iPhone Security: Prepare for the Worst
By Daniel Miessler on June 24th, 2008: Tagged as Apple | Information Security | iPhone

Let me start off with a reverse disclaimer: I’m something of an Apple fanboy. I camped for the first iPhone and I’m camping for the next one. So that tells you where my heart is.
But I’m a logical and open-minded fanboy (if there is such a thing). In between my Steve Jobs worship rituals I take time to work in the information security field, and that’s the role I’m in for this post.
So, let me be forward:
The new iPhone is going to get owned. And not just a little bit — a lot.
This will come from two main causes:
Unprecedented Functionality
The iPhone is about to be the phone to have. Between the new SDK and the App Store it’s going to make all other platforms look downright silly. And in the security world functionality is often a bad thing — especially when it’s not thoroughly tested.
I believe this to be the case with the iPhone. I don’t think Apple fully comprehends how powerful a platform they’re releasing. I think it’s too much power in the hands of too many developers and users, and the outcome is going to be serious and widespread exploitation.
Massive Popularity = Extreme Hacker Scrutiny
The Apple security zealots can claim market share doesn’t matter all they want, but it isn’t true. Next to security design, nothing matters more than exposure. In the mobile world the roles are going to be reversed from that of the desktop. Apple will be the big target, while relatively few people will spend time developing malware for Windows Mobile.
In short, attackers go where the users are, and they’re about to all be on the iPhone.
We’ll See
This is my prediction; let’s hope I’m wrong. If anyone’s capable of pulling off something this big without mucking it up it’s probably Apple, but I remain skeptical. I think it’s going to be an absolute mess.
Right, so I’ll see you in line on the 11th.
