Why has Apple not fixed well-known iPhone security problems?
by Davey Winder
Friday, 03 October 2008
The first vulnerability is a phishing one involving the iPhone's email application which can be used to view both HTML and plain text messages. In HTML mode, link text can be set so that it is different to the actual URL behind the link.

Most email clients avoid the obvious danger this poses by displaying a hover tooltip that shows the actual destination of the link, whatever the link text may say. Not so the iPhone, which has no hover and instead requires the user to click the link itself before a tooltip is shown.

Raff argues that "because the iPhone screen is small, long URLs are automatically cut off in the middle. So, instead of hxxp://www.somedomain.com/verylongpath/verylongfilename, you will get in the tooltip something like www.somedomain.com/very...ilename."

If an attacker sets a very long subdomain, the middle of which is cut off in the tooltip, the link can look as though it points to a trusted domain, and Safari for iPhone also shows what appears to be a trusted domain in the address bar when the link is opened.

Then there is the spamming vulnerability, which Raff is adamant is not just a trivial bug but a "pretty dumb design flaw", and one that almost every other mail client fixed ages ago. Anyone remember the whole 'web bug' thing from years back?

It also involves the viewing of HTML mail messages, this time ones that contain images. When you view such a message, a request is made to a remote server to fetch the image. Best practice, followed by most clients, is to ask the user's approval before any such remote image download is made.

Not the iPhone. Why is this a problem? Because, says Raff, if the images are downloaded automatically "the spammer who controls the remote server will know that you have read the message, and will mark your mail account as active, in order to send you more spam."

Unfortunately there is no workaround for the web bug spam issue, and Raff simply advises people not to use the iPhone mail application until it is fixed.

The same advice applies to the phishing vulnerability, but if people insist on using iPhone mail they should be very "careful with the links" they click...
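To make the two mitigations concrete, here is an added example (written for this page, not code from Apple, from Raff or from the article) of what a mail client's HTML pre-processor can do before rendering a message: flag links whose visible text names a different domain than the real href (and show the right-hand end of the real host, so a long subdomain cannot hide the registrable domain), and replace remote image references with a placeholder so no web bug is fetched without the user's consent. The sample message, the `.invalid` host names and the helper names are all constructed for the example; the registrable-domain helper deliberately ignores multi-label public suffixes such as co.uk.

```python
"""Added example (not from the iTWire article or Raff's research): an HTML
e-mail pre-processor that applies the two mitigations the article says other
mail clients already had: flag display-text/href mismatches and block remote
images (web bugs). Standard library only."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Rough matcher for "looks like a URL or host name" in visible link text.
HOSTLIKE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)
VOID_TAGS = {"img", "br", "hr", "meta", "link", "input"}


def registrable_domain(host):
    """Last two labels of a host ("mail.example.com" -> "example.com").
    Simplification: multi-label public suffixes (co.uk) are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def display_host(host, width=24):
    """Truncate a long host for a narrow screen from the LEFT, so the
    registrable domain at the right end stays visible (the opposite of the
    middle-cut tooltip the article describes)."""
    return host if len(host) <= width else "..." + host[-(width - 3):]


class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out = []          # sanitized HTML fragments
        self.blocked = []      # remote image URLs that were NOT fetched
        self.suspicious = []   # (visible link text, real host) mismatches
        self._href = None      # href of the anchor currently open
        self._text = []        # text collected inside that anchor

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            src = a.get("src", "")
            if urlparse(src).scheme in ("http", "https"):
                # Web-bug mitigation: never fetch remote images automatically.
                self.blocked.append(src)
                self.out.append('<img alt="[remote image blocked]">')
                return
        if tag == "a":
            self._href = a.get("href", "")
            self._text = []
        self.out.append(self.get_starttag_text())

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
        self.out.append(data)

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if tag == "a" and self._href is not None:
            text = "".join(self._text).strip()
            real_host = urlparse(self._href).hostname or ""
            m = HOSTLIKE.search(text)
            # Phishing mitigation: visible domain must match the real one.
            if m and registrable_domain(m.group(1)) != registrable_domain(real_host):
                self.suspicious.append((text, real_host))
                self.out.append(" [link goes to %s]" % display_host(real_host))
            self._href = None
        self.out.append("</%s>" % tag)


def sanitize(html):
    """Return (sanitized HTML, blocked image URLs, suspicious links)."""
    p = MailSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out), p.blocked, p.suspicious


# Constructed test message; the hosts use the reserved .invalid TLD.
SAMPLE = (
    '<p>Your statement is ready: '
    '<a href="http://www.bank.example.com.secure-login.unrelated.invalid/verify">'
    'www.bank.example.com</a></p>'
    '<p>More at <a href="http://news.example.com/">news.example.com</a></p>'
    '<img src="http://track.unrelated.invalid/pixel.gif?id=123" width="1" height="1">'
    '<img src="cid:logo@local">'
)

if __name__ == "__main__":
    html, blocked, suspicious = sanitize(SAMPLE)
    print(html)
    print("blocked images:", blocked)
    print("suspicious links:", suspicious)
```

Images embedded in the message itself (`cid:` references) are left alone, since fetching them contacts no remote server; only `http`/`https` sources are replaced. The mismatch check is on the registrable domain rather than the full host, so a legitimate link whose text reads `news.example.com` and whose href is on the same domain is not flagged.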