p2pnet news view | Mobiles:- “We’re going to have to go with the old imperative of ‘Trust no one. And unfortunately part of that is, don’t trust Apple.”

That’s the final quote from Jonathan Zdziarski (right), an iPhone developer and a hacker who teaches forensics courses on recovering data from iPhones. And it comes in a Wired story which kicks off with »»»

Apple claims that hundreds of thousands of iPhones are being used by corporations and government agencies. What it won’t tell you is that the supposedly enterprise-friendly encryption included with the iPhone 3GS is so weak it can be cracked in two minutes with a few pieces of readily available freeware.

“It is kind of like storing all your secret messages right next to the secret decoder ring,” the story has said Jonathan saying.

“I don’t think any of us [developers] have ever seen encryption implemented so poorly before, which is why it’s hard to describe why it’s such a big threat to security.”

He says it’s just as easy to access a user’s private information on an iPhone 3GS as it was on the previous generation iPhone 3G or first generation iPhone, “both of which didn’t feature encryption,” says the story, continuing »»

If a thief got his hands on an iPhone, a little bit of free software is all that’s needed to tap into all of the user’s content. Live data can be extracted in as little as two minutes, and an entire raw disk image can be made in about 45 minutes, Zdziarski said.

Wondering where the encryption comes into play? It doesn’t.  Strangely, once one begins extracting data from an iPhone 3GS, the iPhone begins to decrypt the data on its own, he said.

To steal an iPhone’s disk image, hackers can use popular jailbreaking tools such as Red Sn0w and Purple Ra1n to install a custom kernel on the phone. Then, the thief can install an Secure Shell (SSH) client to port the iPhone’s raw disk image across SSH onto a computer.

Not only but also, there are other weaknesses, says Jonathan. “Pressing the Home button, and even zooming in on a screen, automatically creates a screenshot temporarily stored in the iPhone’s memory, which can be accessed later,” says the Wired story.

“And then there’s the keyboard cache: key strokes logged in a file on the phone, which can contain information such as credit card numbers or confidential messages typed in Safari. Cached keyboard text can be recovered from a device dating back a year or more.”

So when you get right down to it, it’s up to the app developers to add an extra level of security to their apps because Apple’s encryption feature is so poor, he says, stating:

“If they’re relying on Apple’s security, then their application is going to be terribly insecure. Apple may be technically correct that [the iPhone 3GS] has an encryption piece in it, but it’s entirely useless toward security.”

Follow p2pnet on Twitter.

Wired – Hacker Says iPhone 3GS Encryption Is ‘Useless’ for Businesses, July 23, 2009

---

Use free p2pnet newsfeeds for your site. It’s really easy!
Subscribe to p2pnet.net | | rss feed: http://p2pnet.net/p2p.rss | | Mobile – http://p2pnet.net/index-wml.php

---

Net access blocked by government restrictions? Use Psiphon from the Citizen Lab at the University of Toronto. Go here for details.

This entry was posted on Friday, July 24th, 2009 at 10:43 am and is filed under Mobiles. You can follow any responses to this entry through the RSS 2.0 feed. You can skip to the end and leave a response. Pinging is currently not allowed.

HOME

Viewed 2545 times