The brand new firmware for the iPhone, announced by Apple a few weeks ago, has been publicly available since yesterday. Called “iOS4” (special dedication to cisco.com), it includes more than 100 new features like multitasking, folders, etc. I won’t review them here; there are multiple complete reviews already available online. Google is your best friend!
But let’s focus on security. What changed with this new release? Do you remember the recent security hole found when connecting the iPhone to an Ubuntu host (the “auto-mounting” issue)?
Yesterday, in parallel to the iOS4 release, Apple also issued a security update dedicated to iOS4 (article HT4225). This document lists 64 (!) vulnerabilities fixed by the new firmware. If you check the iOS4 homepage, there is no information about the security fixes and new security features introduced with this new release.
iOS4 comes with a “data protection” feature. From Apple’s website: “Data protection enhances the built-in hardware encryption by protecting the hardware encryption keys with your passcode. This provides an additional layer of protection for your email messages and attachments.”
Good point: developers have access to an API to use this data protection. Guys, it’s up to you to build secure applications from now on! But, on the other side, why does Apple only encrypt e-mails and contacts and not the whole set of user data? Smartphones contain so much sensitive information today!
Two important remarks:
- The “data protection” feature is only available for devices that offer hardware encryption (iPhone 3GS and iPod Touch 3rd Generation).
- If you upgrade from a version 3 to iOS4, you’ll need to restore your data to benefit from the encryption.
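How an application can opt its own files into data protection, as an added example that is not from the original post or from Apple's sample code. The helper names and the path argument are assumptions; the NSData and NSFileManager constants are the file-protection API from the iOS 4 SDK.

```objc
#import <Foundation/Foundation.h>

// Hypothetical helper (name is an assumption): write sensitive data so the
// file is created directly in the "complete" protection class, i.e. its
// key is only usable while the device is unlocked with the passcode.
static BOOL WriteProtectedFile(NSData *data, NSString *path, NSError **error) {
    NSDataWritingOptions opts = NSDataWritingAtomic |
                                NSDataWritingFileProtectionComplete;
    if (![data writeToFile:path options:opts error:error]) {
        return NO;
    }

    // Read the attribute back instead of assuming it was applied. On
    // hardware without encryption support the file is still written, but
    // the protection class may be missing, so report that to the caller.
    NSDictionary *attrs =
        [[NSFileManager defaultManager] attributesOfItemAtPath:path
                                                         error:error];
    if (attrs == nil) {
        return NO;
    }
    NSString *cls = [attrs objectForKey:NSFileProtectionKey];
    return [cls isEqualToString:NSFileProtectionComplete];
}

// Hypothetical helper: files created before the upgrade keep their old
// attributes, so an application has to re-tag them explicitly.
static BOOL ProtectExistingFile(NSString *path, NSError **error) {
    NSDictionary *attrs =
        [NSDictionary dictionaryWithObject:NSFileProtectionComplete
                                    forKey:NSFileProtectionKey];
    return [[NSFileManager defaultManager] setAttributes:attrs
                                            ofItemAtPath:path
                                                   error:error];
}
```

A file in this class cannot be read while the device is locked, so background code should handle the `applicationProtectedDataWillBecomeUnavailable:` and `applicationProtectedDataDidBecomeAvailable:` delegate callbacks rather than assume the file is always accessible.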
To conclude: upgrade to iOS4 not only for the transparent background and folders but also for your security!