LAS VEGAS (CNNMoney) -- The iPhone's baked-in security has improved
dramatically over the past few years, which is great for Apple fans.
In a weird way, it's good for hackers too.
With the "bring your own device" phenomenon in full swing, Apple
(AAPL, Fortune 500) has been successful at getting its iPhones and
iPads into the hands of Fortune 500 companies and even many government
agencies, including the White House and the U.S. military. To make
those sales, Apple had to update its iOS mobile operating system with
some of the industry's most robust security features.
That had a nasty unintended consequence: Many app developers no longer
put their own safeguards in place, relying instead almost exclusively
on Apple to ensure the security of their applications.
With thousands of apps in the iTunes App Store all featuring the same
exact security features, one single vulnerability could have a domino
effect.
"Security is now an afterthought for many app developers," said
Jonathan Zdziarski, senior forensic scientist at viaForensics, in a
presentation at the Black Hat cybersecurity conference in Las Vegas on
Thursday. "That means if you hack one, you can hack them all."
Apple declined to comment.
The tech giant made its first official appearance at Black Hat this
year with a session on iOS's security features, but the dry
presentation was little more than a public reading of a white paper
Apple recently released. Presenter Dallas De Atley, Apple's platform
security team manager, took no questions after his talk and quickly
escaped out a side door.
A few rooms away, Zdziarski simultaneously delivered his workshop on
"The Dark Art of iOS Application Hacking."
The scenarios Zdziarski outlined are scary, but they're also far-fetched.
To hack all the apps on your phone, a hacker would need to: 1) steal
your iPhone, which isn't so hard, and 2) discover and exploit an iOS
vulnerability before Apple does. That's proven to be very hard. It has
happened before -- most notably when serial Apple hacker Charlie
Miller found a way to sneak a rogue app into Apple's fiercely guarded
iTunes store. (When he publicized the hack, Apple yanked his developer
license.)
Still, so-called "zero-day exploits" on iOS have been extremely rare.