19 Comments
- sholt, on 10/26/2007, -1/+15
1) "The only time running apps as root is a risk is when you have third party apps or you haven't sandboxed your filesystem." WRONG! Any remote code execution vulnerability in an app run as root will allow the arbitrary injected code to run with root privileges. Sandboxing, as you mean it, is irrelevant in this case.
2) You assume that simply because an update is released that it will reach 100% coverage. This is a faulty assumption.
3) You presume to know the planned implementation for Apple's 3rd party application infrastructure, then draw conclusions from your assumptions. You have no basis for any of this.
Security issues are real. They are by no means reason to panic, but they do need to be addressed.
- grumpyrain, on 10/26/2007, -1/+7
If the same criteria were used for Vista, then you would say Vista has no better security than Win95.
Not true. On Vista, IE7 runs in protected mode, which means it has no access to the file system except for its 'temporary internet files' folder. It does not have sufficient rights to change any system settings, and to install anything needs to use an elevated process as the broker. What that basically means is that if IE is compromised, really the worst thing that it can do is to crash the browser or read/delete your cookies. The iPhone runs Safari as root, which means that if Safari is compromised, they can do whatever they want.
I am absolutely puzzled why Apple did not use the underlying OS-X ACLs to design a proper security model for their iPhone. Security101 - don't run a process with higher credentials than they need.
Now I agree that to compare the iPhone to Win9x on any other basis is just stupid.
- sholt, on 10/26/2007, -0/+6
I'm the only person that ever logs into my Mac at home. It connects to the internet but has no services enabled, and the only data stored on it is mine and mine alone; but it's still considered a bad idea for me to run as root. How is the iPhone different from my personal computer in any significant way, in this regard? (And why enable a root password at all, if it's never going to be used?)
Look, if we're going to keep getting more powerful and functional mobile devices, we should increase our standards for device security accordingly. Why do we continue to give mobile devices some special status like their security stance doesn't matter?
- deadbaby, on 10/26/2007, -2/+6
I really hate these "security" articles obviously written by someone who doesn't understand security.
1) All the personal data; SMS, contacts, e-mail, etc would always have read/write access by even a limited user account.(duh)
2) Non-root apps would still have access to the network.
3) Apple delayed the SDK specifically to address security. If you install unofficial third party apps you're putting yourself at risk (duh)
- Four20, on 10/26/2007, -2/+6
When you let the phone run at root level. . .and then set all passwords to alpine. . .it's obvious that something is going to happen.
- sholt, on 10/26/2007, -1/+4
true, but that doesn't mean the iPhone's security couldn't be improved, and that we shouldn't push for it.
- grumpyrain, on 10/26/2007, -0/+3
How so?
You either don't understand the 9x architecture or don't understand the Vista architecture. As a software developer, here is a tip. ALL software written by ANY developer is potentially vulnerable to at least one security failing. Securing your software is NOT just about writing good code. It is equally about limiting the potential for damage if the inevitable occurs.
9x (and specifically FAT32) does not have the concept of user level security. Heck, you can delete the corresponding pwl file from the windows directory in safe mode if you want to reset the password. There is no concept that one user has permissions to write to the Windows folder but another doesn't. There is no concept of an application not being allowed to put itself into startup.
NT based OSes like 2K, XP, 2003 and Vista running on NTFS do have reasonable ACLs. As a limited user on any of these systems, you can NOT write files or change registry settings, nor can any application you run. There is a 'run as' concept that works a bit like sudo, allowing you to launch a single process with elevated security. Vista has a further level again in LUA which at the moment only IE7 has implemented (from what I can tell). There is no technical reason that any application written in such a way could not also make use of that feature.
9x has no firewall, Vista does, and it is switched on by default. Even if you are an 'administrator', you still need to 'Allow' the system wide changes. I mean apart from the boot screen and positions of the taskbar, there is not a whole lot that Vista has in common, and certainly not the security model.
Let us presume that Quicktime's H.264 codec has a buffer overflow vulnerability on all platforms. On the iPhone, a malicious user could craft a video that exploits this vulnerability, and gain root (ie completely unimpeded) access to the device. On Vista, a malicious user could craft a video that exploits this vulnerability, but they are still stuck inside the LUA sandbox.
So no, I can not agree that the iPhone security model is as good as the Vista security model, and there are a lot of similarities between the everything runs as admin 9x security model and the everything runs as root iPhone security model. OS-X does have a really good (and proven) security model, but sadly they didn't employ it on the iPhone.
- sholt, on 10/26/2007, -0/+3
Not necessarily.
If, say, only the applications that needed to access /dev/modem (Phone.app and SMS.app) were sgid to the modem group, and no user explicitly in the modem group, and /dev/modem was set so that only members of the modem group could read/write to it, then some random buffer overflow in Safari or an image library could never gain access to the modem. This is still not perfect, however, as a bug in the phone or SMS apps could allow the same threat - but the attack surface would be greatly reduced.
Care would need to be taken to ensure every app function was partitioned correctly, and permissions doled out properly, of course.
- streak, on 10/26/2007, -0/+3
Not true. You're not seeing the twisted logic of the original post. If Vista and Win95 share any type of _potential_ vulnerability, which I expect they do, then the twisted logic would say "Vista security rivals Win95".
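The two positions argued above (grumpyrain's "a codec bug in a root process is unimpeded" and sholt's "make only Phone.app and SMS.app sgid to a modem group that owns /dev/modem") both come down to the Unix discretionary access check. The following is an added illustration written for this page, not code from the thread, from Apple or from the iPhone itself: it models that check (root bypasses the read/write bits; everyone else is judged by exactly one of the owner, group or other triplets) plus the set-gid-on-exec rule sholt relies on, and runs the same hypothetical codec compromise through the three models being compared. The uids, gids, paths and modes are constructed for the example; real ACLs, directory search checks and sandboxing are deliberately left out.

```python
"""Toy model of the Unix discretionary access check behind the thread's argument.

Added illustration, not code from the thread or from Apple. Uids, gids, paths
and modes are constructed for the example; real device ids differ and real
kernels add ACLs, directory search checks, sandboxes, etc. that are omitted.
"""
from dataclasses import dataclass

R, W, X = 4, 2, 1          # permission bits within one rwx triplet
SGID = 0o2000              # set-group-id bit on an executable


@dataclass(frozen=True)
class Inode:
    path: str
    uid: int
    gid: int
    mode: int              # permission bits plus optional SGID, e.g. 0o660


@dataclass(frozen=True)
class Cred:
    name: str
    euid: int
    egid: int
    groups: frozenset = frozenset()   # supplementary groups


def dac_allows(cred: Cred, node: Inode, want: int) -> bool:
    """True if `cred` may perform `want` (bitmask of R/W/X) on `node`.

    Root skips the read/write bits entirely; execute still needs at least one
    x bit set somewhere. Everyone else is judged by exactly one triplet:
    owner if the euid matches, else group if the egid or a supplementary
    group matches, else other. This is why "everything as root" removes
    every file-level limit at once.
    """
    if cred.euid == 0:
        return not (want & X) or bool(node.mode & 0o111)
    if cred.euid == node.uid:
        bits = (node.mode >> 6) & 7
    elif cred.egid == node.gid or node.gid in cred.groups:
        bits = (node.mode >> 3) & 7
    else:
        bits = node.mode & 7
    return (bits & want) == want


def exec_binary(cred: Cred, binary: Inode) -> Cred:
    """Credentials a process holds after exec'ing `binary`.

    An SGID binary swaps the effective gid for the binary's group. That is
    the mechanism sholt proposes: Phone.app becomes 'modem' on exec even
    though no user is ever a member of that group.
    """
    if not dac_allows(cred, binary, X):
        raise PermissionError(f"{cred.name} cannot execute {binary.path}")
    egid = binary.gid if binary.mode & SGID else cred.egid
    return Cred(f"{cred.name}:{binary.path}", cred.euid, egid, cred.groups)


# Constructed ids and paths for the example (assumptions, not the real device's).
ROOT, MOBILE, MODEM_GRP = 0, 501, 71
MODEM = Inode("/dev/modem", ROOT, MODEM_GRP, 0o660)            # rw for root and group modem only
WATCHER = Inode("/System/Library/LaunchDaemons/mailwatch.plist", ROOT, 0, 0o644)
SAFARI_BIN = Inode("/Applications/MobileSafari.app/MobileSafari", ROOT, 0, 0o755)
PHONE_BIN = Inode("/Applications/MobilePhone.app/MobilePhone", ROOT, MODEM_GRP, SGID | 0o755)


def scenario() -> dict:
    """Run the same hypothetical Safari compromise through the three models."""
    root = Cred("root", ROOT, 0, frozenset({0}))
    mobile = Cred("mobile", MOBILE, MOBILE, frozenset({MOBILE}))
    out = {}
    # 1. Everything-as-root: injected code in Safari reaches the modem and can
    #    rewrite a system plist (e.g. to plant something that watches for mail).
    s = exec_binary(root, SAFARI_BIN)
    out["root Safari: open /dev/modem rw"] = dac_allows(s, MODEM, R | W)
    out["root Safari: rewrite system plist"] = dac_allows(s, WATCHER, W)
    # 2. Least privilege: Safari runs as 'mobile', which is not in group modem.
    s = exec_binary(mobile, SAFARI_BIN)
    out["mobile Safari: open /dev/modem rw"] = dac_allows(s, MODEM, R | W)
    out["mobile Safari: rewrite system plist"] = dac_allows(s, WATCHER, W)
    # 3. Same user, but Phone.app is SGID modem: it reaches the modem and nothing else.
    p = exec_binary(mobile, PHONE_BIN)
    out["sgid Phone.app: open /dev/modem rw"] = dac_allows(p, MODEM, R | W)
    out["sgid Phone.app: rewrite system plist"] = dac_allows(p, WATCHER, W)
    return out


if __name__ == "__main__":
    for label, allowed in scenario().items():
        tag = "ALLOW" if allowed else "deny"
        print(f"{tag:5}  {label}")
```

Running it shows the root Safari case allowed on both checks, the unprivileged Safari denied on both, and the SGID Phone.app allowed on the modem but denied on the system file, which is sholt's "attack surface greatly reduced, but a bug in Phone.app still reaches the modem" in miniature. The model is only as good as the partitioning: an SGID binary with a write-anywhere bug, or a device node left group- or world-writable, collapses case 3 back toward case 1.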
- fanboydcs, on 11/04/2007, -4/+7
wow what BS, "Once you've already got it out in everyone's hands, it's a little harder to go back and add security. And that's really what they need to do at this point." The only time running apps as root is a risk is when you have third party apps or you haven't sandboxed your filesystem. Apple will easily be able to update their OS on the iPhone by launching an update, this update will be required to install any third party apps with their SDK and that update will most likely run everything as non root in a sandbox. Hell the iPhone is already sandboxed since you need to jailbreak the chroot to get into the OS partition of the device.
- rspeed, on 10/26/2007, -0/+2"It might, for example, cause a phone to call numbers without the user's knowledge, seize text messages and a list of received and sent calls, turn the phone into a listening device, track the user's location through nearby WiFi access points, or instruct the phone to snap photos of the user's surroundings -- including any companions who may be in view of the camera lens."
Wouldn't a process running as a normal user be able to do any of those things?
- sholt, on 10/26/2007, -0/+2
They can, however, open up an email with a .tiff attached, which MobileMail.app will automatically download and display, and have that image file exploit a buffer overrun in the tifflib used on the iPhone. (Substitute this case for any remote code execution vulnerability. They're common on systems as complex as OS X.) That code, if clever enough, can modify any system resources - including programs that *watch* for new emails and sms, or ones that record phone calls, or .
That's why running as root is bad. Sure, it's harder to find an exploit on the iPhone, but far from impossible (just look at the iPhone Dev Team's progress, almost all of it is from exploiting known vulnerabilities). This isn't some overzealous "run for the hills" type message, it's a valid concern that Apple should address.
- geminitojanus, on 10/26/2007, -2/+4
Almost every embedded box on the planet runs in single-user mode, regardless of whether or not it's running $UNIX_CLONE or some other custom, wonky OS. Setting the root password to "password" is considered legal for these boxes, mainly because /nobody's ever going to log into them/.
Furthermore, the iPhone is quickly becoming a Trusted Platform, one update at a time. As soon as they've squashed enough bugs that finding the next one takes exponentially longer than the previous, they've done their job, same as the Xbox devs. Any code that runs from that point on is Signed code, which Apple has given their Trust, locking you out of the platform.
So no, this is a complete security non-issue by wannabe reporters without the ability to do any research. A few iPhones may become vulnerable at some point to real security problems; instead of updating, a certain few hackers will leave their phones at older firmwares or write firmware downgrading code for future models with the intent of keeping these exploits open. And they very well may get burned for it if someone is clever enough to pull it off without the hacked phone users noticing.
Buried for more stupidity. Digg is becoming a breeding ground for ignorance.
- inactive, on 10/26/2007, -1/+3
It's depressing that everyone and their mother is trying desperately to spread FUD about the iPhone. It is also depressing that the people doing it have almost no background or knowledge in the technical fields they write about.
First of all, the Melissa worm, which this idiot mentions in the article, was spread by e-mail, not by "root-access." Similarly, the Storm trojan has nothing to do with privilege escalation either. It is also sent by email, with provocative messages designed to entice the user to open the attached script. Windows runs the malware upon opening it, and it installs a hidden Windows service that acts as part of a distributed spambot network, forwarding itself out by email at hundreds of messages per minute.
Root access or administrative privilege is not required for sending out emails or deleting one’s own files. In contrast to Windows, the iPhone won’t run scripts you send it in emails and it won’t execute ActiveX plugins as Internet Explorer does; even the most determined user can’t run software of any kind on it without using other hardware and the Unix command line to break down its security skin first.
In addition, there are no SD card slots that offer to automatically execute any code that might be copied to a memory card, and there’s no provision for installing software downloads of unknown origin, as Windows Mobile and most Symbian phones do. There’s simply no way to run code on the iPhone, outside of its web application platform within Safari. And of course, that is exactly what hackers have been complaining about.
- graiz, on 10/26/2007, -1/+2
If Apple can do for phones what Windows 95 did for PCs I would call that a huge success.
Security wise there have always been holes in every product that has ever shipped. It's never perfect and there are always ways to improve. If you get alarmist about security it takes 6-7 years to ship and you annoy the user with security warnings (Vista).
- Gantos, on 10/26/2007, -2/+2
"...on the same flawed security model that took rival Microsoft a decade to eliminate."
It's eliminated?
- streak, on 10/26/2007, -2/+2
The comparison to Windows 95 is only accurate as far as running every app as root is concerned, and this is very old news... i.e., no news. The iPhone certainly doesn't have anywhere near the holes (both accidental and designed-in) that Win95 has, and iPhone isn't an open platform. Big differences => Inaccurate comparison. If the same criteria were used for Vista, then you would say Vista has no better security than Win95.
- iNunchuk, on 10/26/2007, -2/+1
Not like the US government isn't doing anything of a similar nature...
- TritonX, on 10/26/2007, -4/+1
Wouldn't it be funny though if no exploits ever surfaced. It would just prove Microsoft's incompetence in making an OS.