So here it is, iPhone month. At last. It’s been on the mind of many a gadget geek ever since Steve Jobs announced it in January. That’s a long time to make us wait, by the way, Steve. But will it be worthy of our expectations? Of course I’m referring here to our security expectations. We’ve all heard more than enough about the iPhone’s features, revolutionary user interface, and so on, right? Perhaps my optical grep isn’t what it used to be, but I sure don’t recall even seeing the word security in that myriad of coverage about this new must-have gadget. Are we all being drawn into the functional specification trap that so many software developers fall for also? Are we paying too much attention to what this thing does and not enough to what can go wrong? Seems likely to me.
I’ve been an IT junkie for years, ever since building my first Heathkit computer back in college. Like so many of us, I’m irresistibly drawn to new stuff as it hits the markets. In all these years, I can’t remember one single product announcement that has had the same level of buzz as the iPhone does now. That’s likely to be a great thing for Apple’s shareholders, but there’s a side effect to it as well. Along with buzz comes a veritable “kick me” sticker on the iPhone’s back.
Oh yes, make no mistake about it. The moment the first iPhone ships off the assembly line, there’ll be a line of people who are going to want to be the first to break it.
But we shouldn’t be concerned, right? After all, the iPhone is built on Apple’s formidable OS X (and thus UNIX) operating system, which is pretty rock solid overall. Isn’t it?
I’m a big believer in UNIX in general, but even I want a solid mechanism for quickly and easily installing security patches and updates as they’re made available. Has there been any mention of an “iPhone Update” icon in all the functional discussions we’ve heard about the iPhone? I must have missed that discussion.
I do hope, though, that there’s a quick and easy way of installing software updates in the device. Given Apple’s track record, I do expect that to be the case. But will it be opt-in or opt-out? Will it automatically run every night and keep my iPhone up to date with security patches, or will I have to connect to some Apple website and download the latest firmware and install it – long the status quo among smart phones from other vendors?
If the latter is the case, how will the users find out about the security patches? From an email sent out by Apple? (I sure hope they digitally sign that email!) From a press release? And then, what percentage of the iPhone users do you think will actually read that email/release and go out and grab the patch? If history serves as an accurate predictor of the future, that percentage won’t be very high.
And then there’s the security configuration of the base operating system. In the desktop version of OS X, the user can turn on and off firewalling, for example. What’s the default configuration on the iPhone, and will the user have any ability to change it? Again, I’m hoping for an opt-out configuration that defaults to secure and requires the user to override if she chooses to.
After all, the iPhone speaks Wi-Fi and runs UNIX – it is an Internet-connected host just like any other when connected to a network at your favorite coffee shop or airport lounge. Many of the same issues regarding safely configuring a UNIX server on the Internet are entirely relevant to configuring this little hand-held device, but we know precious little so far about it.
By all accounts, the iPhone sure looks like it’s going to be an incredible device. Indeed, if it were available on my mobile provider, I’d be getting one myself. My concern, however, is that there are so many security unknowns here that there could be trouble ahead.
I should point out that, up until about a month ago, I was using a Linux-based smart phone for my own mobile needs. It seemed to me to be quite secure from a network standpoint, but lacked any consumer-level mechanism for installing security updates. That was one of the primary reasons why I moved to a different device. But in popularity terms, that phone paled in comparison to what the iPhone is likely to hit in its first week in the market.
I, for one, hope our security expectations are in line with our functional expectations. I also hope that the smart folks at Apple have thought these issues through thoroughly and they’re ready to knock our socks off on all fronts. It’ll be an important lesson for the entire mobile device community to learn from.