious-audio-code/#comments</comments>
		<pubDate>Mon, 03 Nov 2008 23:11:26 +0000</pubDate>
		<dc:creator>Rene Ritchie</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[ziphone]]></category>

		<guid isPermaLink="false">http://www.theiphoneblog.com/?p=5286</guid>
		<description><![CDATA[<a href="http://www.forbes.com/technology/2008/11/03/apple-iphone-bug-tech-security-cz_tb_1103iphone.html">Forbes.com</a> (via <a href="http://www.tuaw.com/2008/11/03/ziphone-author-demos-iphone-crash-to-forbes/">TUAW</a>) is claiming Ziphone jailbreak author Piergiorgio Zambrini has found a way to crash the iPhone (and other computer systems, according to Zambrini's own <a href="http://www.zibri.org/2008_10_26_archive.html#6408091360728069954">website</a>) using]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.imore.com/images/stories/2008/08/sadpirate.png" alt="" title="sadpirate" width="273" height="336" class="aligncenter size-full wp-image-3641" /></p>

<p><a href="http://www.forbes.com/technology/2008/11/03/apple-iphone-bug-tech-security-cz_tb_1103iphone.html">Forbes.com</a> (via <a href="http://www.tuaw.com/2008/11/03/ziphone-author-demos-iphone-crash-to-forbes/">TUAW</a>) is claiming Ziphone jailbreak author Piergiorgio Zambrini has found a way to crash the iPhone (and other computer systems, according to Zambrini's own <a href="http://www.zibri.org/2008_10_26_archive.html#6408091360728069954">website</a>) using specially crafted video files:</p>

<blockquote>The bug Zambrini found is in the audio portion of Apple's video format. Knowing the bug exists, someone could write a program that incorporates the bug into a video file and trigger a crash whenever an iPhone attempts to run that file. The bug, which is located in a shared code library that is used across most Apple operating systems and some Linux ones as well, doesn't appear to cause any permanent damage, but immediately sends the device into a panic that leads to a lengthy reboot.</blockquote>

<p>Since it crashed the device and not just the app, one security expert quoted feels it's a kernel vulnerability that's been discovered. Zambrini, who paradoxically claims both to have applied for a job with Apple's security team and that working for Apple is not his goal, is apparently exploring the vulnerability as a way to inject malicious code.</p>

<p>Lovely.</p>

<p>Howsabout next time we be a little more responsible and keep the information confidential, alerting only the OS makers involved, giving them a reasonable amount of time to patch the problem before we put real world end-users at risk by alerting bad guys to potential exploits, b'okay?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2008/11/03/zomg-ziphone-dude-crashing-iphones-malicious-audio-code/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>iPhone 2.1 Bug Watch: SMS Security and Mail Phishing/Spamming</title>
		<link>http://www.imore.com/2008/10/06/iphone-21-bug-watch-sms-security-and-mail-phishingspamming/</link>
		<comments>http://www.imore.com/2008/10/06/iphone-21-bug-watch-sms-security-and-mail-phishingspamming/#comments</comments>
		<pubDate>Mon, 06 Oct 2008 16:55:16 +0000</pubDate>
		<dc:creator>Rene Ritchie</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[2.1]]></category>
		<category><![CDATA[bugs]]></category>
		<category><![CDATA[iphone 2.1]]></category>
		<category><![CDATA[mail]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[sms]]></category>

		<guid isPermaLink="false">http://www.theiphoneblog.com/?p=4744</guid>
		<description><![CDATA[<a href='http://www.imore.com/images/stories/2008/10/rowid-varchar12-screenshot-2008-10-03-083736-0500-1.png'></a>

Reader Karl writes in to let us know his twelve year old son discovered a <a href="http://www.karlkraft.com/index.php/2008/10/03/yet-another-iphone-emergency-call-security-bug/#more-105">glitch in SMS security</a>:

<blockquote>Being security conscious he turned on the passcode lock and </blockquote>]]></description>
			<content:encoded><![CDATA[<p><a href='http://www.imore.com/images/stories/2008/10/rowid-varchar12-screenshot-2008-10-03-083736-0500-1.png'><img src="http://www.imore.com/images/stories/2008/10/rowid-varchar12-screenshot-2008-10-03-083736-0500-1.png" alt="" title="rowid-varchar12-screenshot-2008-10-03-083736-0500-1" width="266" height="400" class="aligncenter size-medium wp-image-4745" /></a></p>

<p>Reader Karl writes in to let us know his twelve year old son discovered a <a href="http://www.karlkraft.com/index.php/2008/10/03/yet-another-iphone-emergency-call-security-bug/#more-105">glitch in SMS security</a>:</p>

<blockquote>Being security conscious he turned on the passcode lock and disabled SMS Preview. [...] If a message is received during the passcode entry or while the screen is locked, a generic message of “New Text Message” appears, to prevent viewing of messages without unlocking the phone. [...] If however the phone is placed in emergency call mode, any incoming SMS messages are previewed instead of presented as the generic messages.</blockquote>

<p>Next come two issues concerning the implementation choices Apple made in the iPhone Mobile Mail client. According to <a href="http://arstechnica.com/journals/apple.ars/2008/10/03/apple-snoozes-researcher-discloses-risky-iphone-ui-flaws">Ars Technica</a>, as disclosed by <a href="http://aviv.raffon.net/2008/10/02/HappyNewYear.aspx">Aviv Raff</a>, the first involves the way Mail truncates URLs for display on the iPhone. If a malicious URL is properly crafted by an attacker, the truncation can make a fake URL non-obvious to users, and thus more likely to result in phishing.</p>

<p>The second results from the lack of an option to display images in the full HTML Mobile Mail client. Since images are automatically displayed, spammers can gain confirmation that the email account that received it is active and ripe for spam attack.</p>

<p>As always, malicious attacks evolve and propagate at an alarming rate, and while we hope Apple fixes these immediately if not sooner, the onus is ultimately and always on us end users to pay attention and do everything we can to avoid them.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2008/10/06/iphone-21-bug-watch-sms-security-and-mail-phishingspamming/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>App Review: eWallet for the iPhone</title>
		<link>http://www.imore.com/2008/09/30/app-review-ewallet/</link>
		<comments>http://www.imore.com/2008/09/30/app-review-ewallet/#comments</comments>
		<pubDate>Tue, 30 Sep 2008 19:26:57 +0000</pubDate>
		<dc:creator>Brian Hart</dc:creator>
				<category><![CDATA[App Reviews]]></category>
		<category><![CDATA[Apps]]></category>
		<category><![CDATA[Banner]]></category>
		<category><![CDATA[Reviews]]></category>
		<category><![CDATA[eWallet]]></category>
		<category><![CDATA[itunes app store]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.theiphoneblog.com/?p=4662</guid>
		<description><![CDATA[<strong><a href="http://www.imore.com/images/stories/2008/09/picture-129.png"></a>eWallet</strong>, from <a href="http://www.iliumsoft.com/">Ilium Software</a>, is now available in the <a href="http://phobos.apple.com/WebObjects/MZStore.woa/wa/viewSoftware?id=284721352&#38;mt=8">iTunes App Store</a> for $4.99 with a desktop version for Mac OSX coming soon, according to Ilium.

Ilium Software]]></description>
			<content:encoded><![CDATA[<p><strong><a href="http://www.imore.com/images/stories/2008/09/picture-129.png"><img class="alignright size-medium wp-image-4663" title="picture-129" src="http://www.imore.com/images/stories/2008/09/picture-129.png" alt="" width="257" height="195" /></a>eWallet</strong>, from <a href="http://www.iliumsoft.com/">Ilium Software</a>, is now available in the <a href="http://phobos.apple.com/WebObjects/MZStore.woa/wa/viewSoftware?id=284721352&amp;mt=8">iTunes App Store</a> for $4.99 with a desktop version for Mac OSX coming soon, according to Ilium.</p>

<p>Ilium Software offers their popular eWallet app for Palm, Windows Mobile Pro and Windows Mobile Smartphone. Now, you can have this useful app on your iPhone or iPod Touch.</p>

<p>How does eWallet for the iPhone measure up? Read on for the full review!</p>

<p><span id="more-4662"></span></p>

<p>Credit cards, bank accounts, memberships, passwords, PIN numbers, health information -- I'm a bit ashamed to admit that this is the kind of information I used to store unsecured in Memos on my Palm or, more recently, as a Note on my iPhone. Now, I've stepped up my game and am trying eWallet.
<h3>First Impressions</h3>
<a href="http://www.imore.com/images/stories/2008/09/pic3.png"><img class="alignright size-thumbnail wp-image-4664" title="pic3" src="http://www.imore.com/images/stories/2008/09/pic3.png" alt="" width="133" height="200" /></a>eWallet for the iPhone is an easy and convenient way to store your ridiculous number of passwords, email accounts, PIN numbers, credit card numbers, security questions, and more. Rather than risk my sensitive unsecured information falling in the wrong hands, I can instead create virtual cards with eWallet and store them securely on my iPhone.</p>

<p>The app is fairly easy to use, complete with Get Started for help, Sample Cards, and more samples to choose from. The interface is simple to use and it's great to make virtual cards to store all my personal data. </p>

<p><a href="http://www.imore.com/images/stories/2008/08/picture-29.png">
</a>
<h3>Filling Your Wallet</h3>
<a href="http://www.imore.com/images/stories/2008/09/pic1.png"><img class="alignnone size-thumbnail wp-image-4665" title="pic1" src="http://www.imore.com/images/stories/2008/09/pic1.png" alt="" width="133" height="200" /></a><a href="http://www.imore.com/images/stories/2008/09/pic2.png"><img class="alignnone size-thumbnail wp-image-4666" title="pic2" src="http://www.imore.com/images/stories/2008/09/pic2.png" alt="" width="133" height="200" /></a><a href="http://www.imore.com/images/stories/2008/09/pic4.png"><img class="alignnone size-thumbnail wp-image-4667" title="pic4" src="http://www.imore.com/images/stories/2008/09/pic4.png" alt="" width="133" height="200" /></a></p>

<p><a href="http://www.imore.com/images/stories/2008/09/pic4.png"></a>With eWallet, you first must create a new "wallet" for storing your data. You can name it whatever you wish. Once a wallet is created, you assign a password to protect the data you are about to store in your wallet. Create different wallets for different categories of data, if you wish. For example, create a Credit Card wallet for all your credit cards, a Bank Accounts wallet for your bank accounts, etc. For security, eWallet provides 256-bit AES encryption to ensure your data does not fall into the wrong hands, even if your iPhone does.</p>

<p>After assigning a password, you can begin making virtual cards. For example, if you want to store a credit card in your wallet, you can create a virtual card complete with all your credit card data: credit card number, expiration dates, name as it appears on your card, PIN number, verification number, contact phone number, security questions, and more. After creation, you can edit your card information by tapping the "gear" icon in the lower left corner of the screen.</p>

<p><a href="http://www.imore.com/images/stories/2008/09/pic5.png"><img class="alignnone size-thumbnail wp-image-4668" title="pic5" src="http://www.imore.com/images/stories/2008/09/pic5.png" alt="" width="133" height="200" /></a><a href="http://www.imore.com/images/stories/2008/09/pic6.png"><img class="alignnone size-thumbnail wp-image-4669" title="pic6" src="http://www.imore.com/images/stories/2008/09/pic6.png" alt="" width="133" height="200" /></a><a href="http://www.imore.com/images/stories/2008/09/pic8.png"><img class="alignnone size-thumbnail wp-image-4670" title="pic8" src="http://www.imore.com/images/stories/2008/09/pic8.png" alt="" width="133" height="200" /></a></p>

<p>eWallet allows for quite a bit of customization for your virtual cards. There are several different formats to choose from, from credit cards to your driver's license, from health numbers to insurance policies. Customization doesn't end with the type of card or data you can input. eWallet gives you other options, like selecting the color for your card, the type of icon displayed on the card face, gloss effects and rounded corners. You can even select a photo from your iPhone as the background.</p>

<p><a href="http://www.imore.com/images/stories/2008/09/pic9.png"><img class="alignnone size-thumbnail wp-image-4671" title="pic9" src="http://www.imore.com/images/stories/2008/09/pic9.png" alt="" width="133" height="200" /></a><a href="http://www.imore.com/images/stories/2008/09/pic10.png"><img class="alignnone size-thumbnail wp-image-4672" title="pic10" src="http://www.imore.com/images/stories/2008/09/pic10.png" alt="" width="133" height="200" /></a><a href="http://www.imore.com/images/stories/2008/09/pic11.png"><img class="alignnone size-thumbnail wp-image-4673" title="pic11" src="http://www.imore.com/images/stories/2008/09/pic11.png" alt="" width="133" height="200" /></a></p>

<p>Whatever your data may be, it's very likely that eWallet has a way for you to store it securely on your iPhone. If you are a Windows user, good news -- you can download a desktop version so you can back up and sync your eWallet wallets to your PC. If you are a Mac user, like me, you have to wait a bit longer for a Mac desktop version. Ilium informed me that it's coming soon, so I'm looking forward to adding that feature when it's available.
<h3>Final Thoughts</h3>
I like what Ilium Software has done here with eWallet for the iPhone. It's a must-have app for me and is FAR better than keeping my data in Notes. The only negative for me is the lack of a desktop version for my Mac, so I'm anxious for that to be available. Otherwise, eWallet is an excellent way to store your personal data securely while providing easy and convenient access when you need the information. At only $4.99, it's an easy choice.</p>

<h2>Pros</h2>

<p><ul>
    <li>Simple interface and easy to use</li>
    <li>256-bit AES encryption security</li>
    <li>Create several wallets</li>
    <li>Customizable cards for all types of data</li>
</ul></p>

<h2>Cons</h2>

<p><ul>
    <li>No Mac desktop for syncing and backup</li>
</ul></p>

<h2>Rating:</h2>

<p><img src="http://www.imore.com/wp-content/themes/iphonify2/images/tipb_review_40_stars.png" alt="the iPhone blog reviews: 4 Star Application!" /></p>

]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2008/09/30/app-review-ewallet/feed/</wfw:commentRss>
		<slash:comments>16</slash:comments>
		</item>
		<item>
		<title>TiPb Answers: Secure Individual Apps on the iPhone?</title>
		<link>http://www.imore.com/2008/09/22/tipb-answers-secure-individual-apps-on-the-iphone/</link>
		<comments>http://www.imore.com/2008/09/22/tipb-answers-secure-individual-apps-on-the-iphone/#comments</comments>
		<pubDate>Mon, 22 Sep 2008 18:55:43 +0000</pubDate>
		<dc:creator>Rene Ritchie</dc:creator>
				<category><![CDATA[Tips and How-To]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[tipb answers]]></category>

		<guid isPermaLink="false">http://www.theiphoneblog.com/?p=4533</guid>
		<description><![CDATA[TiPb loves answering your emails, but we also love sharing our answers with the community in hopes that more people will benefit, and even better answers will present themselves (hey,]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.imore.com/images/stories/2008/09/tipb_answers.jpg" alt="" title="TiPb Answers!" width="425" height="310" class="aligncenter size-full wp-image-4545" /></p>

<p>TiPb loves answering your emails, but we also love sharing our answers with the community in hopes that more people will benefit, and even better answers will present themselves (hey, that's why we have them <a href="http://forum.theiphoneblog.com/">forums</a>!). For today's debut TiPb Answers, reader Ryan asks:</p>

<blockquote>I've installed some apps on my phone from itunes, one being facebook mobile. What concerns me is that once i've entered my user/pw the first time it is never required again and anyone who simply "slides" the phone unlocked will have full access. I assume this is true for email as well (although I haven't set that up yet.)<br /><br />

My question is, is there any way to passcode a particular icon on the iphone? Or put a security lock on it?</blockquote>

<p>TiPB answers, after the jump...</p>

<p><span id="more-4533"></span></p>

<p>Unfortunately, Ryan, there doesn't seem to be any facility to lock or password protect individual Apps on the iPhone (unless the individual App in question provides that on its own, like <a href="http://www.imore.com/2008/07/18/app-preview-1password-for-the-iphone-for-free/">1Password</a> for example). Two options you may want to consider are:</p>

<ol>
<li>Enable the Passcode on the iPhone (Settings - General - Passcode Lock), so you have to input a 4-digit PIN in order to unlock the iPhone, and therefore launch any App or access your data.</li>

<li>Use WebApps (website based applications) instead, which you log into via MobileSafari on your iPhone and typically won't store your credentials unless you check a box (and even then you can clear cookies to remove the login info). In some cases, like Facebook, the WebApp is arguably even better than the native App as well.</li>
</ol>

<p>Security and convenience are eternal enemies. The iPhone currently defaults more towards convenience.</p>

<p>Anyone have any other options for Ryan?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2008/09/22/tipb-answers-secure-individual-apps-on-the-iphone/feed/</wfw:commentRss>
		<slash:comments>11</slash:comments>
		</item>
		<item>
		<title>Emergency Call Security Flaw Persists in iPhone 2.1</title>
		<link>http://www.imore.com/2008/09/19/security-flaw-revealed-in-21/</link>
		<comments>http://www.imore.com/2008/09/19/security-flaw-revealed-in-21/#comments</comments>
		<pubDate>Sat, 20 Sep 2008 01:00:46 +0000</pubDate>
		<dc:creator>Jeremy Sikora</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[2.1]]></category>
		<category><![CDATA[Apple]]></category>
		<category><![CDATA[emergency]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.theiphoneblog.com/?p=4509</guid>
		<description><![CDATA[<a href='http://www.imore.com/images/stories/2008/09/photo5.jpg'></a>

About a month ago Dieter reported about a fairly large <a href="http://www.imore.com/2008/08/27/gigantic-security-flaw-uncovered-in-202/">security flaw in firmware 2.0.2</a> that gave access to Safari, Email, and a frightening amount of personal data. Apple patched]]></description>
			<content:encoded><![CDATA[<p><a href='http://www.imore.com/images/stories/2008/09/photo5.jpg'><img src="http://www.imore.com/images/stories/2008/09/photo5.jpg" alt="" title="emergency" width="266" height="400" class="aligncenter size-medium wp-image-4510" /></a></p>

<p>About a month ago Dieter reported on a fairly large <a href="http://www.imore.com/2008/08/27/gigantic-security-flaw-uncovered-in-202/">security flaw in firmware 2.0.2</a> that gave access to Safari, Email, and a frightening amount of personal data. Apple patched it in <a href="http://www.imore.com/2008/09/15/review-iphone-21-software/">2.1</a>. Or did they?</p>

<p>This could be a flaw, or a feature, but it turns out you still have the ability to make a phone call, to <em>any number</em>, while the iPhone is locked with a passcode. Wasn't the "emergency" call feature meant to call "emergency" numbers such as 911 only?</p>

<p>Apple, can you please put this on your "need to fix" list? Thank you!</p>

<p>(<em>Via <a href="http://www.macrumors.com/iphone/2008/09/17/iphone-2-1-emergency-call-anyone-bug-or-feature/">Macrumors</a>, as discussed way back in 2.0.2 <a href="http://forums.ilounge.com/showthread.php?t=234970">on the forums of iLounge.com</a></em>)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2008/09/19/security-flaw-revealed-in-21/feed/</wfw:commentRss>
		<slash:comments>23</slash:comments>
		</item>
		<item>
		<title>Eye-Candy or All-Seeing Eye? iPhone Effects a Security Risk?</title>
		<link>http://www.imore.com/2008/09/12/eye-candy-or-all-seeing-eye-iphone-effects-a-security-risk/</link>
		<comments>http://www.imore.com/2008/09/12/eye-candy-or-all-seeing-eye-iphone-effects-a-security-risk/#comments</comments>
		<pubDate>Fri, 12 Sep 2008 13:30:49 +0000</pubDate>
		<dc:creator>Rene Ritchie</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[forenzics]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[screen cap]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.theiphoneblog.com/?p=4290</guid>
		<description><![CDATA[Apple is a past master at using animation both to aid usability and to fill transitions. An example of the latter is the "shrink" effect used when you hit the home button: whatever's]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.imore.com/images/stories/2008/09/iphone_spy_shot.jpg" alt="" title="iphone_spy_shot" width="459" height="300" class="aligncenter size-full wp-image-4291" /></p>

<p>Apple is a past master at using animation both to aid usability and to fill transitions. An example of the latter is the "shrink" effect used when you hit the home button: whatever's currently on screen diminishes to nothingness and the home screen icons fly back into place. To do this effect, however, the iPhone takes a quick screen shot, and then uses the built-in CoreGraphics/Animation layers to rapidly scale it down.</p>

<p>See the problem? No? <a href="http://blog.wired.com/gadgets/2008/09/hacker-says-sec.html">Wired does</a>: once a screenshot is taken, even if the iPhone immediately deletes it, those bits hang around inside your device. Current recommendations to properly destroy data involve multiple, pseudo-random overwrites. Absent that, forensics experts can often retrieve so-called "deleted" files. Including the screen shots the iPhone uses for animation. Including, potentially, any confidential or classified documents you were viewing -- or embarrassing Hello Kitty sites you were browsing -- when you hit the home button.</p>

<p>Sure, this will likely never be a problem to most users. Passwords are obscured and not many of us have docs -- or look at sites -- that would be worth the significant forensic resources it would take to recover iPhone screenshot files.</p>

<p>But, a security/privacy concern is a security/privacy concern, and while this one doesn't trouble me personally, not knowing about it -- and making an informed decision based on knowing about it -- would.</p>

<p>And hey, at least it's not as <a href="http://gizmodo.com/5046344/google-chrome-fatal-flaw-discovered-will-destroy-lives-dignities">tattly as Google Chrome</a>...</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2008/09/12/eye-candy-or-all-seeing-eye-iphone-effects-a-security-risk/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Is MobileMe Secure Enough for Your Data?</title>
		<link>http://www.imore.com/2008/09/05/is-mobileme-secure-enough-for-your-data/</link>
		<comments>http://www.imore.com/2008/09/05/is-mobileme-secure-enough-for-your-data/#comments</comments>
		<pubDate>Fri, 05 Sep 2008 19:55:21 +0000</pubDate>
		<dc:creator>Rene Ritchie</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[controversy]]></category>
		<category><![CDATA[mobileme]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[ssl]]></category>

		<guid isPermaLink="false">http://www.theiphoneblog.com/?p=4129</guid>
		<description><![CDATA[It started innocently enough. Prince McLean over at <a href="http://www.appleinsider.com/articles/08/08/15/inside_mobileme_web_3_and_web_client_server_apps.html&#038;page=2">Apple Insider</a> commented in passing:

<blockquote>Data transaction security in MobileMe’s web apps is based upon authenticated handling of JSON data exchanges between </blockquote>]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.imore.com/images/stories/2008/07/mobileme_bad.jpg" alt="MobileMe: Apple Apologizes Again" title="MobileMe: Apple Apologizes Again" width="366" height="301" class="aligncenter size-full wp-image-3394" /></p>

<p>It started innocently enough. Prince McLean over at <a href="http://www.appleinsider.com/articles/08/08/15/inside_mobileme_web_3_and_web_client_server_apps.html&#038;page=2">Apple Insider</a> commented in passing:</p>

<blockquote>Data transaction security in MobileMe’s web apps is based upon authenticated handling of JSON data exchanges between the self contained JavaScript client apps and Apple’s cloud, rather than the SSL web page encryption used by HTTPS. The only real web pages MobileMe exchanges with the server are the HTML, JavaScript, and CSS files that make up the application, which have no need for SSL encryption following the initial user authentication. This has caused some unnecessary panic among web users who have equated their browser’s SSL lock icon with web security. And of course, Internet email is not a secured medium anyway once it leaves your server.<br />

If Apple applied SSL encryption in the browser, it would only slow down every data exchange without really improving security, and instead only provide pundits with a false sense of security that distracts from real security threats.</blockquote>

<p>And the web went wild. Daniel Eran Dilger took the crown off to answer them all over at <a href="http://www.roughlydrafted.com/2008/08/22/is-apples-mobileme-secure/">Roughly Drafted</a>:</p>

<blockquote>For the record: Apple’s MobileMe desktop email can be secured via encrypted SMTP and IMAP; Apple presents details on how to ensure this is set up, as users may not have this enabled by default. Address Book and iCal sync on Mac OS X is secured automatically when it transacts with Apple’s server cloud. Windows apps use the same security when syncing their data via Outlook through iTunes for Windows. The iPhone and iPod touch also support encrypted email and all push messages are also secured via encryption.</blockquote>

<p>Our take? If you're super sensitive about your data, only ever browse via SSL over a VPN while sending with a strong PGP key, and hope no intelligence service is willing to spend serious money and assets on snooping in your general direction.</p>

<p>Other than that, use common sense. Don't risk information you can't afford getting out, and take advantage of every security feature your chosen system implements.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2008/09/05/is-mobileme-secure-enough-for-your-data/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Flash and Java on the iPhone: Video Dream vs. Security Nightmare Redux</title>
		<link>http://www.imore.com/2008/09/04/flash-and-java-on-the-iphone-video-dream-vs-security-nightmare-redux/</link>
		<comments>http://www.imore.com/2008/09/04/flash-and-java-on-the-iphone-video-dream-vs-security-nightmare-redux/#comments</comments>
		<pubDate>Thu, 04 Sep 2008 13:25:50 +0000</pubDate>
		<dc:creator>Rene Ritchie</dc:creator>
				<category><![CDATA[Editorial]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[flash]]></category>
		<category><![CDATA[java]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[vulnerability]]></category>

		<guid isPermaLink="false">http://www.theiphoneblog.com/?p=4112</guid>
		<description><![CDATA[Last week the <a href="http://www.imore.com/2008/08/27/why-the-uk-was-wrong-to-ban-the-iphone-just-the-internet-ad/">UK ruled</a> that Apple was misrepresenting the iPhone's provisioning of "just the internet" due to the lack of support for two ubiquitously popular 3rd party plugins: Flash]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.imore.com/images/stories/2008/06/iphone_flash_rumor_smasher.jpg" alt="iPhone SDK: Smashing Flash Rumors" title="iPhone SDK: Smashing Flash Rumors" width="434" height="350" class="aligncenter size-full wp-image-2649" /></p>

<p>Last week the <a href="http://www.imore.com/2008/08/27/why-the-uk-was-wrong-to-ban-the-iphone-just-the-internet-ad/">UK ruled</a> that Apple was misrepresenting the iPhone's provisioning of "just the internet" due to the lack of support for two ubiquitously popular 3rd party plugins: Flash and Java. We've previously covered the will they/won't they <a href="http://www.imore.com/2008/03/25/being-played-flash-music-and-manipulation-wait-a-thon/">drama</a> surrounding development and deployment of <a href="http://www.imore.com/tag/flash/">Flash</a> and <a href="http://www.imore.com/tag/java/">Java</a> pretty much ad nauseam, as well as some seldom discussed yet surprisingly frightening concerns about Flash and its downright sneaky use of <a href="http://www.imore.com/2008/03/13/flash-on-iphone-video-dream-or-privacy-nightmare/">3rd party advertising cookies</a>.</p>

<p>More recently, however, another issue has come to light. Primarily concerned with Windows Vista security and how it can be circumvented, this issue throws a renewed focus on the danger of 3rd party plugins like Flash and Java, on how they interpret and run code on our machines, and how they provide an increasingly popular attack vector for bad guys (hackers, malware authors, identity thieves, etc.)</p>

<p>How does this all relate to the iPhone, and what about ZOMG! Can has my Flash vidz? Read on to find out!</p>

<p><span id="more-4112"></span></p>

<p>Before we begin, I'll just mention again that I'm a long time (10+ years) web developer who works quite a bit with Flash. I'll also add that some coverage of the issues I'm about to get into has tended towards the sensationalistic. The sky is not falling. We're not doomed. Or, at least, not because of anything to do with Flash, Java, or the iPhone.</p>

<p>Caveat'd enough? Good. </p>

<p>Back in early August at the Black Hat conference, Alexander Sotirov and Mark Dowd presented a paper amusingly titled <em><a href="http://taossa.com/index.php/2008/08/07/impressing-girls-with-vista-memory-protection-bypasses/">How to Impress Girls with Browser Memory Protection Bypasses</a></em>. While Vista security proper is beyond the scope of this blog, as Operating Systems like OS X on the iPhone become increasingly hardened against security exploits, the web browser becomes the path of least resistance for hackers to get at us and our stuff. </p>

<p>The iPhone's browser, MobileSafari, is currently the closest thing to a desktop-class rendering engine that can be found on a handset. It's based on the same WebKit core as Safari for Mac and Windows, and so it's not unreasonable to imagine it shares the same advantages (real HTML, CSS, and AJAX) and risks (can be exploited). This could potentially include buffer overruns, cross-site scripting, and -- yes -- plugin vulnerabilities.</p>

<p>On a recent episode of the TWiT network's popular <a href="http://www.twit.tv/sn159">Security Now! podcast</a>, Steve Gibson summed up the problems with Flash and Java:</p>

<blockquote>Their technologies, especially in the case of Java, Java has, deliberately has readable, writable, and executable memory because of the way it operates. So it's a big target.  And so many of these third-party things, which you could pretty much depend upon, you know, Flash player is installed in the high 90 percentile of Windows machines so you can count on it being there.</blockquote>

<p>And what if we could likewise count on their being on the iPhone? What potential problem could that expose?</p>

<blockquote>Certainly after this paper has come out where these guys demonstrate clearly the exploitability of Flash, which is not [Data Execution Prevention] compatible, it's like, okay, Adobe, if you want your code in my machine, you make it safe.  Because we've seen a bunch of Flash exploits here in the last few months.  And, you know, this wouldn't be possible if Adobe would do the work.  I don't care how hard it is, it's certainly possible to code around this [...] Basically this is laziness.  In this day and age, for Flash still not to be marked as DEP friendly when it is in a highly vulnerable environment, it's not like it's something down on your tray, it's in your browser.  And we know what a target browsers are just by their very nature.  I mean, in fact, the whole focus of this paper was specifically browser vulnerability. [...] It is very common applications like Silverlight, like Flash, commonly used components, or even Media Player, that are invokable by the browser and still not yet safe, that is really now the main target of exploitation. </blockquote>

<p>We've already seen MobileSafari exploits in the wild (indeed, a TIFF-based vulnerability was one of the first ways people found to <a href="http://www.imore.com/2007/10/16/iphone-and-ipod-touch-jailbreaks-for-111/">jailbreak the iPhone 1.1.1</a> -- just by entering a URL in the browser!)</p>

<p>Again, this is not breakworld stuff. No need to panic and lock your handset in a lead box. Future versions of Flash and Java (and similar plugins) will likely address these issues.</p>

<p>Just remember, for now, that the iPhone is tremendously popular, and thus will be a tremendously popular target for hackers. Apple already has to worry about securing the HTML, CSS, AJAX (JavaScript), and Quicktime (which they own and can therefore rapidly address) components of Mobile Safari. Add to that the complications of 3rd party code interpreters with a very real history not only of exploits but (in the case of Flash) of being bloated and buggy on the Mac (another thing Adobe has chosen not yet to prioritize fixing), and it begins to make more sense why we haven't seen Flash or Java on the iPhone, a device that knows who we are (all our data) and where we are (3G aGPS).</p>

<p>But wait, other smartphones run versions of Flash and Java, though, don't they? Sure, but I'd argue that the iPhone isn't really a smartphone, it's a mobile computer. Full Darwin kernel, BSD networking -- pretty much a UNIX box in your pocket. To me, that's a far bigger target than Palm OS, the Java Micro Edition inside a Blackberry, and even Windows Mobile (which, despite the name, is a very different animal under the covers than Microsoft's desktop OS).</p>

<p>And isn't there a battle going on for the Rich Internet Application (RIA, aka WebApp) space? You betcha. Google didn't just drop Chrome for no reason. SproutCore, Flash/Air, Silverlight/.Net, Prism, Safari, Java, etc. all want to own what's likely the next major computing platform (the web "cloud").</p>

<p>Bottom-line: Both for Apple and for consumers, the advantages for Flash and Java currently do not outweigh the drawbacks, especially as standard web technologies continue to decrease the gap between proprietary plugin capabilities and the open internet (HTML, CSS, AJAX). </p>

<p>That's my opinion, at least. What's yours?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2008/09/04/flash-and-java-on-the-iphone-video-dream-vs-security-nightmare-redux/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Apple Speaks! Security Fix Firmware Coming in September</title>
		<link>http://www.imore.com/2008/08/29/apple-speaks-security-fix-firmware-coming-in-september/</link>
		<comments>http://www.imore.com/2008/08/29/apple-speaks-security-fix-firmware-coming-in-september/#comments</comments>
		<pubDate>Fri, 29 Aug 2008 11:55:16 +0000</pubDate>
		<dc:creator>Rene Ritchie</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[2.1]]></category>
		<category><![CDATA[2.3]]></category>
		<category><![CDATA[apple speaks]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.theiphoneblog.com/?p=4026</guid>
		<description><![CDATA[Dieter's already brought us up to speed on the <a href="http://www.imore.com/2008/08/27/gigantic-security-flaw-uncovered-in-202/">nasty security bug</a> Gizmodo found in the iPhone's current 2.0.2 firmware (which John Gruber points out <a href="http://daringfireball.net/linked/2008/08/27/password-lock-bypass">Apple already fixed once</a> for]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.imore.com/images/stories/2008/08/iphone_21.jpg" alt="iPhone Firmware 2.1" title="iPhone Firmware 2.1" width="350" height="197" class="aligncenter size-full wp-image-3598" /></p>

<p>Dieter's already brought us up to speed on the <a href="http://www.imore.com/2008/08/27/gigantic-security-flaw-uncovered-in-202/">nasty security bug</a> Gizmodo found in the iPhone's current 2.0.2 firmware (which John Gruber points out <a href="http://daringfireball.net/linked/2008/08/27/password-lock-bypass">Apple already fixed once</a> for firmware 1.1 way back last year -- yikes!). Now <a href="http://www.macworld.com/article/135275/2008/08/iphoneflaw.html">Macworld</a> (via <a href="http://www.macrumors.com/2008/08/28/apple-confirms-september-iphone-update/">MacRumors</a>) reports that Apple has taken the unusual step (for Apple) of confirming the upcoming fix:</p>

<blockquote>“The minor iPhone security issue which surfaced this week is fixed in a software update which will be released in September,” Apple representative, Jennifer Bowcock, said in an email to Macworld.</blockquote>

<p>So add security to the list of what Apple's now promising, along with <a href="http://www.imore.com/2008/08/28/whats-the-3g-problem-att-source-says-iphone-towerpower-drai/">3G connectivity</a> and <a href="http://www.imore.com/2008/08/20/steve-speaks-apple-will-fix-app-crashes-in-september/">App stability</a>, for the next update.</p>

<p>Will that update be the already in beta 4 iPhone firmware <a href="http://www.imore.com/tag/2.1">2.1</a>? Kevin Rose has rumored it for <a href="http://www.imore.com/2008/08/26/more-from-kevin-new-ipods-on-sept-9-itunes-8-to-include-recommendations/">September 6th</a>, but we've already seen <a href="http://www.imore.com/2008/08/17/iphone-21-beta-4-seeded-without-push-notification/">push notification fall off the feature list</a>. With more bugs to fix, will Apple pull a Vista, or settle for a less ambitious, more urgent 2.0.3 in the interim?</p>

<p>I'm favoring the 2.0.3 at the moment. I'd rather stability over features at this point. Nail 2.0.x, then move on. What's your preference?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2008/08/29/apple-speaks-security-fix-firmware-coming-in-september/feed/</wfw:commentRss>
		<slash:comments>11</slash:comments>
		</item>
		<item>
		<title>Gigantic Security Flaw Uncovered in 2.0.2 (updated)</title>
		<link>http://www.imore.com/2008/08/27/gigantic-security-flaw-uncovered-in-202/</link>
		<comments>http://www.imore.com/2008/08/27/gigantic-security-flaw-uncovered-in-202/#comments</comments>
		<pubDate>Wed, 27 Aug 2008 16:51:30 +0000</pubDate>
		<dc:creator>Dieter Bohn</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.theiphoneblog.com/?p=4011</guid>
		<description><![CDATA[<a href="http://gizmodo.com/5042332/huge-iphone-security-flaw-puts-all-private-information-">Gizmodo</a> has uncovered what can only be described as a gigantic, huge, and completely embarrassing security flaw on the iPhone.

If you have your iPhone 'locked,' it can be circumvented]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.imore.com/images/stories/2008/08/openbook.png" alt="openbook.png" border="0" width="476" height="313" class="aligncenter" /></p>

<p><a href="http://gizmodo.com/5042332/huge-iphone-security-flaw-puts-all-private-information-">Gizmodo</a> has uncovered what can only be described as a gigantic, huge, and completely embarrassing security flaw on the iPhone.</p>

<p>If you have your iPhone 'locked,' it can be circumvented very easily with very little trickery.  On the 'lock' screen, you can still make an emergency call.  When you tap that, you can then double-tap the home button to bring up your favorites (assuming you have that set).</p>

<p>The issue is that your favorites are basically the keys to the kingdom.  You can tap the blue arrow next to a favorite to gain access to a contact's information.  From there, you can further tap email, a url, or sms to gain access to email, Safari and your bookmarks, or all of your SMSes, respectively.</p>

<p>Rene notes in an email that this is reminiscent of the old PalmOS bug wherein you could still search the device while it was locked.  This, though, is definitely worse.</p>

<p>Thankfully, Apple has the best ROM update system in the entire smartphone industry -- able to push out updates to every iPhone via iTunes with minimal carrier delays.  Let's hope we see 2.0.3 very soon.  Meanwhile Giz recommends you set that double-tap behavior to either 'Home' or 'iPod' to temporarily fix the issue. </p>

<p>Of course, this only applies to people who actually use the lock function on their iPhones, the rest of us just live dangerously.</p>

<p><strong>Update:</strong> <a href="http://www.macrumors.com/2008/08/27/iphone-passcode-flaw-already-addressed-for-future-firmware-update/">Macrumors</a> reports that Apple is aware of the issue and has a fix on the way:</p>

<blockquote>
  <p><em>[...]this security flaw was already reported to Apple earlier this month and has been acknowledged as an issue. A fix will presumably be included in a future firmware update</em></p>
</blockquote>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2008/08/27/gigantic-security-flaw-uncovered-in-202/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Job Listing: iPhone Security Engineer aka iPhone Hacker</title>
		<link>http://www.imore.com/2008/07/25/job-listing-iphone-security-engineer-aka-iphone-hacker/</link>
		<comments>http://www.imore.com/2008/07/25/job-listing-iphone-security-engineer-aka-iphone-hacker/#comments</comments>
		<pubDate>Fri, 25 Jul 2008 22:00:30 +0000</pubDate>
		<dc:creator>Casey Chan</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[jailbreak]]></category>
		<category><![CDATA[job listing]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[unlock]]></category>

		<guid isPermaLink="false">http://www.theiphoneblog.com/?p=3511</guid>
		<description><![CDATA[<a href="http://www.imore.com/images/stories/2008/07/job-listing.jpg"></a>

So a new employment opportunity popped up at Apple's job listings the other day and Apple is looking for an experienced iPhone Security Engineer to create "proof of concept" attacks]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.imore.com/images/stories/2008/07/job-listing.jpg"><img class="aligncenter size-full wp-image-3512" src="http://www.imore.com/images/stories/2008/07/job-listing.jpg" alt="" width="500" height="325" /></a></p>

<p>So a new employment opportunity popped up at Apple's job listings the other day and Apple is looking for an experienced iPhone Security Engineer to create "proof of concept" attacks on current security mechanisms and provide risk analysis of potential security threats. Basically, Apple needs an iPhone Hacker to prevent future jailbreaks, unlocks, and security breaches.</p>

<p>So if any of you are good at what you do and want to work for the "good guys", go give it a try. Apple is trying to ramp up security to protect enterprises who are adopting iPhone 2.0 and more selfishly, protect their own App Store from competition <em>ahem</em> Cydia &amp; Installer. Either way, Apple is getting serious about security and the iPhone.</p>

<p>What do you think?
</p><p class="read"><a href="http://jobs.apple.com/index.ajs?BID=1&amp;method=mExternal.showJob&amp;RID=12150">Read</a><span><a href="http://arstechnica.com/journals/apple.ars/2008/07/25/apple-says-want-to-hack-iphones-for-a-living">Via</a></span></p>
 
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2008/07/25/job-listing-iphone-security-engineer-aka-iphone-hacker/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>App Preview: 1Password for the iPhone -- for FREE!</title>
		<link>http://www.imore.com/2008/07/18/app-preview-1password-for-the-iphone-for-free/</link>
		<comments>http://www.imore.com/2008/07/18/app-preview-1password-for-the-iphone-for-free/#comments</comments>
		<pubDate>Fri, 18 Jul 2008 18:28:49 +0000</pubDate>
		<dc:creator>Rene Ritchie</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[1password]]></category>
		<category><![CDATA[agile web solutions]]></category>
		<category><![CDATA[app preview]]></category>
		<category><![CDATA[preview]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.theiphoneblog.com/?p=3378</guid>
		<description><![CDATA[Confession: I use 1Password on the Mac <em>a lot</em>. I just used it to login so I could write this preview. I use it (synced via keychain) to my]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.imore.com/images/stories/2008/07/1password.jpg" alt="" title="1password" width="286" height="317" class="aligncenter size-full wp-image-3379" /></p>

<p>Confession: I use 1Password on the Mac <em>a lot</em>. I just used it to login so I could write this preview. I use it (synced via keychain) to my desktop at home, and I've used the various incarnations of the 1Password javascript bookmarklet on the original iPhone 2G. But now they've gone native, baby!</p>

<p>Internet security is a huge concern, and with mobile internet security we ain't seen nothing yet. Browsers the caliber of MobileSafari make it possible to do our transactions on the go, be it logging into our favorite social network, or doing some emergency banking on the road. But what if we get out of the cab and leave our iPhone behind? If it gets snatched? What if someone else takes possession of the tiny little device with all our precious logins on it?</p>

<p>Read on to find out!</p>

<p><span id="more-3378"></span></p>

<p><strong>The good:</strong> 1Password has us covered, proving as innovative on the handset as they've always been on the desktop. Breaking things out into 2 categories, they provide a simple 4-digit PIN to access lower security logins (i.e., for a forum), and a full blown master password for high security items (i.e. your credit card account). And the interface? Gorgeous.</p>

<p>If you haven't previously used 1Password, just start entering your credentials and you're good to go. If you've already built up a 1Password store on your Mac, setup looks a tad more involved, favoring security over convenience in the age old battle, but given the focus of the app that's certainly understandable. If you're familiar with how Apple's Remote app works, this isn't dissimilar -- search for networked 1Passwords on your Mac, establish trust, and then sync.</p>

<p><strong>The bad: </strong>Due to Apple's SDK restrictions, 1Password doesn't work with MobileSafari the way it works with regular Safari on the laptop. Basically, Apple doesn't allow plugins. To get around that, 1Password has built in its own web browser. That means you may end up using a different app to access your secure sites than you use for casual browsing. Not a deal breaker for some -- and there doesn't appear to be an alternative approach -- but it's something to consider.</p>

<p>Also, they apparently let their programmers sleep, so we won't get features like wallet items, identities, password history, folders, search, etc. until version 1.1. What about my pseudo-random password generator? I use that all the time on the Mac! (Or did I just answer my own sync-enabled question?)</p>

<p><strong>The unbelievable:</strong> According to the fine folks at Agile Web Solutions, for a limited time the 1Password App Store app will be given away FREE!</p>

<p>Not able to try it out first-hand yet, I'll have to wait for Apple to clear 1Password for App Store launch to see if the reality lives up to the concept, but they've sure made it a no-brainer to download and try out.</p>

<p>Check out their <a href="http://agilewebsolutions.com/blog/2008/07/18/1password-coming-soon-to-an-app-store-near-you/">Switcher's Blog</a> for detailed screenshots and setup instructions.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2008/07/18/app-preview-1password-for-the-iphone-for-free/feed/</wfw:commentRss>
		<slash:comments>11</slash:comments>
		</item>
		<item>
		<title>UPDATED! India to Spy on Blackberry, Make Steve Jobs&#039; Day?</title>
		<link>http://www.imore.com/2008/03/13/updated-india-to-spy-on-blackberry-make-steve-jobs-day/</link>
		<comments>http://www.imore.com/2008/03/13/updated-india-to-spy-on-blackberry-make-steve-jobs-day/#comments</comments>
		<pubDate>Thu, 13 Mar 2008 16:54:38 +0000</pubDate>
		<dc:creator>Rene Ritchie</dc:creator>
				<category><![CDATA[BlackBerry]]></category>
		<category><![CDATA[india]]></category>
		<category><![CDATA[rim]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.theiphoneblog.com/2008/03/13/updated-india-to-spy-on-blackberry-make-steve-jobs-day/</guid>
		<description><![CDATA[When Steve Jobs took the stage at the <a href="http://phonedifferent.com/2008/03/sdk_roadmap_color_commentary.html">iPhone SDK Roadmap event</a>, it was with business eyes <a href="http://phonedifferent.com/2008/03/apple_to_rim_lets_get_it_on.html">fixed squarely on market leader RIM's Blackberry device</a>:

<blockquote>"Why aren't CIOs </blockquote>]]></description>
			<content:encoded><![CDATA[<p align="center"><img alt="iphone_rim_exchange.jpg" src="http://phonedifferent.com/articleimages/2008/03/iphone_rim_exchange.jpg" width="379" height="300" /></p>

<p>When Steve Jobs took the stage at the <a href="http://phonedifferent.com/2008/03/sdk_roadmap_color_commentary.html">iPhone SDK Roadmap event</a>, it was with business eyes <a href="http://phonedifferent.com/2008/03/apple_to_rim_lets_get_it_on.html">fixed squarely on market leader RIM's Blackberry device</a>:</p>

<blockquote>"Why aren't CIOs really worried about security? Every email message sent to or from a RIM device goes through a NOC up in Canada. Now, that provides a single point of failure, but it also provides a very interesting security situation. Where someone working up at that NOC could potentially be having a look at your email. Nobody seems to be focused on that. We certainly are."</blockquote>

<p>And so is the Indian government it seems! <a href="http://www.engadget.com/2008/03/12/indian-blackberry-network-to-be-shut-down-unless-rim-allows-gove/">Engadget</a> sums up the current situation, which seems like it couldn't have been scripted better for Apple if El Jobso himself held the knife... er... pen:</p>

<blockquote>Apparently the Indian government is demanding that RIM either allow it to snoop on its encrypted email service (or worse, drop down to 40-bit encryption), or shut down the entire Indian Blackberry network at the end of the month. That'll cut off an estimated 400,000 subscribers...</blockquote>

<p>Unlike RIM's three-tiered true "push" model that routes everything through the NOC, Apple has licensed Microsoft's competing pseudo-"push" technology, ActiveSync, which relays mail directly between Exchange servers and the iPhone. This would mean that, rather than simply going after a single manufacturer like RIM to snoop on every user's email, a government would have to go after every single Exchange server in every single business in the country -- a potentially much more complicated and difficult process.</p>

<p>Is this a tempest in a teapot, or should Indian <a href="http://www.crackberry.com">Crackberry</a> addicts be worried? Would government "spying" on email lead you away from a Blackberry and towards an iPhone or even (merciful Buddha) a <a href="http://www.wpcentral.com/">WinMob</a> device? (<a href="http://www.treocentral.com">Treo</a> bone for completeness).</p>

<p>UPDATE (via <a href="http://www.engadget.com/2008/03/14/indias-blackberry-network-lives-to-fight-another-day/">Engadget</a>):</p>

<blockquote>Today the Indian government ruled out banning the BlackBerry service. Instead, the government will continue working with the Telecom Commission on security matters</blockquote>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2008/03/13/updated-india-to-spy-on-blackberry-make-steve-jobs-day/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>iPhone Security Whinging</title>
		<link>http://www.imore.com/2007/11/01/iphone-security-whinging/</link>
		<comments>http://www.imore.com/2007/11/01/iphone-security-whinging/#comments</comments>
		<pubDate>Thu, 01 Nov 2007 15:35:51 +0000</pubDate>
		<dc:creator>Mike Overbo</dc:creator>
				<category><![CDATA[Banner]]></category>
		<category><![CDATA[Editorial]]></category>
		<category><![CDATA[hype]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.theiphoneblog.com/2007/11/01/iphone-security-whinging/</guid>
		<description><![CDATA[<em><strong>figure 1:</strong> Munir Kotadia of ZDNet Australia.</em>
The good folks of <a href="http://www.myitablet.com/iphone-mods-is-security-top-of-you-hacking-concerns-311694.php">MYiTablet</a> found an article from ZDNet Australia where <a href="A hard look at the latest developments in IT security with a real world perspective.
">Munir Kotadia lambasts "greedy Apple users" for trusting anyone</a>.
<blockquote>
"There </blockquote>]]></description>
			<content:encoded><![CDATA[<p></p><p align="center">
<img src="http://phonedifferent.com/images/2007/10/munir_kotadia.png" height="121" width="138" border="1" align="top" hspace="4" vspace="4" alt="Munir Kotadia" />
<br /><em><strong>figure 1:</strong> Munir Kotadia of ZDNet Australia.</em>
</p><p>The good folks of <a href="http://www.myitablet.com/iphone-mods-is-security-top-of-you-hacking-concerns-311694.php">MYiTablet</a> found an article from ZDNet Australia where <a href="A hard look at the latest developments in IT security with a real world perspective.
">Munir Kotadia lambasts "greedy Apple users" for trusting anyone</a>.
<blockquote>
"There is no evidence to suggest that this particular jailbreak utility is at all malicious but how long will it be before copycat sites appear that have less honourable intentions?"
</blockquote></p>

<p><span id="more-1792"></span>
He then goes on to say that malevolent data thieves and identity swipers could steal passwords, credit card numbers, and entire online identities.  They could use the iPhone as a gateway into your home network, they could do any number of things.  He even manages to cast their patching of the TIFF vulnerability in a negative light.
</p><p>
But, the one thing that he doesn't address is this: unless I hack my iPhone, I couldn't know if malevolent hackers were doing that anyway.  You can't trust the security of a black box.  Preaching paranoia doesn't solve any security problems.  Indeed, most security problems are solved by establishing trust.  For those of you on Windows machines, you fix (or at least partially alleviate, wink) your virus problems by trusting that Norton AntiVirus will keep you safe from viruses.  You trust that Ad-Aware will remove spyware from your computer.  You trust that patches from Microsoft are legitimate.  You trust that ZoneAlarm is a decent 3rd party firewall.  And so on.
</p><p>
For many people, Installer.app is the <em>one</em> tool that they have to actually verify that their iPhone is in decent order.  Without it and the access to other apps that it provides, I can't tell where the iPhone is connecting to when I'm on EDGE networks, I can't find out what's sitting there on the iPhone's filesystem, and more importantly, I can't find out what <em>shouldn't</em> be there.
</p><p>
It's one thing to preach that users shouldn't trust every website.  He's right in that, but the circle of trust has to start somewhere.  It's security as preached by "Meet the Fockers," but the circle of trust doesn't do anybody any good unless someone is in it.
</p><p align="center"></p>

<p><a href="http://phonedifferent.com/images/2007/08/meet_the_fockers_circle_of_trust-1.png" onclick="window.open('http://phonedifferent.com/images/2007/08/meet_the_fockers_circle_of_trust-1.png','popup','width=337,height=274,scrollbars=no,resizable=yes,toolbar=no,directories=no,location=no,menubar=no,status=yes,left=0,top=0');return false"><img src="http://phonedifferent.com/images/2007/08/meet_the_fockers_circle_of_trust-1-tm.png" height="178" width="220" border="1" align="top" hspace="4" vspace="4" alt="Meet The Fockers Circle Of Trust-1" /></a></p>

<p><a href="http://phonedifferent.com/images/2007/08/circle-of-trust.gif" onclick="window.open('http://phonedifferent.com/images/2007/08/circle-of-trust.gif','popup','width=200,height=274,scrollbars=no,resizable=yes,toolbar=no,directories=no,location=no,menubar=no,status=yes,left=0,top=0');return false"><img src="http://phonedifferent.com/images/2007/08/circle-of-trust-tm.png" height="176" width="129" border="1" align="top" hspace="4" vspace="4" alt="Circle-Of-Trust" /></a>
<br /><em><strong>figures 2,3:</strong> "Meet the Fockers," the "Circle of Trust."</em>
</p><p>
The Apple hacking community has really been excellent so far.  For most of the work they've done, they've aimed for open source so other programmers can view the code and verify that it's legitimate.  This begins the circle of trust between programmers.  Once they build a network of trust with each other, it then spreads into the journalism world, via one of the programmer's blogs.  In terms of negative stuff, there have just been a few tiffs between developers, and one instance of possible intellectual property infringement, and for this I'm <em>very</em> thankful.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2007/11/01/iphone-security-whinging/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>iPhone Added to Metasploit</title>
		<link>http://www.imore.com/2007/09/27/iphone-added-to-metasploit/</link>
		<comments>http://www.imore.com/2007/09/27/iphone-added-to-metasploit/#comments</comments>
		<pubDate>Thu, 27 Sep 2007 14:58:44 +0000</pubDate>
		<dc:creator>Mike Overbo</dc:creator>
				<category><![CDATA[hack]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.theiphoneblog.com/2007/09/27/iphone-added-to-metasploit/</guid>
		<description><![CDATA[<em><strong>figure 1:</strong> the "Grand Theft Auto" font is a nice, subtle touch</em>

There's a story floating around about the iPhone being added to metasploit, which is a system used for]]></description>
			<content:encoded><![CDATA[<p></p><p align="center"></p>

<p><img src="http://phonedifferent.com/images/2007/09/metasploit-1.png" height="82" width="446" border="1" align="top" hspace="4" vspace="4" alt="Metasploit-1" /></p>

<p><br /><em><strong>figure 1:</strong> the "Grand Theft Auto" font is a nice, subtle touch</em>
</p><p>
There's a story floating around about the iPhone being added to metasploit, which is a system used for making shellcode.  Shellcode is code that takes advantage of bugs to run otherwise unauthorized code.  Incidentally, the more stories I read about it, the more they all <a href="http://macmegasite.com/node/3865">seem</a> <a href="http://www.macworld.co.uk/ipod-itunes/news/index.cfm?RSS&#038;NewsID=19215">strangely</a> <a href="http://www.pcadvisor.co.uk/news/index.cfm?RSS&#038;NewsID=10856">familiar</a>.
</p><p></p>

<p>So what is the eventual impact?  Well, it means that the <a href="http://blog.metasploit.com/2007/09/root-shell-in-my-pocket-and-maybe-yours.html">iPhone is going to get hacked</a>, likely by some of the best.  If there are crippling bugs in the iPhone (and there are always crippling bugs), expect hackers to find them eventually.  It could also lead to better unlocks (the official unlock, even), more secure software, and security software suites (unofficial, of course) for the iPhone. Granted, the other edge of the sword brings identity theft and spying, but like Nietzsche said, you can't have good without bad.  If you think Nietzsche was godless swine, pretend the quote comes from <a href="http://en.wikipedia.org/wiki/The_Facts_of_Life_(TV_series)"><em>The Facts of Life</em></a>'s opening song instead.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2007/09/27/iphone-added-to-metasploit/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Apple Posts Security Update</title>
		<link>http://www.imore.com/2007/08/01/apple-posts-security-update/</link>
		<comments>http://www.imore.com/2007/08/01/apple-posts-security-update/#comments</comments>
		<pubDate>Wed, 01 Aug 2007 12:59:43 +0000</pubDate>
		<dc:creator>Mike Overbo</dc:creator>
				<category><![CDATA[gruber]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[patch]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.theiphoneblog.com/2007/08/01/apple-posts-security-update/</guid>
		<description><![CDATA[Apple has posted their first update to the iPhone.  As expected, it's a patch for the <a href="http://phonedifferent.com/2007/07/more_iphone_vulnerabilities.html">security issues</a> mentioned previously, though there are five vulnerabilities patched in all.]]></description>
			<content:encoded><![CDATA[<p>Apple has posted their first update to the iPhone.  As expected, it's a patch for the <a href="http://phonedifferent.com/2007/07/more_iphone_vulnerabilities.html">security issues</a> mentioned previously, though there are five vulnerabilities patched in all.  Apple's security note is <a href="http://docs.info.apple.com/article.html?artnum=306173">posted</a>.  You can download the patch via iTunes; the iPhone software will be at version 1.01 when all is finished.  If you've hacked your iPhone, it's probably worthwhile to restore, update, and then re-hack.  It's also probably worthwhile to figure out what iTunes doesn't sync over, as you're going to lose that data. [<a href="http://daringfireball.net/linked/2007/july#tue-31-iphone_101_security">via</a>, <a href="http://daringfireball.net/linked/2007/july#tue-31-iphone_101">via</a>]</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2007/08/01/apple-posts-security-update/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Activation and Sync Details Emerging</title>
		<link>http://www.imore.com/2007/06/26/activation-and-sync-details-emerging/</link>
		<comments>http://www.imore.com/2007/06/26/activation-and-sync-details-emerging/#comments</comments>
		<pubDate>Tue, 26 Jun 2007 19:35:10 +0000</pubDate>
		<dc:creator>Mike Overbo</dc:creator>
				<category><![CDATA[AT&T]]></category>
		<category><![CDATA[contract]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[unlocked]]></category>

		<guid isPermaLink="false">http://www.theiphoneblog.com/2007/06/26/activation-and-sync-details-emerging/</guid>
		<description><![CDATA[

Bit by bit, information is coming out on how the syncing will work, and what it means to have to activate the iPhone before you can use it.

First, AT&#38;T's]]></description>
			<content:encoded><![CDATA[<p><a href="http://phonedifferent.com/images/2007/06/activation.png" onclick="window.open('http://phonedifferent.com/images/2007/06/activation.png','popup','width=660,height=300,scrollbars=no,resizable=yes,toolbar=no,directories=no,location=no,menubar=no,status=yes,left=0,top=0');return false"><img src="http://phonedifferent.com/images/2007/06/activation-tm.jpg" height="100" width="220" border="1" align="right" hspace="4" vspace="4" alt="Activation" /></a></p>

<p>Bit by bit, information is coming out on how the syncing will work, and what it means to have to activate the iPhone before you can use it.
</p><p>
First, AT&amp;T's return policy has changed: you now have only 14 days to try it out (it used to be 30 days).  There's now also a 10% restocking fee for a return.  Don't worry, though; the contract breakage fee ($175) is still the same if you miss that 2-week deadline.  We knew the phone was going to be locked, though it's a surprise that it <a href="http://www.myitablet.com/testing-out-the-iphone-will-cost-you-10-percent-restocking-fee-more-iphone-sim-details-25936.php">may be locked to one SIM card</a>.
</p><p>
Second, <a href="http://www.engadget.com/2007/06/26/iphone-aint-even-an-ipod-without-service/">you'll have to activate an AT&amp;T plan before you can even use the iPod</a> functionality of it.  Crazy!  Without a 2-year plan worth $3000, that purchase is just a $499 or $599 pretty little brick.  Hopefully it will reduce the reasons to steal them.  It's going to be a hot little thing in my pocket, that's for sure.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2007/06/26/activation-and-sync-details-emerging/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>IBM Expects iPhone to be Hacker Magnet</title>
		<link>http://www.imore.com/2007/06/25/ibm-expects-iphone-to-be-hacker-magnet/</link>
		<comments>http://www.imore.com/2007/06/25/ibm-expects-iphone-to-be-hacker-magnet/#comments</comments>
		<pubDate>Mon, 25 Jun 2007 14:32:14 +0000</pubDate>
		<dc:creator>Mike Overbo</dc:creator>
				<category><![CDATA[iPhone]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.theiphoneblog.com/2007/06/25/ibm-expects-iphone-to-be-hacker-magnet/</guid>
		<description><![CDATA[The IBM research team is pretty sure that the iPhone will be targeted by hackers and malware.  However, they think it will be <a href="http://www.informationweek.com/news/showArticle.jhtml?articleID=199906108">a very secure device</a>.  Choice quotes:]]></description>
			<content:encoded><![CDATA[<p><img src="http://phonedifferent.com/images/2007/06/ibm.png" height="200" width="200" border="1" align="right" hspace="4" vspace="4" alt="Ibm" /></p>

<p>The IBM research team is pretty sure that the iPhone will be targeted by hackers and malware.  However, they think it will be <a href="http://www.informationweek.com/news/showArticle.jhtml?articleID=199906108">a very secure device</a>.  Choice quotes:</p>

<blockquote>
"It's going to be challenging for the bad guys to exploit them like they do other [smart phones]
<br />....
<br />
A lot of these attacks are going to be very hard to launch against the iPhone."
</blockquote>

<p>[<a href="http://www.electronista.com/articles/07/06/22/ibm.on.iphone.security/">via</a>]</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2007/06/25/ibm-expects-iphone-to-be-hacker-magnet/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

