iphone

Openness versus consumer protection? Android, iPhone, and transparency

Posted on January 30, 2009 - 16:22 by egeorge

If you follow news about the Android mobile phone platform, you may have seen recent allegations of malware against a third-party application available on Google's Android application market. It's unclear whether the application in question, MemoryUp, was actually capable of any of the behavior alleged against it - Google's own testing showed no malicious behavior - but the application disappeared from the Android Market anyway.

Elisabeth Oppenheimer, of StopBadware director Jonathan Zittrain's "Future of the Internet" blog, writes:

bq. [I]f Google is going to have the kind of open marketplace they want, they’re going to have to be more clear about what they’re doing. No one seems to know who pulled the app—the developer, Google itself, or perhaps some automatic system based on customer complaints. If Google is silently pulling disputed apps while the developers protest … they’ve replicated the iPhone’s App Store. There hasn’t been much protest about the Android kill switch, and people might well be okay with pulling apps that pose security problems from the Market (especially since there are alternative distribution methods). But Android users ought to know who pulled the app, and why.

Contrast the Apple iTunes App Store, which pre-screens applications. It's unlikely for malware to get through, but the high level of gatekeeping can also keep legitimate applications out - including, controversially, competitors to some applications designed by Apple.

Elisabeth continues:

bq. Professor Zittrain argues for solutions that engage the community of users and don’t assume a zero-sum game. Having users test and rate applications—as they do on Android—is certainly a step in that direction. (Google removing apps without explanation would be a step in the opposite direction, and would make developers nervous.)

Do we really need to choose between openness and security? Professor Zittrain argues that, with the help of the community of internet users at large, we should not need to. For companies in a position to act as gatekeepers seeking a balance they can live with, a high level of transparency and communication with users can help mitigate any restrictions on openness - and can help foster a more secure internet for us all.

Disclosure: Google is one of StopBadware's sponsors.

iPhone users should beware of mail links

Aviv Raff, a security researcher, released "an advisory":http://aviv.raffon.net/2008/07/23/iPhoneIsPhishableAndSPAMable.aspx indicating that the iPhone is vulnerable to a URL spoofing attack.

bq. By creating a specially crafted URL, and sending it via an email, an attacker can convince the user that the spoofed URL, shown in the mail application, is from a trusted domain (e.g. Bank, PayPal, Social Networks, etc.).

bq. When clicking on the URL, the Safari browser will be opened. The spoofed URL, shown in the address bar of the Safari browser, will still be viewed by the victim as if it is of a trusted domain.

He reports that both version 1.1.4 (and possibly older versions) and version 2.0 of the iPhone firmware are affected.

Apple has acknowledged the vulnerability and is reportedly working on a patch. Meanwhile, be especially wary of clicking on links in iPhone Mail.

Hat tip to Ryan Naraine at the "Zero Day blog":http://blogs.zdnet.com/security/?p=1541.