If all they do is monitor app output you just disable the malware potion of your app until it is approved. For example say I remake space invaders, the game connects to my server to access the hiscores list. Once approved and your target has downloaded your app, you rig the hiscores list to an unobtainable number which the program detects and promptly activates the malware. During the testing period, they could easily miss this piece of malware, and this method might be considered fairly rudimentary as far as hiding malware goes.
That being said I think the OP is pretty safe, infecting him with this malware would be pretty difficult if he doesn’t click random emails, disables active scripting, and uses various other security measures.
mittu, I have tried to present good arguments as to the plausibility of such an attack, and I believe I have done so effectively. I was abbreviating when I said that the PDF exploit works on 4.0.1. It also works on several older OS versions.
Not everyone upgrades immediately. Some people never hook their iPhone up to a computer again once it has been configured for them (!).
Furthermore, just because that hole is plugged doesn’t mean that there aren’t five more that will crop up next month.
Considering that Safari fell in ten seconds and the others were toast within a few hours, it should be clear that an expert hacker can get into any device. It all depends on how much he or she wants to.
I wouldn’t trust that a sharp hacker couldn’t get in.
And you cannot just wave your hand and dismiss the dangers of a modern hacker’s arsenal allowed private network access to a PC.
I believe that you have more faith in Apple’s processes and security by obscurity than I do, and I feel I have contributed what I can here and will move on.
It also doesn’t mean that there are. That could be it, end of story, iOS could now be 100% secure, you nor anybody else are able to show otherwise.
PWN2OWN is a nice competition and they include the iphone in their testing. So far all they have managed is to copy data off the phone, no installation of malicious code as the user they authenticate as does not have sufficient privileges. So the best hackers in the world have tried and failed to install their own software on an iphone and you can bet they all gave it their best, it would be one hell of scalp.
Apple’s app approval process is shrouded in mystery for the most part, nobody outside Apple knows how far they go in testing though it is reported that they search for undocumented function calls. One thing we do know is that no approved app has yet exhibited virus/malware type behavior. We can assume that this is for one of two reasons, either Apple are actually pretty good at ensuring apps only do what they claim to, or no hacker on the planet has thought that the 50 million+ iphones in the world would be a lucrative market to attack. The second doesn’t look very likely.
I agree that in a perfect storm of situations with assumptions based on no facts that the iphone can be hacked. But we don’t live in that world, we live in a world of facts and the facts are that, at present, there is no known way to install the software on an iphone, people have tried, and they have failed. I have tried (and failed) to find some evidence of a malicious iphone app that has made it past the review and into the app store. I found plenty of harbingers of doom, security experts that say ‘it WILL happen, it’s just a matter of time’, the one that appears most often was written in '04.
Do you know of every exploit that happens on the PC? What makes yhou think everything is advertised?
So far I can’t find even a grain of experience shading a single one of your posts in this thread. But I do note that you have refused to answer any of the questions put to you which might demonstrate wither what your level of experience is, or why you feel the need to issue imaginary apologetics for Apple. I think readers can conclude something from your refusal.
Or, as I have described, in routine circumstances, using existing approved apps, the iphone can be used as a bridge, which is one of the clearest and difficult to defend problems with any tcp/ip network.
The links the other poster provided you to actual apps that anyone can install are not “facts” enough to you?
Perhaps you can define “facts” for us? And maybe what “world” you live in?
And yet no one here is presenting a malicious app of the sort you are looking for as necessary to compromise the PC. You are wasting your own time because you seem to be having trouble both grasping what is being explained to you and asking for help since you have dug yourself in so deep.
To use a car analogy again, what you just positied is like saying that since in theory people keep saying they can take a motorized saw through a car body to get in the car, and that doesn’t happen, that no one can possibly break into a car.
When in fact, there are many ways to hack the locks without damaging anything. Details depend on the car of course, but surely you are not going to argue that there are elegant solutions are you? So why are you so certain there are not elegant solutions to an iphone when even you admit you have no evidence whatsoever regarding Apple’s approval process, and apparently no ability to state, in technical terms that would demonstrate an understanding of the nature of the data the approval team is tasked with reviewing either.
Their is not a grain of salt big enough on earth for me to think you have any experience in this matter at all. Maybe you sell iPhones or something like that, but my feeling is your level of network experience is about on that level, and so I accord your opinions the disdain they deserve.
But I do feel bad for others who might come here and believe what you are saying and come away with the feeling that if they let their neighbor use his phone on their network during a visit, that nothing can possibly go wrong, because EVERYTHING that can go wrong is fair game, same as if the neighbor had a laptop instead.
Also as a note, adding the iPhone just makes things harder.
In order for someone to hack into someones PC via their iPhone, you’d have to first hack their iPhone remotely (which is, thusfar, entirely unprecedented), gain complete (unauthorized, unnoticed) control over it, and then hack your PC from there.
Ockhams Razor, why’re you making shit retardedly hard?
‘We’ is mankind. Show me some proof of an approved app appearing in the app store that exhibits malicious behavior.
No, I don’t, but I do know that with over 50 million iphones sold if there was a an app that was malicious in nature it would have made the news. We would know about it. There has been no mention of such an app, because it doesn’t exist.
What level of experience I have is completely irrelevant, I could be someone who found a computer for the first time last week or I could be a Professor of Network Security at MIT, it doesn’t change the truth of any statement I make.
You don’t have access to the data collected by any of those apps, it is of no use to your whatsoever. He could have an app on his phone that remotes into his Windows PC but that doesn’t make a blind bit of difference to you because you can’t control or influence his phone at all.
As above, the existence of the app is not the same as having control over that app with malicious intent. On every Windows PC you have the ability to format the HDD, is that a huge security flaw because it means a hacker can do the same? No, the fact that the device is able to perform this task is of no risk whatsoever as long as a hacker can’t control the device. The hacker can’t control the iphone so the apps installed are of no use to him. The only way for the hacker to get control is to have an app they have written installed on the iphone, something which no hacker has ever managed to perform.
You can figure that one out for yourself.
Who am I asking for help from? I’m fine here baby!
Why am I so certain that solutions don’t exist to hacking the iphone? Because if there were such solutions they would have been found and exploited. People far smarter than you or I do this for a living and all the hacking experts have come up with the same thing when trying to hack the iphone, precisely squat.
I’m not sure why it should matter so much to you, do you only listen to the opinions of people with letters after their name?
If the neighbor had malicious intent and a jailbroken iphone sure he could do some damage, no doubt at it. That doesn’t relate in any way to the OP though. For the record, i’m not giving advice to anyone here, security is an important issue and one I deal with daily, I would always advise people to take as many precautions as possible when dealing with any device that can communicate or be communicated with on a network. The OP isn’t asking for general advice however, he is asking if someone from a message board can gain access to his PC via his iphone, this being GQ, the answer is ‘no’.
This malware is a work of art. It started off as an app that hacked, evolved into a scanner that sent the results home, then ironically back into an app that tries a list of vulnerabilities in it’s repertoire. Although it ignored some challenges, it’s risen to quite a few, but it still involves wasting a valuable 0-day exploit in the iOS to settle a forum grudge. Anyone who does that is, by definition, too dumb to do that.
No one has said it’s impossible. We could do a Drake equation on the subject, but based on this discussion, I’d still be counting the zeros to the right of the decimal after I won the lottery.
That’s what the aliens in Independence Day thought, but they didn’t count on a bridge over tcp/ip!
Tapatalk has had a few vulnerabilities. One was a trick to see your forum passwords, but that could only be done by you installing a proof of concept app that did it (and it was only on Android). It’s also been used to attack a vulnerability in forums, but that forum bug could have been exploited with anything, the attackers just used Tapatalk.
Tapatalk is like a browser, it connects to the forums and formats them to be read within the app. I don’t know how many forums you visit, but I’ve been using it for about 9 months and only use it for 6 forums, so it’s like a browser that only connects to a limited number of sites. I’m not sure how the iphone version works. On Android, it can open links, but it uses the system browser. It can download files, but it uses the system download manager and thus the system’s built-in security measures about executing downloads.
The main danger is probably that a forum owner puts a piece of naughty code in the forum pages and it messes with Tapatalk. Putting that into the Drake equation above would probably make it a little less likely. Now it needs a forum owner to deliver the mystical iOS exploit that can hack your PC.
not_alice, this is a third Moderator Warning, once again for violating my instructions. I told you to drop the snark. If you can’t do so, stop replying to this thread.
The poster used a colloquialism and I asked him to clarify his terms. That is not snark.
That is my professional opinion. I see no evidence here for any of mittu’s, and every string of rhetoric s/e has written has been debunked repeatedly by me and others, yet s/he insists on giving people bad advice regarding security.
My professional opinion again, not snark. I read plenty of forums where the posters are script kiddies, and there is much similarity between some of the content on this thread and those forums.
that is not snark, that is advice to others to consider the risks of following **mittu’s ** recommendations. Again, my professional opinion.
I’ve installed a program on my iPhone that allowed me to control the mouse on my computer with the touchscreen on the iPhone. Granted, I had to install a server program for it on the computer as well, but I did. If that had been the program with malware that slipped by the Apple security team, my computer would have been extremely vulnerable.
Apple has approved over 100,000 apps since the app store opened in 2008. Developers don’t have to even submit code to Apple, just executable binaries. Apple gets upwards of 10,000 submissions a week. And all the malware that doesn’t exist because we haven’t heard about it? If it’s well written malware, you never will.
Yeah people have lots of concerns, but they are concerns which aren’t backed by reality. Like I said earlier security experts have been predicting doom since 2004 for the iphone but here we are 6 years later and nothing has happened, not for lack of trying on the part of hackers one would imagine. The banking app flaw is a flaw which in itself is not malicious. When testing iphone apps the saving of local data isn’t going to raise any flags, if that data was then sent to a third party then sure, time for alarm bells but that isn’t the case here so it’s no surprise that it passed into the app store. Apple aren’t responsible for making sure developers aren’t idiots, just that they aren’t malicious (intentionally or otherwise).
It is not factual proof of a flaw in iOS design or the app approval process to say things like ‘If that had been the program with malware that slipped by the Apple security team, my computer would have been extremely vulnerable.’ If you start injecting your own conditions (which aren’t true) in order to invent a scenario where something is true, it should be a sign that that thing simply isn’t true in the real world.
I think this thread is going round and round in circles to little end, nobody can demonstrate flaws in iOS that would allow an attacker to do anything malicious. An app would need to get past the approval process despite containing malicious functions, something which has never been done despite experts saying it is inevitable for 6 years. Until someone can demonstrate this being possible the answer to the OP remains ‘no’. This is the last I will say on the matter, it’s getting dull pointing out the same fallacies over and over again, and unlike some I have the fortitude to stick by my decision to leave this thread to the crows.
“If ifs and buts were candy and nuts, we’d all have a merry Christmas”
My opinion as a professional snarker is that when called on your snark, it’s a bad idea to merely repeat everything you just said and claim it wasn’t snark.
Has anyone specified what the terms of this question are?
If I ask Harry Houdini if he can break out of a pair of handcuffs, and he says “sure,” I’m going to be disappointed if he comes to the challenge with an X-ray machine and a couple of assistants with power tools.
I believe that it is within the realm of possibility to use an iPhone to hack into a PC on a local network if the iPhone has been prepared with pre-installed malware. This however, is a completely different situation than trying to do this with a stock iPhone that is merely on standby, getting email in the background.
Yeah, I haven’t seen you post one “debunk” here yet.
So far, this thread reads like a professional (mittu) tearing an amateur (not_Alice) a new one, while not_Alice continues to posit unreasonably obscure possibilities.
And btw, the iOS doesn’t rely on security by obscurity (see end of post for details).
Case and point: Android had malware less than three months after it was release, and by the release of froyo it had a half dozen or so malware apps where were remote killed.
On the other hand, there have been zero malware apps remote killed (or removed) from the app store – plenty have been denied, but none killed. And at the time, android was much less prevelant than iOS, and iOS still has more apps, more app downloads and more app submissions than Android. Your security by obscurity argument is as ridiculous as your “BUT WHAT IF APPLE DOES SOMETHING IT HAS NEVER DONE BEFORE AND IS ENTIRELY OUT OF CHARACTER FOR THEM?!” argument.
The OP came back to mention that he uses the Tapatalk app and was on a board where people threatened to hack each other and wondered if visiting the site via tapatalk could compromise his phone, and then his computer.
I tried here to get on the subject of Tapatalk. This is guesswork based on my experience with Tapatalk and how it works but, to me, using the app seems to put some constraints on an already constrained situation.
Any valid response in the negative would have to prove that it is not possible. Which is not possible. So the OP’s question, whether useful or not, is de facto true.
Straw-men ensue, such as “sure, all the air molecules in a room could assemble in one corner”. Some might detect that the distinct odor of fear and ignorance is discernible?