16 October 2007
There are a number of dubious design decisions in the Apple iPhone and iPod touch. As I wrote earlier, the most serious of these is the apparent intention to make these devices purchasing appliances rather than networked computers. I'm tempted, in fact, to label them iProfits.
From a security perspective, though, there's another problem: everything runs as root. That is, every application runs with full privileges; if any application has a security hole — and there have been many of them — the attacker has complete control over the device. It is, frankly, rather unbelievable that Apple made such a mistake. Microsoft effectively did this with every version of Windows up to Vista, but at least they had the excuse of backwards compatibility. It almost justifies Apple's claim that excluding other applications is necessary for security, save that Palm Pilot has always has always behaved that way.
There is a silver lining, though. Running as root has one major advantage: root can switch to other userids. This would permit each application to run as a separate userid, thus separating each one from the others. It's a solution I've been advocating for years. Microsoft has done something similar with Internet Explorer 7. Will Apple follow suit? It would be a good way to benefit from a serious misfeature. Of course, they have to separate their own applications that way, too; they've certainly had their share of security problems.
Update: Apple has just announced that in February, they will offer a software development kit (SDK) for the iPhone and iPod touch. This is very good news. However, the note speaks approvingly of Nokia requiring applications to be digitally signed by "known developers". This conflates authentication — who wrote or published the code — and protection. They're not the same. At best, authentication tells you whom to sue after the fact. What's really needed is a strong security architecture that prevents nasty things from happening.
It will be interesting to see what happens if Apple does decide to use digital signatures. What will the criteria be for obtaining a certificate? Will certificates need to be renewed frequently, effectively forcing users into a software rental model? Is this the iPhone or the iProfit? (There are some good observations in the New York Times Bits blog.) I'll post more when we know some details.