Picture: Kitra Cahana/The New York Times
I’ve confirmed that the iPhone no longer runs software applications as “root” — but the iPhone is still insecure, a security expert says.
As reported on Wired.com, the iPhone used to run all software applications as “root” until recently, a flawed architecture that could give hackers complete control of the device. If hackers found a hole in any application, they could take over other functions, using the iPhone to make calls, take pictures or read and send email.
But last month Apple released a firmware update, version 1.1.3, that put most of the major applications in a new account called “mobile.”
While this is better than running all applications in root, it still lumps the applications together, which doesn’t much improve things: The same vulnerability still exits. If any one application is compromised, they are all vulnerable — and the iPhone can still be taken over, says Charlie Miller, principal analyst of software security at Independent Security Evaluators.
Dr. Miller was one of the first security experts to document the iPhone’s flawed architecture.
In a response to an email query sent yesterday, Dr. Miller writes:
Actually, the important apps have not been running as root at least since 1.1.3. See below. This is obviously better than running everything as root.
However, now they seem to run everything unimportant as the user “mobile”.
This doesn’t really solve their security problems because, for example, someone gaining access through a web server attack will still be able to access emails, dial the phone, etc. (At least it appears this way, I haven’t verified this).
A better approach would have been one like the folks at Google took with their Android SDK.
There, every application runs as a separate user in their own directory.
Therefore, each application cannot access the data of another application without the system having explicitly been told to allow it.
In the above example, an attacker who gains access to an Android phone through the web browser could only access things the web browser deals with, such as bookmarks.
They would not have access to mail contacts, saved messages, SMS messages, etc. (at least without doing a second type of attack).
Hope that helps.
Charlie
# uname -a
Darwin Charlie Miller’s iPhone 9.0.0d1 Darwin Kernel Version 9.0.0d1: Wed Dec 12 00:16:00 PST 2007; root:xnu-933.0.0.211.obj~2/RELEASE_ARM_S5L8900XRB iPhone1,1 unknown # ps aux
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
mobile 62 2.8 20.3 325440 24080 ?? Ss 9:36AM 1:15.31 /System/Library/CoreServices/SpringBoard.app/SpringBoard
root 1 0.0 0.4 272956 444 ?? Ss 8:56AM 0:01.06 /sbin/launchd
mobile 12 0.0 1.4 286128 1604 ?? Ss 8:56AM 0:00.37 /usr/sbin/BTServer
root 13 0.0 1.3 282168 1556 ?? Ss 8:56AM 0:03.43 /System/Library/Frameworks/CoreTelephony.framework/Support/CommCenter
root 16 0.0 1.3 275864 1516 ?? Ss 8:56AM 0:15.53 /usr/sbin/configd
root 17 0.0 0.5 273404 592 ?? Ss 8:56AM 0:00.09 /usr/libexec/crashreporterd
mobile 18 0.0 1.4 284764 1632 ?? Ss 8:56AM 0:00.86 /System/Library/Frameworks/IAP.framework/Support/iapd
root 19 0.0 0.7 273732 880 ?? Ss 8:56AM 0:01.69 /usr/sbin/mDNSResponder -launchd
root 20 0.0 1.1 284208 1296 ?? Ss 8:56AM 0:01.25 /usr/libexec/lockdownd
root 21 0.0 0.4 274000 432 ?? Ss 8:56AM 0:07.57 /usr/sbin/syslogd
root 22 0.0 0.2 264644 276 ?? Ss 8:56AM 0:00.66 /usr/sbin/update
mobile 23 0.0 0.7 273576 792 ?? Ss 8:56AM 0:00.12 /usr/libexec/ptpd -t usb
mobile 24 0.0 1.7 290148 2072 ?? Ss 8:56AM 0:03.31 /usr/sbin/mediaserverd
root 26 0.0 0.4 273456 428 ?? Ss 8:56AM 0:01.14 /usr/sbin/notifyd
mobile 64 0.0 2.0 309600 2340 ?? S 9:36AM 0:00.93 /Applications/MobilePhone.app/MobilePhone –launchedFromSB –firstLaunch —
mobile 65 0.0 2.5 309112 2940 ?? S 9:36AM 0:02.78 /Applications/MobileMail.app/MobileMail –launchedFromSB –firstLaunch –su
root 81 0.0 7.8 315532 9324 ?? S 9:43AM 0:37.71 /Applications/Installer.app/Installer –launchedFromSB
mobile 82 0.0 12.7 321948 15036 ?? S 9:45AM 0:21.86 /Applications/MobileSafari.app/MobileSafari –launchedFromSB
root 97 0.0 0.6 273276 764 ?? S 9:54AM 0:00.81 /usr/sbin/sshd -i
root 98 0.0 1.0 274168 1164 p0 Ss 9:54AM 0:00.14 -sh
root 100 0.0 0.3 272876 332 p0 R+ 9:54AM 0:00.01 ps aux
Why was the iPhone architected like this, I asked Dr. Miller? His reply: “I think they did it that way because it was the easiest and quickest way to do it. They had a deadline, they had a great product and they wanted to get it out the door and start making money. Clearly, by not running things as root, they are going back and trying to make the things more secure now that the phones are out and in use. However, adding security after the fact if much more difficult (and expensive) then designing it in from the start.”
6 responses to “Confirmed: iPhone Security Better, But Still Not Perfect”
How is this different from the Mac OS X desktop running all of the user’s apps under the privileges of that one user?
All else being equal, additional segmentation (as in Android) sounds good, but is this a real issue, or is just another in the long line of articles trying to piggy-back on iPhone popularity for the purposes of self-promotion?
My Mac doesn’t run every application as an individual user and that is considered secure. It is by design that an application can access the data of another e.g. the maps application accessing the phone application. Running as separate users would seem to require the removal of that kind of functionality which is what Dr Miller suggests.
Dr Miller admits he hasn’t tested the attack he is suggesting therefore, I am not sure it is correct to make comments about the iPhone security purely based on a comparison to the user/application model used between iPhone and Android. It doesn’t seem valid since the model used in the iPhone seems to be similar to the OSX model which is considered pretty secure by most standards.
Flawed? Get off your high horse and get real. That’s why Apple has insisted no one hack their phone and hasn’t released the SDK until their ready. Any developer writing iPhone apps already know about this ‘flaw’ and as your own article reports, there slowly working towards higher security and public applications.
Do the internet a favor and read Steve Job’s statement on iPhone security and stop wishing that the world could be like what you want in your head. There are many developers still working on the iPhone and they still need time to work. By writing articles like this it only makes your site look foolish and ignorant, or possibly that your being paid by google to write bad iPhone news. There is already enough bad reporting out there.