
iPhone Atlas

November 16, 2009 9:30 AM PST

Undercover helps recover lost, stolen iPhones

by Rick Broida

What's worse than a lost or stolen iPhone? Uh, hello? Nothing! That's why Apple invented Find My iPhone--and charges $99 per year for it as part of the MobileMe service.

If you're not willing to spend that much but want some kind of insurance against an iPhone that goes missing, check out Orbicule's Undercover.

This $4.99 app covertly transmits your phone's location and IP information to your browser-based Undercover account (free), thus allowing you to bust in on the thief and, guns blazing, take back your precious.

By which I mean, of course, work with local authorities to recover your iPhone in a safe and law-abiding fashion. Of course.

You can learn a lot more in the above video. However, there are a couple caveats that aren't mentioned.

For one thing, your iPhone won't transmit its location unless the finder/thief runs the Undercover app or its companion Found app, or taps any of the push notifications you send. (I love the fake bank-account message Orbicule uses to entice thieves.)

Also, unlike MobileMe, Undercover offers no way to remotely lock or wipe your iPhone.

And let's not forget that all such recovery methods are dependent on your iPhone having a charged battery. If it's outta juice, you're outta luck.

That's why I recommend supplementing an option like this with an analog solution like a StuffBak sticker, which at least will help an honest person track you down.

That said, Undercover may not be perfect, and it offers no guarantees, but for five bucks it's almost a no-brainer for anyone looking for cheap insurance. I'm sold.

November 8, 2009 9:07 PM PST

Rickrolling iPhone worm is never gonna give you up

by Caroline McCarthy

Well, this hacker has quite the sense of humor.

Reports started spreading this weekend that iPhone users in Australia had been falling victim to "ikee," a worm that replaces default wallpaper with a picture of Rick Astley, the British pop singer whose song "Never Gonna Give You Up" has gained eternal infamy thanks to the mainstreaming of the "Rickrolling" prank craze. The photo is accompanied by the message "ikee is never gonna give you up," and it's apparently quite difficult to remove. According to security firm Sophos, this is the first worm detected that targets the iPhone.

The vulnerability is pretty specific: the phones must be jailbroken in order to be affected, and it appears to spread by searching an infected phone's contacts to find other jailbroken-phone users who have installed the Unix software SSH (secure shell) but haven't yet changed their passwords from Apple's default root password, "alpine."

Sophos says that it has not heard of any occurrences of the worm outside Australia, and that while it doesn't appear to do anything worse than irritate and embarrass affected users, it highlights the vulnerabilities that jailbroken phones face.

Originally posted at Apple
October 5, 2009 4:24 PM PDT

IP Camera turns your iPhone into a security cam

by Josh Lowensohn
(Credit: CNET / Josh Lowensohn)

The iPhone has many applications that let you view Web cams from around the world, but what about turning your phone into a remote camera of its own? A new app called IP Camera (warning: iTunes link) does just that. This $1.99 tool takes a photo from your iPhone's camera every 12 to 15 seconds, then posts it to a local Web page that can be accessed from other computers on the same network.

All that's needed for setup is to make sure your phone is on Wi-Fi, then to jot down the special local HTTP address it gives you. It will keep running until you quit the application manually or get a phone call, although like any good iPhone app it starts right back up when you're done with a call.

While there are very few bells and whistles, this app worked really well in my testing with an iPhone 3G. One big thing that's missing, though, is a way to archive the photos it takes. You can temporarily stop its stream of photos, then save whichever one it's on, but it does not keep a "recents" list on its Web page or in your phone's camera roll.

I'd also like to see a way to change the frequency with which it takes photos, which could keep it from zapping too much juice if you're using it while disconnected from a power plug. And a way to run it with the display off would be nice too, since hitting the sleep button freezes the app into re-sending the same shot over and over again.

Tip: the iPod universal dock and iPhone 3G dock are both angled in such a way that makes it incredibly easy to perch your phone on a bookshelf or on top of a coworker's cube and get a great view. They'll never suspect you're watching their every move.

Related: DIY home surveillance with a Webcam

The IP Camera app turns your iPhone into a mini server, taking photos every 15 seconds and posting them almost-live to a Web page.

(Credit: CNET)
Originally posted at Web Crawler
September 16, 2009 3:51 PM PDT

Apple: iPhone OS 3.1 plugs 10 security bugs

by David Martin

Apple has issued an advisory regarding security enhancements included in iPhone OS 3.1 and iPod Touch OS 3.1.1.

(Credit: Apple, Inc.)

Here is a synopsis of the 10 iPhone security vulnerabilities addressed by the latest operating-system update for the iPhone and iPod Touch. As expected, many of these security patches focus on the Web-browsing framework WebKit.

CoreAudio Changes to CoreAudio prevent maliciously crafted AAC or MP3 files from causing unexpected application termination or arbitrary code execution.

Exchange support Changes were made to prevent a person with physical access to a device from being able to use it. Previously, if the user had "Require Passcode" set to a value higher than the "Maximum inactivity time lock" setting, there was a window of time during which a person with physical access could use the device, including Exchange services. This update addresses the issue by disabling user choices for "Require Passcode" values greater than the "Maximum inactivity time lock" setting configured by the Exchange administrator. (Read more about the complexities of Exchange security in OS 3.1.)

Mobile Mail Changes to Mobile Mail prevent a person from using Spotlight search to view deleted e-mails.

Recovery Mode Changes to Recovery Mode command parsing prevent a person with physical access to a locked device from bypassing the passcode and accessing the user's data.

Telephony Changes made to improve the handling of incoming SMS messages prevent a maliciously crafted SMS message from causing an unexpected service interruption.

UIKit Changes to UIKit fixed a problem wherein a password character could become briefly visible to a person with physical access to the device when that character was deleted (i.e., with backspace).

WebKit--disclosed user names and passwords in URLs Changes were made to prevent the disclosure of a user name and password via referrer headers when a Web site links elsewhere; the user name and password are no longer included in the URL sent in the referrer header.

WebKit--numeric character references A memory corruption issue in the handling of numeric character references could lead to unexpected application termination or arbitrary code execution after visiting a maliciously crafted Web site; it was fixed through improved handling of numeric character references.

WebKit--cross-site scripting attack Changes to WebKit improved the handling of parent and top objects, thus preventing a cross-site scripting attack when visiting a maliciously crafted Web site.

WebKit--lookalike characters in a URL Lookalike characters in a URL could be used to impersonate a Web site: International Domain Name (IDN) support and the Unicode fonts embedded in Safari could be used to create a URL containing lookalike characters, so users could be directed to a malicious, spoofed Web site that visually appears to be a legitimate domain. WebKit will now replace those characters by rendering the address in Punycode in the address bar of Mobile Safari.
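As an added illustration of the lookalike-character problem and the Punycode display fix described above (example code written for this page, not Apple's or WebKit's implementation), the following Python renders any hostname label that contains non-ASCII characters in its Punycode ("xn--") form, so a spoofed label shows up as an unfamiliar string instead of a convincing lookalike. The sample hostnames, including "paypal" spelled with a Cyrillic "а" (U+0430), are constructed for the example.

```python
import unicodedata
from urllib.parse import urlsplit, urlunsplit


def label_to_display(label: str) -> str:
    """Return an ASCII-only display form of one hostname label.

    Labels that are already pure ASCII are returned unchanged. A label
    containing any non-ASCII character (where a lookalike glyph such as
    Cyrillic 'а' U+0430 can masquerade as Latin 'a') is converted to its
    IDNA/Punycode form, which makes the substitution visible.
    """
    if label.isascii():
        return label
    # Python's built-in idna codec applies nameprep (case folding etc.)
    # and then Punycode-encodes the label with the 'xn--' prefix.
    return label.encode("idna").decode("ascii")


def display_host(host: str) -> str:
    """Render a whole hostname label by label, keeping ASCII labels as-is."""
    return ".".join(label_to_display(lbl) for lbl in host.split("."))


def suspicious_chars(host: str) -> list:
    """List every non-ASCII character in a hostname with its Unicode name.

    Handy for explaining to a user *why* an address was shown as Punycode.
    """
    return [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in host if not ch.isascii()]


def display_url(url: str) -> str:
    """Rewrite the hostname part of a URL into its display-safe form.

    Userinfo (user:password@) is deliberately dropped from the displayed
    netloc; only scheme, host, optional port, path, query and fragment remain.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""  # urlsplit lowercases the hostname
    netloc = display_host(host)
    if parts.port:
        netloc += f":{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample: Latin 'p' followed by Cyrillic 'а' (U+0430), then 'ypal'.
    spoofed = "http://p\u0430ypal.example/login"
    legit = "http://paypal.example/login"
    for url in (spoofed, legit):
        print(url, "->", display_url(url))
        for ch, name in suspicious_chars(urlsplit(url).hostname or ""):
            print("   non-ASCII character:", repr(ch), name)
```

Only labels with non-ASCII characters are rewritten, so ordinary ASCII hostnames display exactly as typed.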

Previous coverage: Security updates in iPhone OS 3.0 and Security updates in iPhone OS 2.2.

September 15, 2009 8:51 PM PDT

Apple explains iPhone OS 3.1 Exchange changes

by Jim Dalrymple

iPhone and iPhone 3G users hit a roadblock last week trying to log in to Exchange 2007 servers after upgrading to iPhone OS 3.1.

(Credit: Apple)

Because the problems began with the latest update, it may seem reasonable to assume that the update is to blame, but it's not. In fact, everything is working exactly how it's supposed to be, according to Apple.

"iPhone OS 3.1 is working properly with Exchange Server 2007," Apple representative Natalie Harrison told CNET News. "We added device encryption information to the data that can be managed by IT administrators using Exchange Server 2007. The policy of whether to support iPhone 3G, in addition to iPhone 3GS, which always has on-device encryption, on Exchange Server 2007 is set by the administrator and can be changed at any time."

What this means is that iPhone OS 3.1 now properly identifies itself to Exchange 2007 as having hardware encryption, and that's what is causing the problems for iPhone and iPhone 3G users.

iPhone OS 3.0 did not identify itself properly to Exchange 2007 on any iPhone. This means that if you had a 3G and Exchange 2007 was configured to require hardware encryption, you could still log in, even though the device does not have hardware encryption.

With iPhone OS 3.1, all iPhones identify themselves properly to the server, essentially fixing a glitch in the previous operating system. However, iPhone and iPhone 3G users that upgraded to iPhone OS 3.1 now cannot log in to Exchange 2007 servers that require hardware encryption.

If you use the new iPhone 3GS, you won't notice any change. Apple's newest phone is equipped with hardware encryption, so it will meet the requirements of the Exchange server when identifying itself.

If you already upgraded to iPhone OS 3.1 on an iPhone or iPhone 3G and connect to an Exchange 2007 server, you can ask that the IT admin turn off the hardware encryption requirement for those devices.

Company IT administrators who require hardware encryption to access Exchange 2007 will need to decide whether they want older iPhones to access their servers. If so, they will need to configure Exchange to not require encryption from the iPhone and iPhone 3G.

Of course, if you haven't upgraded your iPhone, it will continue to access Exchange 2007 as it always did.

Originally posted at Apple
Jim Dalrymple has followed Apple and the Mac industry for the last 15 years, first as part of MacCentral and then in various positions at Macworld. A guitar player for 20 years, Jim also writes about the professional audio market, examining the best ways to write and record songs on a Macintosh with Logic Pro and Pro Tools. Jim is a member of the CNET Blog Network and is not an employee of CNET.
July 31, 2009 5:26 PM PDT

Jailbreaking software already works for 3.0.1 iPhone update

by Matt Hickey
(Credit: Matt Hickey)

So Apple on Friday released an update to the iPhone OS (3.0.1) that takes care of an SMS vulnerability. It's a fairly important patch, and usually when Apple updates the iPhone OS, jailbreakers have to wait until the Dev Team comes out with a new version of jailbreaking software before they can update.

But according to the iPhone Dev Team's Twitter, this is not the case with the 3.0.1 firmware. In fact, the current versions of redsn0w and ultrasn0w work the same with the 3.0.1 firmware as they do with the 3.0 firmware that came out a few weeks ago. In short, the jailbreaking software already works. I checked with the Dev Team community and had this confirmed. "Restore to 3.0.1, run redsn0w, select the 3.0 file... Bang zoom."

So go ahead, iPhone hackers, and secure your devices soon. You don't have to worry about losing Cydia and other rogue apps.

Originally posted at Crave
With more than 15 years experience testing hardware (and being obsessed with it), Crave freelance writer Matt Hickey can tell the good gadgets from the great. He also has a keen eye for future technology trends. Matt has blogged for publications including TechCrunch, CrunchGear, and most recently, Gizmodo. E-mail Matt.
July 24, 2009 12:18 PM PDT

Expert: iPhone 3GS crypto is easily crackable

by Elinor Mills

The encryption functionality of the iPhone 3GS is so easy to crack that it is essentially "broken" as far as protecting sensitive personal data like credit card and social security numbers, according to a forensics expert and iPhone developer.

"I don't think any of us [developers] have ever seen encryption implemented so poorly before, which is why it's hard to describe why it's such a big threat to security," Jonathan Zdziarski told Wired.

With physical access to a 3GS iPhone and some free software, data can be extracted within two minutes and an image of the entire raw disk taken in about 45 minutes, he said. The iPhone decrypts the data on its own once the extraction has begun, he explains in a video demonstration.

Apple has been touting the encryption and other features to entice corporate users to the device. And it seems to be working. Nearly 20 percent of Fortune 100 companies have purchased 10,000 or more iPhones per company, the company said on its financial results conference call on Tuesday.

Originally posted at InSecurity Complex
July 24, 2009 11:00 AM PDT

RSA releases SecurID Software Token for iPhone and iPod Touch

by David Martin

RSA, the security division of EMC, has released RSA SecurID Software Token for iPhone (iTunes Link), a free app that lets you supplement typical user log-ins with an extra, cryptographically strong ID confirmation. The app turns your iPhone or iPod Touch into a SecurID authenticator.

(Credit: RSA)

The app works with a SecurID token seed and RSA's Authentication Manager; together they can provide a one-time password that changes every minute. This password is used to securely access a VPN, WLAN, or Web application. Although the SecurID Software app is available at no cost from the iTunes App Store, you must purchase the required SecurID token seeds (part #SD820) from RSA. Plus you'll need the RSA Authentication Manager for token and user management.

The app itself is configured by sending the user a unique software token seed, which is imported with just one tap. Users then can use their iPhone to securely access various systems and software. Additionally, the app replaces the traditional key fob token. The tokens can just as easily be revoked and reissued if an iPhone is lost or stolen.

RSA key fob token

(Credit: David Martin)

RSA's approach is quite different from the one used by VeriSign's VIP (VeriSign Identity Protection) Access for Mobile (download on iTunes), a free app that also lets you supplement typical user Web site log-ins with an extra, cryptographically strong ID confirmation. However, it is geared more toward the consumer, supporting popular sites such as eBay, AOL, GEICO, and PayPal at no extra cost. You can read our previous coverage of VeriSign's app for more information.

This type of credential-based security technology is a clear win for businesses, employees and consumers. It shows another innovative use for the iPhone and it makes me wonder again what my iPhone can replace next.

June 18, 2009 9:26 AM PDT

Apple: iPhone OS 3.0 plugs 46 security bugs

by David Martin

Apple has issued an advisory regarding security enhancements included in the iPhone OS 3.0 release Wednesday.

(Credit: Apple)

Here is a synopsis of the 46 iPhone security vulnerabilities addressed by the latest operating-system update for the iPhone and iPod Touch. As may be expected, many of these security patches focus on the Web-browsing framework WebKit.

CoreGraphics Changes to CoreGraphics prevent maliciously crafted image and PDF files from causing unexpected application termination or arbitrary code execution; vulnerabilities causing the same problems in FreeType v2.3.8 were also patched.

Exchange Improvements to the handling of untrusted certificate exceptions prevent a user from connecting to a malicious Exchange server, which could lead to the disclosure of sensitive information.

ImageIO Changes to ImageIO prevent maliciously crafted PNG images from causing unexpected application termination or arbitrary code execution.

International Components for Unicode Changes to ICU prevent maliciously crafted content from bypassing Web site filters and resulting in cross-site scripting.

IPSec Changes to IPSec patch multiple vulnerabilities in the racoon daemon that may lead to a denial-of-service attack.

Libxml Changes to XML library Libxml patch multiple vulnerabilities in Libxml2 version 2.6.16.

Mail Changes were made to the Mail app to give users control over the loading of remote images in HTML messages (see below). Additionally, the app was changed to prevent an application from causing an alert to appear that may be used to initiate a phone call without user interaction.

MPEG-4 Video Codec Changes to the MPEG-4 Video Codec will prevent the viewing of maliciously crafted MPEG-4 video files that may lead to an unexpected device reset.

Profiles Changes to Profiles will prohibit the installation of a configuration profile that may weaken the passcode policy defined by Exchange ActiveSync.

Safari Changes to Safari support clearing Safari's history via the Settings application, preventing disclosure of the search history to a person with physical access to the device; the search history is now actually removed. Additionally, a patch has been put in place so that interacting with a maliciously crafted Web site cannot trigger unexpected actions on another site (so-called "clickjacking").

Telephony Changes to Telephony address a problem in which a remote attacker may cause an unexpected device reset.

WebKit Changes to the Web-browsing framework WebKit were very numerous in this release, given how popular the iPhone has become for Web use. They included many fixes to prevent arbitrary code or script execution when visiting maliciously crafted Web sites. Some of these vulnerabilities could lead to app crashes and unexpected device resets, or the disclosure of sensitive information.

Previous coverage: Security updates in iPhone OS 2.2.

June 11, 2009 1:04 PM PDT

Two cheaper alternatives to Find My iPhone

by Rick Broida

An inexpensive StuffBak label may help a lost iPhone find its way home.

No doubt about it, Apple's just-announced Find My iPhone app is pretty cool. If your precious goes missing, you can remotely transmit a "Help, help, I'm lost!" message in the hopes that whoever found it will return it.

If that doesn't pan out, you can send a Mission Impossible-style self-destruct command that'll wipe the iPhone's memory, thus protecting any sensitive data from falling into the wrong hands.

Unfortunately, the price of this nifty recovery/security service is a subscription to Apple's MobileMe, which costs $99 annually. That's fine if you're already a subscriber, but way too pricey if all you want is an iPhone safety net.

Fortunately, there are alternatives. On the low-tech side there's StuffBak, a coded recovery label you slap on the back of your iPhone. The finder dials a toll-free number or visits the StuffBak site; the service arranges return shipping at no cost to the finder.

The good Samaritan also gets 20 bucks' worth of StuffBak stuff and any cash reward you want to add to the pot. As for you, recovery costs vary depending on the service plan you choose, but they won't be more than $30.

Getting closer to a MobileMe-style solution, GadgetTrak is a free app designed to help you locate a stolen iPhone (so you can recover it vigilante-style! Or, if you're boring and law-abiding, with the police's help). Check it out:

All you do is install and configure the app--then hope that the thief is dumb enough to tap the "Trak" icon (which, admittedly, looks not unlike the Safari icon). Doing so will bring up the URL of your choice (Google is the default) while secretly transmitting the phone's location to GadgetTrak. Log in to your account to see the report.

Obviously the app needs the option of working in the background, without manual activation. GadgetTrak plans to "add additional functionality and triggers as Apple makes them available to us," but for now it's of limited value.

What do you think? Is Find My iPhone worth a $99 MobileMe subscription, or are you better off with cheaper, third-party alternatives? I'm hoping that the arrival of OS 3.0 brings a lot more options for locating a lost or stolen phone.
