Again, my case about never playing a match-3 game ever again has been breached. This time, I am very happy with my decision because the result is so good. The result? Ponk. Making its way into the puzzle/arcade genre(s) is Ponk, a wonderful and colorful match-3 game from iPhone
Over in this week's "Pwn2Own" hacking contest in Vancouver, British Columbia, Canada, virtually every major browser and operating system had vulnerabilities exploited. According to CNET, researcher Charlie Miller, the principal security analyst with Independent Security Evaluators, took home the $10,000 prize after he hacked Safari on a MacBook Pro without having access to the machine. Miller also cracked Safari in Mac OS X last year, taking home the $5,000 prize in addition to hacking a MacBook Air in 2008 at the competition.
This year, Ralf-Philipp Weinmann, from the University of Luxembourg, and Vincenzo Iozzo, from German company gained access to an iPhone that was not "jailbroken," a procedure that allows users to run unauthorized code and unlock the handset for use on unapproved carriers.
A new security flaw has been uncovered in the iPhone's software that could have potentially serious ramifications. The issue lies in the ability to download system configuration files over-the-air through Mobile Safari, which enterprise businesses use to install configuration files to make setup possible. A group of anonymous hackers has figured out a way to make the configuration file register as being "Verified" on the device, and even have it show up as being sent from Apple Inc, allowing them to trick someone into installing a malicious system config file without knowing it.
According to Swiss software engineer Nicolas Seriot, Apple's app approval process is not enough to weed out certain malicious applications from getting into the App Store and being downloaded by millions of users. With the current system, apps disguised as a harmless game or other app could easily be created to harvest user data in the form of their mobile-phone number, address book data, and a notes section of the address book, and then send it to be stored on a web server without the owner knowing.
Well, at least the iPhone security people aren't bored these days. A Swiss iPhone developer has published research that indicates that security vulnerabilities affecting the iPhone are not limited to jailbroken iPhones. Developer Nicolas Seriot has created a proof of concept app called SpyPhone as a demonstration of how Apple’s own APIs could be misused to read or edit a user’s address book or gain access to a user’s web surfing history or recent location information.
You might want to be careful with what you do on your iPhone over an unprotected Wi-Fi hot spot. A recent report from mobile security research firm SMobile Systems says iPhones and other smartphones connected to unencrypted Wi-Fi hotspots are easy targets for hackers with certain tools that are currently available to them. Their study used a laptop with software tools that intercepted communications between smartphones and the Wi-Fi access point they were connecting to, and then bypassed SSL. The information was then used to access several email accounts, but could also be used for things like bank accounts.
The creator of the rickrolling worm Ikee created quite a stir the other weekend when his self-replicating software was discovered spreading around iPhones across Australia. Since then, he's been discovered, and he says he's received both death threats and even a job offer for what he's done.
Undercover for iPhone, Orbicule's app for recovering stolen iPhones and iPod touches, has been updated to now utilize push notifications to trick thieves into telling you where they have your iPhone. All savvy internet-goers these days are familiar with the classic phishing scam where a scammer will trick you into giving them sensitive information by pretending to be an organization you trust like a bank or credit card company. Undercover 1.5 lets you use this same principle to trick thieves into disclosing where they and your stolen iPhone are located.
Mac security firm Intego is now reporting its discovery of a piece of malware which affects many jailbroken iPhones. The malware appears to use the same vulnerability as the "ikee" exploit which we reported on earlier this week. This more nefarious software can be installed on any device and used to collect user data from any jailbroken iPhone or iPod touch which uses the default root password.
Unlike traditional computer viruses, this one, which Intego calls "iPhone/Privacy.A," instead simply runs on a Mac, PC, or even another iPhone and monitors for jailbroken devices. Once the software finds a vulnerable device, the hacker can then access and copy any information.
The first known actual iPhone worm has been spreading across jailbroken iPhones in Australia late last week. The worm seeks out jailbroken iPhones with SSH installed in which the default password has not been changed, and installs itself on the device. Once installed, it changes the background to an image of Rick Astley and looks for other phones on the network to install itself on, though it has the potential to be used for more malicious things.