Jailbreaking an iPhone unlocks its full potential, but it can also make it more vulnerable to malware, which can be hidden in apps on unofficial app stores or exploit default root passwords. This fact alone discourages many people from jailbreaking, as they believe an unjailbroken iPhone is impervious to malware. Apple tries to ensure this by forcing apps into a sandboxed environment and by requiring all apps to be approved before they are made publicly available on the App Store.
Nicolas Seriot recently demonstrated in a talk to an iPhone developers community in Geneva that an app can in fact steal users’ e-mail account information, address book entries, keyboard entries, past GPS data and browser history using only official APIs, reports The Register. Seriot showed how this can be done with SpyPhone, an app he created that uses only Apple-approved APIs but can still steal information from a user’s phone.
Apple’s main tool to combat malware is therefore its rigid approval process, which all apps must pass through before they can be downloaded via the App Store. While the process has been criticized for seemingly arbitrary decisions, even resulting in an inquiry by the Federal Communications Commission when Apple removed all Google Voice apps from the App Store earlier this year, it can also be used to screen for malware hidden in apps. In his talk, Seriot noted possible ways to get a malicious app approved by Apple, including encrypting the payload and keeping the malware in the app dormant and deploying it at a later time. Nevertheless, Apple is able to weed out most, if not all, malicious programs through its approval process.
Unofficial app stores, such as Cydia, lack the funds to hire staff to individually approve every app, so their response to malware must mostly come in reaction to complaints from users. Nor is it desirable to implement an Apple-like approval process for alternative app stores, as most people jailbreak their phones to get away from the App Store, which blocks many legitimate apps. Those who do jailbreak their phones should be conscious of this risk when they download apps, but in my opinion the pros of jailbreaking definitely outweigh the cons. People who choose to jailbreak their iPhones should also use MobileTerminal to change the default root password, as this is used by most malware to gain access to the phone. While a user of a non-jailbroken iPhone need not worry much about malware, a user with a jailbroken iPhone should exercise the same caution as when installing programs on a computer.
Seriot has released his slides (PDF) from the talk. SpyPhone is available on GitHub.
[Image by akosma – CC BY-SA 2.0]