Dialing for Trojans
Many people have said that the lack of attacks upon Apple’s operating systems and devices can be attributed to a lower market share than Microsoft Windows-based PCs. With the shift towards malicious code being written for financial gain, it makes more economic sense. (I know that there are other arguments to be made, but bear with me.) Why write a Trojan that only runs on about 10% of computers when you can write one that is capable of affecting closer to 90% of them? Far more bang for the buck.
At the same time, there haven’t been many attacks on cellular phones and mobile devices. There have been several proof of concept Trojans, worms, and viruses for Symbian Smart Phones as well as a few for the Windows Mobile platform. Some of these have even resulted in small, localized outbreaks. Again, the lack of attacks on these devices has been attributed to a smaller user base.
On June 29th, however, these two platforms will converge when Apple’s iPhone is released in the US. The release will potentially make writing malicious code for both an Apple product and a mobile device irresistible to some attackers. The iPhone will represent a robust mobile device platform based on OS X that allows users to send and receive HTML email and surf the Net with the Safari Web browser.
Projections made by various analysts suggest that iPhone adoption will be quite high. This allows attackers to target a larger audience with malicious code designed to run on the devices. The Safari browser and HTML email capabilities of the device could present an ideal attack vector. As recently demonstrated, Safari can be affected by vulnerabilities just as easily as other browsers on the market. While Apple may patch these holes on both the desktop and mobile platforms, the question is will users who have to pay for data transfers be willing to download large security updates on a regular basis?
I doubt that anyone will read this and decide against their iPhone purchase (in fact I’ll probably look into getting one myself). Just remember to keep the same best security practices you would use on any other computer in mind.