We’ve all heard more than enough about the iPhone’s features, revolutionary user interface, and so on, right? Perhaps my optical grep isn’t what it used to be, but I sure don’t recall even seeing the word security in that myriad of coverage about this new must-have gadget. Are we all being drawn into the functional specification trap that so many software developers fall for also? Are we paying too much attention to what this thing does and not enough about what can go wrong? Seems likely to me.
I’ve been an IT junkie for years, ever since building my first Heathkit computer back in college. Like so many of us, I’m irresistibly drawn to new stuff as it hits the markets. In all these years, I can’t remember one single product announcement that has had the same level of buzz as the iPhone does now. That’s likely to be a great thing for Apple’s shareholders, but there’s a side effect to it as well. Along with buzz comes a veritable “kick me” sticker on the iPhone’s back.
Recent Alignment Articles
Oh yes, make no mistake about it. The moment the first iPhone ships off the assembly line, there’ll be a line of people who are going to want to be the first to break it.
But we shouldn’t be concerned, right? After all, the iPhone is built on Apple’s formidable OS X (and thus UNIX) operating system, which is pretty rock solid over all. Isn’t it?
I’m a big believer in UNIX in general, but even I want a solid mechanism for quickly and easily installing security patches and updates as they’re made available. Has there been any mention of an “iPhone Update” icon in all the functional discussions we’ve heard about in the iPhone? I must have missed that discussion.
I do hope, though, that there’s a quick and easy way of installing software updates in the device. Given Apple’s track record, I do expect that to be the case. But will it be opt-in or opt-out? Will it automatically run every night and keep my iPhone up to date with security patches or will I have to connect to some Apple website and download the latest firmware and install it – long the status quo among smart phones from other vendors.
If the latter is the case, how will the users find out about the security patches? From an email sent out by Apple? (I sure hope they digitally sign that email!) From a press release? And then, what percentage of the iPhone users do you think will actually read that email/release and go out and grab the patch? If history serves as an accurate predictor of the future, that percentage won’t be very high.
And then there’s the security configuration of the base operating system. In the desktop version of OS X, the user can turn on and off firewalling, for example. What’s the default configuration on the iPhone, and will the user have any ability to change it? Again, I’m hoping for an opt-out configuration that defaults to secure and requires the user to override if she chooses to.
Recent Alignment Articles
After all, the iPhone speaks Wi-Fi and runs UNIX – it is an Internet-connected host just like any other when connected to a network at your favorite coffee shop or airport lounge. Many of the same issues regarding safely configuring a UNIX server on the Internet are entirely relevant to configuring this little hand-held device, but we know precious little so far about it.
By all accounts, the iPhone sure looks like it’s going to be an incredible device. Indeed, if it were available on my mobile provider, I’d be getting one myself. My concern, however, is that there are so many security unknowns here that there could be trouble ahead.
I should point out that, up until about a month ago, I was using a Linux-based smart phone for my own mobile needs. It seemed to me to be quite secure from a network standpoint, but lacked any consumer-level mechanism for installing security updates. That was one of the primary reasons why I moved to a different device. But in popularity terms, that phone paled in comparison to what the iPhone is likely to hit in its first week in the market.
I, for one, hope our security expectations are in line with our functional expectations. I also hope that the smart folks at Apple have thought these issues through thoroughly and they’re ready to knock our socks off on all fronts. It’ll be an important lesson for the entire mobile device community to learn from.