Security through obscurity is never a good thing and will always be broken. We can see this with the iPhone's encrypted App Store binaries. Once the phone is jailbroken, it is trivial to decrypt the apps: you simply run the program under gdb and set a breakpoint after the decryption routine has run. Voila! You have the decrypted app. The virus writers do a much better job at this.
Recently I downloaded a Firefox plugin (I know, nothing to do with the iPhone, but it illustrates my point) which required paid registration to gain access to all the features. I pulled up Wireshark and noticed that every time I started Firefox it would query the company's servers to see if the license was valid. The silly part, however, was that all the queries ran over plain HTTP (no encryption). It would be trivial to change the hosts file on my computer so that their domain was redirected somewhere else, perhaps to a server I controlled that would tell the program the license was valid.
Why do I bring all this up? First of all, any iPhone app developer who thinks no one will have access to the files on the device is obviously wrong. Hard-coded passwords, registration numbers/processes, etc. are all a bad idea. Second, of all the third-party apps I've tested that use network connections to push out the user's recent score in a game, download the high score list, etc., none of them use SSL. This is a bad idea because using MITM techniques I could modify the packets and no one would be able to detect that. Also, let's say there was a buffer overflow in the code that parses the high score list. Any exploit could be thwarted if the connection ran over SSL and proper certificate checking were performed. Instead, however, all an attacker would have to do is MITM the host and inject the exploit when the high score list comes back from the server.
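As an added illustration (not code from this post or from any of the apps mentioned), here is the difference between "uses SSL" and "uses SSL with proper certificate checking" in Python's ssl module, with a small audit that flags the weak settings; the high-score host, path and pinned CA file are assumed placeholders.

```python
import http.client
import ssl
from typing import Optional

def weak_context() -> ssl.SSLContext:
    """The pattern the post warns about: TLS is on the wire, but the server
    certificate is never verified, so a MITM certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def hardened_context(pinned_ca_pem: Optional[str] = None) -> ssl.SSLContext:
    """Require a trusted chain and a hostname match; optionally trust only the
    vendor's own CA (pinned_ca_pem is an assumed path to a PEM bundle)."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if pinned_ca_pem:
        # Replace the system trust store with the pinned CA only.
        ctx.load_verify_locations(cafile=pinned_ca_pem)
    return ctx

def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the list of weaknesses that would let a MITM tamper with
    the high-score list; an empty list means certificate checking is on."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not required/verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions allowed")
    return findings

def fetch_high_scores(host: str, path: str, ctx: ssl.SSLContext) -> bytes:
    """Download the high-score list over TLS using the given context.
    Host and path are assumed values; not run by the example itself."""
    conn = http.client.HTTPSConnection(host, context=ctx, timeout=10)
    try:
        conn.request("GET", path)
        return conn.getresponse().read()
    finally:
        conn.close()

if __name__ == "__main__":
    print("weak:", audit_context(weak_context()))
    print("hardened:", audit_context(hardened_context()))
```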
This got me wondering: are smartphone browsers vulnerable to this too? My guess is that they are, but to what extent? I believe that App Store and iTunes connections are SSL. What about older Windows Mobile Internet Explorer browsers? In the next few weeks I hope to code up a tool that can test these OSes against this vulnerability.