Some of us (Ollie Whitehouse, Eduardo Tang, and myself) are happy owners of the iPhone. However, not because we are constantly listening to music or using a pinching motion with our fingers to see pictures zoom and shrink, but because we get to analyze the attack surface. While the iPhone itself will surely evolve via new models, software, and patches, this blog will consist of a rundown of our initial thoughts.
In the default out-of-the-box configuration for the average user, you cannot run code on the device. This makes the platform less risky than other mobile platforms and desktop operating systems like Windows. If you can't run code, you can't run malicious code. Further, the AJAX/Web 2.0 applications that can utilize the phone's services (such as the ability to make calls) normally prompt the user before the action takes place. This prevents automatic dialing and things like SMS worms.
These factors greatly limit the attack surface. However, one could still execute code on the device in a few different ways. The first is via a vulnerability that allows unauthorized code execution. Unconfirmed reports of vulnerabilities in iPhone software have already surfaced. Some appear to be old, well-known vulnerabilities found on the Mac that just weren't patched before the shared code was released on the iPhone. One example of this is the vulnerabilities in Safari.
While vulnerabilities may be found and 0-day exploits may be released, the chances of widespread infection are currently low. Surely, they won't reach the level of some of the historic threats we've seen on Windows in the past. The device is ARM-based, so any code would likely be crafted specifically for the iPhone, and the number of iPhones is still far less than the number of Windows desktops in the world. Also, the iPhone itself can synchronize and be updated via iTunes. Many users would likely sync semi-frequently, and a forced patch can immediately stop a threat that is spreading via the vulnerability it fixes.
Another vector of infection will come from those who have modified their devices. A variety of individuals are working to enable running third-party applications on the device, if not replacing the whole operating system altogether. We've seen similar efforts for a variety of other devices, especially game consoles. Once the device is modified to allow third-party software to execute, malicious code will also be able to execute on the device. Generally, this means that only those who have specifically modified their device will be vulnerable. A good example of such a threat is Trojan.PSPBrick for the Sony Playstation Portable (PSP).
So, while the iPhone itself is not 100 percent secure (what is?), the current device won't be a petri dish just ripe for infection. If anything, one should be more concerned about the multiple reports of iPhone-related threats we saw recently, including Trojan.Pandex. This Trojan would pop up fake iPhone advertisements and attempt to trick the user into providing financial credentials. Also, we have seen spam messages that mention the iPhone to convince one to run some sort of malicious executable or visit a malicious Web site.
Of course, we owe a special thanks to Eduardo who had to stand in line to buy the thing.