Why has Apple not fixed well known iPhone security problems?

Davey Winder
Friday, 03 October 2008 15:01

Your IT - Mobility

The first vulnerability is a phishing one involving the iPhone's email application which can be used to view both HTML and plain text messages. In HTML mode, link text can be set so that it is different to the actual URL behind the link.

Most email clients avoid the obvious dangers this poses by displaying a hover tooltip showing the actual destination link no matter what the text itself may say. Not so the iPhone, which instead of a hover requires the user click the link itself for a tooltip.

Raff argues that "because the iPhone screen is small, long URLs are automatically cut off in the middle. So, instead of hxxp://www.somedomain.com/verylongpath/verylongfilename, you will get in the tooltip something like www.somedomain.com/very...ilename."

If an attacker sets a very long subdomain, which is cut off in the middle, it can look like a trusted domain and Safari for iPhone also shows what appears to be a trusted domain in the address bar when launched.

Then there is the spamming vulnerability, which Raff is adamant is not just a trivial bug but a "pretty dumb design flaw" and one that was fixed by most every other mail client ages ago. Anyone remember the whole 'web bug' thing of many years back now?

It also involves the viewing of HTML mail messages, this time which contain images. When you view that message a remote server request is made to grab the image. Best practise requires most clients to get user approval before such a remote image download is requested.

Not the iPhone. Why is this a problem? Because, says Raff, if the images are downloaded automatically "the spammer who controls the remote server will know that you have read the message, and will mark your mail account as active, in order to send you more spam."

Unfortunately there is no work around for the web bug spam issue, and Raff simply advises people not to use the iPhone mail application until it is fixed.

The same advice applies to the phishing vulnerability, but if people insist on using iPhone mail they should be very "careful with the links" they click...