Whitelisting and the iPhone

The much reported/blogged iPhone worm does not affect all iPhones. Specifically it affects SOME iPhones that have been jailbroken. A significant part of the iPhone and iPod Touch security model is a technique called “whitelisting”. This is not new and is known to be a very effective security technology that can be used to prevent malicious software from running on all kinds of computers or to only allow access to specific web sites. Fundamentally, network access control is a type of whitelisting.

When an iPhone or Touch is jailbroken, the whitelisting technology that has kept the rest of these devices pretty darn safe is removed. Estimates I have seen published put the number of jailbroken devices at close to 10%. I suspect this number has not yet topped out. So you have a security model that honestly is pretty darned effective and people are removing it. Why is this?

People love choice and functionality. There is a significant amount of overhead involved in most whitelisting implementations. An employer can deploy a whitelisting solution and mandate its use, but when you get out into user-land and personal property, people like choice, and Apple does not provide the level of choice that a significant number of users desire.

Usability and security are often at odds. In the case of the iPhone malware, there was a really simple security step that protected some users of jailbroken devices. Security-savvy jailbreakers who changed a default password protected their devices from the latest round of jailbroken iPhone vulnerabilities while still allowing themselves a wider choice of software.

While whitelisting has some strong security advantages, there’s a reason why adoption has been limited.

Randy Abrams
Director of Technical Education

Author ESET Research, ESET

  • Darrick Decoux

    Cool, that was a great article. You make some really great points.

    I personally think Apple is going too far with the secrecy about their new products. Case in point, the 4th gen iPhone. One gets lost in a bar by a drunk employee, and the person who finds it tries to return it. Apple won’t take it because they don’t believe him, so he sells it to Jason Chen, and they’re in hysterics about it and are charging him with a felony. I personally find it ridiculous.

    Anyway, I’ve written about it on my site. Check it out at Thanks for the read!

25 Nov 2009
Copyright © 2014 ESET, All Rights Reserved.