To Jailbreak or Not to Jailbreak, That is the Question

Apple maintains tight control over its iOS software and hardware. There is no file system per se to which users have direct access, applications cannot easily communicate or collaborate with each other, you can only get apps from the App Store and so on.

Apple has done this to ensure a high level of quality and uniform usability for its customers. The company also wants to maximize its iOS revenues by making sure that only apps it approves and hosts on the App Store can be downloaded and installed. As a side benefit to customers, all of these controls make iOS a very secure mobile platform and a favorite in corporate environments.

For the most part, the iOS user community accepts this state of affairs. However, many other owners of iPhones and iPads have gotten tired of the stringent controls Apple places on their devices, limiting them from fully utilizing all iOS capabilities. Many users have decided to jailbreak their devices in order to unlock more of the features that iOS has to offer.

What is Jailbreaking?

Jailbreaking is the process of removing the controls and restrictions Apple has placed in iOS so that you can use your device more like a personal computer or an Android device, which does not have iOS-style controls.

Whether jailbreaking is something you do to your iPhone depends on what you want to accomplish, and whether you are willing and able to accept the risks.

iOS Security Architecture Overview

At this year’s RSA Security Conference 2012, I attended a lecture session on iOS Security Fundamentals given by security threat researchers Dino Dai Zovi and Charlie Miller. The information in this section is a summary of the points they presented.

Jailbreaking an iOS device is a challenging obstacle course that requires considerable hacking skill and effort to conquer. It involves applying multiple exploits to poke holes through the several layers of security built into the operating system. Specifically, the iOS architecture includes these security elements:

  • Reduced attack surface. There are fewer apps to attack in iOS and consequently fewer bugs to exploit.  Flash and Java are frequent attack targets on other operating systems but do not run on iOS.  Many file types either cannot be rendered or are only supported to a limited degree. Not all features of PDF files, for example, are supported.  There is no terminal shell (/bin/sh) nor the binaries that you can run in shells, like “ls”, “rm”, “cp”, “mv”, etc.  That means you cannot run shell code exploits.
  • Privilege separation.  Most iOS processes run in a limited user privilege mode.  You don’t get direct “root” access which, on other operating systems, lets you do anything you want to your computer.
  • Code signing. All executables and applications must carry signatures certified by Apple. Signatures are validated whenever any executable or application is run on iOS. This is why you can only get apps from the App Store. Code signing makes it nearly impossible for attackers to upload and run remote apps on your iPhone.
  • Non-executable memory.  Buffer overflow is a hacking technique where an attacker injects malicious code into areas of memory allocated to store data that are outside the memory boundaries of a given application.  Once there, this code can be executed beyond your control to damage files or steal data from your system.  By contrast iOS does not allow code to be executed from memory marked for data storage.  In other words data written to memory by an application cannot be executed.
  • Address space layout randomization. Operating systems that load code and data into fixed, predetermined memory locations are more susceptible to buffer overflow since attackers know in advance where code and data will reside in memory. iOS puts code and data in random memory locations so attackers must guess where their code will run. Wrong guesses can cause the malicious code to crash, which is usually an irrecoverable situation.
  • Sandboxing.  Applications obtained from the App Store run in a restrictive sandbox that limits access to iOS system resources.  Apps that are installed with iOS, like Safari, also run in a sandbox but one that is less restrictive than the purchased application sandbox. These apps can open your address book, photos, movies and so forth, but are prevented from other potentially damaging activities like sending SMS messages.

Benefits of Jailbreaking

After reading the list of security protections offered by iOS, you might wonder why anyone would want to jailbreak their iPhone or iPad. There are, however, practical benefits to jailbreaking.

When you use your iPhone internationally, you are subject to roaming charges. For Internet access you can always use free Wi-Fi hotspots to hold down roaming charges, but free Wi-Fi is not as common in countries outside the US. You can unlock a jailbroken iPhone, allowing you to replace your original SIM with an inexpensive pay-as-you-go SIM that you purchase in the country you are visiting.

For an extra monthly charge, you can tether your iPhone to your notebook computer to give the latter Internet access in areas where there is either limited or expensive Wi-Fi. Alternatively, there are several apps that run on jailbroken iPhones that give you this same access for free.

Without jailbreaking, you have to use AT&T or Verizon as your carrier for your iPhone.  But jailbreaking and unlocking your iPhone lets you use any 3G or 4G carrier.

Risks with Jailbreaking

The security risks of jailbreaking are huge. You give up all the considerable security protection that iOS normally provides. This leaves your iPhone more vulnerable to attack.

When you jailbreak your iOS device, you are never completely sure what the jailbreaking code is doing.  For all you know, the code could be installing other malicious binaries. Don’t forget that by definition and practice the process of jailbreaking involves exploiting your iPhone in the first place.

If something goes wrong during the jailbreaking process, you automatically void your warranty with Apple. Don’t bother taking your hopelessly dorked up iPhone to Apple service; they will turn you away on the spot. That said, all you have to do to restore your iOS device to factory settings is connect to the computer that you use to back up iOS and go through a restore operation.

When it comes to updating your iOS software, you are kind of stuck. The act of updating will undo your jailbreak and you may have to wait for a while before a jailbreak for your new iOS version is released. You may have to forgo iOS updating if you prefer using your iPhone in a jailbroken state.

So far Apple has not created any updates that intentionally damage jailbroken iOS devices. At the same time, since the company neither condones nor supports the practice, it is unlikely to give much consideration to the effect any given update has on these devices.

Is Jailbreaking for You?

Jailbreaking unlocks some interesting capabilities in iOS devices for users adventurous enough to try it.  However, in my opinion, the security risks and inconvenience of jailbreaking outweigh the benefits. I haven’t jailbroken my own iPad nor am I likely to in the near future.

If you bring your iOS device into work you should check to see if your company has a policy prohibiting jailbroken devices from connecting to the company network.  If your company has such a policy you will have to forgo jailbreaking or restore the original iOS software on your device to comply.

It’s wise to think twice before jailbreaking your iPhone or iPad.


Facebook Privacy Controls Get a Facelift

Last spring I wrote a blog called Facebook Privacy Potholes in which I explained how to navigate Facebook’s then somewhat difficult privacy control terrain. Since then Facebook has given its privacy controls a much needed, well, facelift. It’s now fairly easy to control your Facebook privacy settings.

And it’s more important than ever to know how to protect your online privacy with Facebook and any other social networking service for that matter.

I just read an article that kind of sent shivers up my spine. Cult of Mac, the daily news website that follows anything Apple, reported on an iPhone app called Girls Around Me that actually pinpoints on a Google Map the locations of women who are within a certain radius of your location. The app does this by tapping into Facebook and Foursquare APIs that provide information on the locations of women who have checked in with these services to let their friends know where they are.

The trouble is a lot of people either don’t know how or don’t do anything to change their default privacy settings, which are usually set to allow information like current geographic location to be essentially broadcast to everybody.

Limiting the circulation of your posts on Facebook – and Foursquare – to friends you trust is the best way to avoid being tracked by apps like Girls Around Me.  Now, let’s take a look at how you can do that with the new Facebook privacy controls.

Take It from The Top

Clicking on Privacy Settings in your Facebook drop-down menu takes you to a screen that shows your top-level privacy settings. The first improvement over previous Facebook versions you’ll notice is that your top-level controls are nicely organized into sections: Control Your Privacy When You Post, Control Your Default Privacy, How You Connect, Timeline and Tagging, Apps and Websites, Limit the Audience for Past Posts, and Blocked People and Apps.

In the Control Your Privacy When You Post section, the visibility of each post you make can be individually set to Public, Friends, Only Me, or a custom level. If you want to create a default setting for all your posts, click on Public, Friends or Custom under Control Your Default Privacy; all your posts will then use that setting. I strongly suggest you limit all your posts to friends and make sure that your friends on Facebook are just that, not merely acquaintances.

How You Connect

Clicking on this category link takes you to the How You Connect screen.  It lets you control how, and if, you can be found in Facebook searches and contacted.

Allowing yourself to be found on Facebook is the one option I can advocate for setting to Everybody. If you don’t use this setting, you will be almost invisible to everyone, which makes it hard to reconnect with friends you had years ago who are trying to find you on Facebook. You do run the risk of getting spammed via email, but I haven’t seen much on my account.

As for the option that controls how people can contact you, I suggest limiting this to Friends or Friends of Friends to cut down on unwanted messages. If you make a new real friend who is not in either category, you can “Friend” them, which adds them to your circle of trust.

Timeline and Tagging

While I’m OK with people finding me on Facebook, when it comes to posting on my timeline and getting tagged in photos I want to limit either activity to a great degree.  Facebook did a nice job of organizing these controls in the Timeline and Tagging panel.

The first three controls handle who can post to and see what’s on your timeline. I suggest you limit that to Friends only, particularly if your posts are somewhat personal. Of course, if they are too personal, I don’t think you do yourself any favors posting them on Facebook.

Tagging is a feature I’ve never really liked using nor promoted for myself, although I can see why people who are very close in social networking circles and in real life would like to be tagged in each other’s photos.

Facebook allows you to review posts to your timeline in which others tag you when you enable these controls. Unfortunately, this does not prevent people from tagging you in photos that appear elsewhere on Facebook. Such a feature is high on my wish list for future enhancements to the service.

With the last control on the timeline panel, you can opt out of letting people use Facebook facial recognition to get assistance in tagging you in photos in which you appear. I wrote a blog about this technology when it was first introduced, stating that facial recognition does not diminish your privacy on Facebook any more than being involved in social networking does. Nevertheless, if you feel the way I do about tagging, you might as well opt out of this feature by setting this control to No one.

Apps and Websites

In my Facebook Privacy Potholes blog, I commented that it’s a good idea to limit the access to your personal information that apps and websites have. My advice this time around is the same.  Use the Apps and Websites panel to take an audit of the apps that currently have access to your Facebook account to see whether or not you still use them or should cut back on the information they access.

Let’s take an example from my settings.  I use a Google Reader client app called Feedly from which I like to post articles to Facebook and Twitter. To do this, Feedly requires access to my accounts on both of these social networking services. When I click on Feedly, I get the panel of settings shown in the following illustrations.

Here I see that Feedly requires access to my basic information and information that people share with me. However, I was surprised to find out that by opting into Feedly on Facebook, I unknowingly allowed the app to manage my pages, which I certainly don’t recall allowing it to do when I first authorized access to my Facebook information. So I just clicked on the Remove link to prevent Feedly from doing this. I also didn’t feel comfortable with allowing the app to access my data anytime so I got rid of that privilege as well.

Another great Facebook privacy feature is the app access log. Click on the See details link under the Last data access section and a screen will pop up that shows you when and what Facebook information of yours was looked at.

The last three privacy controls in the Apps and Websites panel govern how the personal information gathered by apps can be used, including: how people bring info to apps they use, instant personalization, and public search. I’m going to make a sweeping generalization here by saying that none of these are your friend when it comes to maintaining your privacy on Facebook. Because these leave open the possibility of sharing information in ways that go otherwise unchecked, I suggest you opt out of all of them.

Limit the Audience for Past Posts

With the introduction of Timeline, Facebook made it convenient for you and others to go all the way back to when you first started using the service to see what you posted. Limiting the audience for past posts enables you to convert all the posts that you made public or only shared with friends of friends to be visible to only friends.

This is very handy if you originally set the visibility of your posts to public or friends of friends back in the Control Your Default Privacy section of your top level privacy controls and you’ve since decided that wasn’t such a good idea. If that’s the case don’t forget to go back to that section and change the setting to Friends.

Blocked People and Apps

By the time you get to the Blocked People and Apps section of the top-level privacy control panel, you are pretty well set and may not have to adjust anything here. On the other hand, if you are troubled by contact from users whom you don’t want to include in your friend list, app and event invites that don’t interest you, or applications in general that you don’t want to hear from, you can block any or all of these in the Blocked People and Apps panel.

Another interesting control this panel gives you is the ability to compile a list of friends who should not receive your posts unless you make them public.  I’m not sure when you’d really need this control if you truly trust all your Facebook friends. Before making such a list, I think you should consider first unfriending the friends you were planning to use it on.

This article was also posted on Fearless Web


Pinterest is Fun, But There Are Privacy Risks

Pinterest is the relatively new kid on the block that is taking the social media world by storm.  If you haven’t heard of it or tried it out, Pinterest is a social networking service that lets you upload and pin pictures to your own online picture boards. It’s like a pictorial Twitter where all your pins are visible to users in a public timeline stream of photos.

You can re-pin pictures you find on Pinterest, or anywhere else on the web with the right browser plugin. You can follow and be followed by other users if you fancy their pins or they fancy yours. You can also comment on pins wherever you find them so you can discuss pictures with others.

I have to confess that I’ve been really caught up in the Pinterest phenomenon. For the past couple of weeks I’ve been pinning pictures of a few of my favorite things in the areas of music, movies, and humor. Pinterest is just flat out fun. I love seeing the new images that come down the wire. It’s like looking at a new photo album every time you go to the Pinterest website.

But on the flip side of all this Pinteresting stuff – the company’s even got me talking like them – Pinterest is all about public exposure. If you are not careful you can really sacrifice your privacy and damage your reputation using this service.

Be Careful What You Pin

Let me state this simply and clearly: there are no privacy controls supported by Pinterest, period. Like Twitter, everything you pin is seen by everybody, not just your followers. There are no controls you can use to limit the visibility of what you pin or comment on like there are on Facebook and Google+. And like Twitter, once your pictures and comments go online, there’s no taking them back.

The easiest way to avoid torching your privacy or just embarrassing yourself online is to really think twice about any picture or comment you want to post. Following these guidelines, which seem like common sense to me, should keep you out of trouble on Pinterest:

  1. Don’t post any pictures that you wouldn’t feel comfortable showing to anyone including your parents, kids or co-workers (that includes your boss) in person. It’s easy to get carried away with pictures. Stuff you’d only be willing to show to your closest friends, you probably don’t want everybody to see. So stop and think before you pin. If you feel comfortable showing anyone a given picture in person and are reasonably sure they wouldn’t be offended, then you are probably OK going online with it.
  2. Similarly don’t add any comments to pins that you wouldn’t be able to say to anyone in person.  Your intentions may not be to insult or alienate somebody with your comments, but things can be taken out of context. Basically if you don’t have something nice or informative to say then don’t say anything at all.
  3. Don’t reveal your current location online, particularly if you are away from home.  Trust me, nobody really cares where you are every 10 minutes of the day, with the possible exception of thieves who might be interested in breaking into your house when they find out you are not there.  Save your posts for pictures when you are on a truly great vacation that people might actually enjoy looking at. And don’t use Pinterest for this, stick to Facebook, Google+ and other services where you stand a reasonable chance of limiting the circulation of these photos and the information that you are out of town.
  4. Parents, help your kids with these suggestions and let them know what you consider to be material appropriate to put online. Kids are kids, as they say, and don’t always realize the ramifications of what they do, particularly if it seems like harmless good fun. But what they share online can be harmful to them and to others. Take a look at my blog 10 Social Networking Tips for Parents to get other ideas for helping your kids use social networking responsibly.

This article was also posted on Fearless Web.


Which Type of Mobile Device is More Secure – iOS or Android?

Apple rigorously scrutinizes applications before publishing them on its App Store site, often rejecting apps that violate the company’s security and usability policies. Given this practice, it’s easy to assume that iOS mobile devices (iPhones, iPads, iTouch) are more secure than their Android counterparts.

But there’s more to this story. Veracode, maker of application risk management software, published a useful infographic that contrasts iOS and Android security. The bottom line is both mobile operating systems have strengths and weaknesses when it comes to security that you should be aware of.

Common Security Features

To a great extent iOS and Android devices are more secure than PCs. For one thing, each application installed on either platform must be granted your permission to access data that resides on your smartphone.

Laptops, on the other hand, usually require only that you are logged in as a particular user that has been granted permission to install applications and access system-wide data. Once granted, this permission exists for the lifetime of that user account. Malware that assumes the identity of this privileged user can likewise access data on the laptop without asking for permission to do so.

Applications running on iOS and Android cannot access mobile device hardware directly. Normally malware attacks the operating system, but last year there was a report of next generation malware that attacks the code contained in PC firmware. The attack involved using diagnostic software for PC network cards to install custom code into the firmware that allows a hacker to run malicious code on the PC victim. This sort of breach is much more difficult to do on an iOS or Android device.

More on Android Security, Pro and Con

When installing an Android application, you are prompted to accept the installation. You must give permission to the marketplace you are downloading from to allow the installation. With this scheme, it is not possible to remotely install and run, without your knowledge, undesirable applications that could do damage to the device, such as auto-erasing files or geo-locating the phone and you.

On the minus side, it is well known that Google does not check the security of apps before publishing on the application marketplace, which greatly increases the chance of picking up malware on your Android phone. On several occasions Google has had to scramble to pull malicious apps off the marketplace. It’s safe to say there is a greater likelihood you could pick up a malware laden app from the marketplace.

You can mitigate this risk to a certain degree by checking the legitimacy of the Android app source.

More on iOS Security, Pro and Con

In addition to Apple’s security testing of apps prior to App Store publication, iOS has permission-based access control for protected features that is enforced at runtime. For example, when an app wants to track the location of your iPhone, iOS prompts you to allow or deny location tracking.

If one of your iOS devices is lost or stolen, you can find it from another iOS device with the free Find My iPhone app. You just register your devices with Apple and then, when one of them goes missing, you can use Find My iPhone to find it on a map, remotely lock it, or completely erase all the data on the device.

But it’s not all rosy for iOS, as Apple has had to withdraw malicious apps from the App Store after allowing them to be published. Last year, security expert Charlie Miller published a proof-of-concept app that exploited a security flaw in the iOS Safari browser, enabling his app to download and run malicious code that could be used to steal data from victims. The scary thing is that Miller’s app passed Apple’s security screening process the first time around. Apple only pulled it from the App Store AFTER realizing the potential security risks it posed for users.

Every iOS device running a version of the operating system lower than 4.3.5 is susceptible to an SSL man-in-the-middle attack, which is made possible by weak validation of certificates for SSL (Secure Sockets Layer) network connections.

The problem may be all the more serious if you have a device that cannot be upgraded to the latest iOS. Apple simply won’t allow certain categories of devices to be upgraded. You can’t upgrade an older 3G iPhone to the full iOS 4.x, which means these phones are permanently saddled with all the vulnerabilities that came with pre-4.x iOS, including the SSL man-in-the-middle attack.
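The version threshold above can be turned into a fleet check. The following is an added example, not code from the original article or from Apple: it audits a constructed device inventory against the 4.3.5 cutoff and separates devices that can be updated from those whose newest supported release is still below it. The CSV column names, the status labels and the sample rows are assumptions made for illustration.

```python
import csv
import io
import re

# Threshold taken from the article: versions lower than 4.3.5 are affected.
FIXED_IN = (4, 3, 5)

# Constructed sample inventory (not real devices). The column names,
# including max_supported_version, are assumptions for this example.
SAMPLE_INVENTORY = """\
device_id,os_version,max_supported_version
d-001,4.3.5,
d-002,4.3,
d-003,4.2.1,4.2.1
d-004,4.10,
d-005,4.3.5b,
d-006,5.0.1,
"""

_VERSION_RE = re.compile(r"[0-9]+(\.[0-9]+){0,2}")


def parse_version(text):
    """Parse 'a', 'a.b' or 'a.b.c' into a 3-tuple of ints, or None if malformed.

    Comparing tuples of ints avoids the string-comparison trap where
    "4.10" sorts before "4.3.5".
    """
    text = (text or "").strip()
    if not _VERSION_RE.fullmatch(text):
        return None
    nums = [int(part) for part in text.split(".")]
    return tuple(nums + [0] * (3 - len(nums)))


def classify(row):
    """Return 'ok', 'update', 'replace' or 'review' for one inventory row."""
    current = parse_version(row.get("os_version"))
    if current is None:
        # Unparseable version: fail closed rather than assume it is patched.
        return "review"
    if current >= FIXED_IN:
        return "ok"
    ceiling = parse_version(row.get("max_supported_version"))
    if ceiling is not None and ceiling < FIXED_IN:
        # The hardware can never reach the fixed release.
        return "replace"
    return "update"


def audit(inventory_csv):
    """Map each device_id in the CSV text to its status."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["device_id"]: classify(row) for row in reader}


if __name__ == "__main__":
    for device, status in audit(SAMPLE_INVENTORY).items():
        print(f"{device}: {status}")
```
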

In all fairness to iOS and Apple, there are many older Android phones that are orphaned, left behind because their hardware was not compatible with more modern versions of the Android operating system. Not everybody races to upgrade to the latest mobile phone hardware, so users who can’t or don’t want to upgrade their phones every couple of years will eventually be stuck with permanently vulnerable devices.

So What’s the Answer?

For my money, iOS has better security features than Android due to Apple’s pre-publication security testing and the platform’s overall resistance – but not immunity – to malware.

To cover the gaps in Android security, Trend Micro offers Mobile Security Personal Edition, which provides application scanning, call and texting security, and lost device protection. For iOS protection, you can use Trend Micro Smart Surfing for iPhone, which is a free mobile browser that blocks access to malicious websites and provides protection against phishing attacks.

Mobile smartphones are increasingly becoming targets for malware, but if you understand the extent to which your device is vulnerable, keep your mobile operating system up-to-date, and use the right anti-malware tools, you can travel safely on the mobile Internet.

This article was also posted on Fearless Web.


Teaching Our Kids to Be Good Digital Citizens

Back in October I came across the article How To Teach Kids ‘Digital Literacy’ on Forbes’ website that discussed how The School at Columbia University is using the open source tool Elgg to create private social networks that their pre-teen students can use to improve their digital literacy.

With Elgg, the students have an isolated environment where they can safely learn how to use social networks and develop an understanding of what is appropriate online behavior, without risk of exposure on the public Internet.

I think this is a model that could and should be adopted by other schools. Learning computer skills should be an integral part of any child’s education both at school and home. But when reading the Forbes article what struck me as even more important is the responsibility we have as parents to teach our kids to be good digital citizens.

Parents, Remember the Golden Rule

Cyberbullying is a problem with which many kids have to cope. Considerable attention has been devoted in the media to educating kids about what constitutes cyberbullying behavior and what can be done to protect them from it. It’s easier to picture one of our children as a cyberbully victim than it is to see the potential for the same child to become a cyberbully.

I’ve said it before in a previous blog on social networking tips for parents. Our kids have to take the Golden Rule to heart. Social networking is an extension of our face-to-face social world where we are expected to treat others as we would want to be treated ourselves. It’s our parental responsibility to instill this notion in our children so they know how to behave responsibly, online and otherwise.

Whenever one of our kids writes an email, sends an instant message, or posts to a friend’s Facebook Wall, they have to ask themselves whether the message is something they would want to receive from someone else. It’s simple really when you stop to think about it, but many kids don’t.

That’s where close parental involvement in our kids’ digital lives is so important. We need to know when and how they are using the Internet. The trouble is that can be a tall order for many of us in our busy adult lives. We can’t look over our children’s shoulders all the time while they are online.

Trend Micro Titanium Can Help

Despite our best efforts, kids may still post something online that is on the borderline of what we consider to be acceptable. Sometimes people end up saying something offensive when no offense was intended because the objectionable words were said to people who they consider to be “close” friends. Even amongst friends it’s easy to forget that a joke to one friend might be an insult to another.

To help your kid out, you can use Titanium’s Data Theft Prevention feature. Normally, Data Theft Prevention is used to prevent personal data like credit card numbers, addresses, phone numbers, and such from accidentally being sent out over the Internet. But it is also a great tool for filtering out objectionable language before it is sent.

Here is the procedure for setting rules to block objectionable words or phrases.

[Screenshot: Data Theft Protection]

1. Open the Titanium control panel.

2. Click on Tools.

3. Click on Data Theft Protection. You’ll see a screen like the one shown above.

4. Click on the New Category button to add a new entry.

5. Enter something like Bad words in the Category column.

6. Enter the word or phrase you want to block in the What to Protect column.

7. Repeat steps 4 – 6 for all the words or phrases you want to block.

8. Click OK.

After that, whenever any of the What to Protect phrases is entered into a browser or email, users will be notified that the phrase they tried to enter was blocked. This protection will not only prevent your child from sending the prohibited phrases; the notifications will also help teach your children that these words are not appropriate in any situation.

This article was also posted on Fearless Web.