Is any one auditing the software on the app tap installer? we are basically installing apps that are brand new, from programmers who most likely do not have reputations.. who knows what could be in them or what they could be harvesting from our phones. I'm curious what has been done to ensure our phones are safe... I'm guessing nothing...

Our iPhones are computers so we should treat the security on them in the same way that we would our regular computer systems.

nothing, just like when you go on sourceforge or any website and download an app from some guy you've never heard about...

RVN84, true. However since the apps on SF are more widely used (because the iPhone is so new) I have more confidence that the OSS community will find backdoors , etc. I guess its going to be hard to know what all of the apps have in them.. but maybe we should have a warning for users when they are installing the apps? 3rd party app makers would suffer a pretty big loss if one bad apple gave 3rd party apps a bad wrap IMO. It would also give apple more fuel to throw on the fire as to why 3rd party apps should be blocked.

AFAIK, there is such a warning in AppTapp installer when you get community sources...

My comment above was in agreement with you, but just pointing out that this isnt only on iphones... it happens on all platforms...

Unfortunately, it will be difficult to get some sort of "security seal" which can be independent (i.e. trustworthy) while also being effective enought and cheap to keep quick and free applications from popping up...

Yes there is such a warning when you install community sources.

I agree with the concern, it's a right one, but I would say it's nearly impossible to guarantee good security in these apps that are developed for the iPhone. Just like people run AnySim without reading through the source code. We just have to trust the developers and the community.

As a side note; I doubt all the people installing sshd, knows that anyone on your wlan can log into your iPhone and fsck it up as much as they want too (assuming default root password).

Really? Does sshd get installed when you put on the BSD Subsystem?

(unix n00b)

SSH does not get installed with the BSD Subsytem.

However, I do agree with the concerns of security using these apps. Many of the applications on AppTap do have google code repositories or some other form to publicly browse thier code. Many developers at this stage are learning from each other so those actually get looked through quite often, although not with a security focus. So far I personally have looked through UIctl, rSBT, NES, DeEDGE, Stumbler, and Colloqy (not thoroughly) without any cause for concern yet.

Languard N.S.S. 8.0 (2007) reports some vulnerabilities on my iPhone. Maybe someone with expertise could give it a try on his. It would be interesting to see how an out-of-factory phone reacts to the scan. I'm going to take all 3rd party apps off the phone tomorrow for a moment to see the changes. E.g. this asylum hint isn't that nice (even though the port is reported stealth if onEDGE/GPRS).

This is something that I've been worried about for a while, especially after some of the talk I've seen on IRC concerning turning iPhones into zombies and other types of hacking. I think developers need to take more responsibility here - most iPhone apps don't even have the level of info from developers provided by Freshmeat. A web page describing what the app is, does, and a version history, source code if applicable, and contact info would be - I would think - a minimum requirement. Additionally, I really admire what the developer of Sketches has done, providing version history in the app itself. I think developers should do more of this.

Additionally, nullriver has been talking about making Installer.app a commercial product. If so, I think they're going to need to do more to vet applications by requiring a little more from application developers in order to be pushed through Installer.app. I like Installer.app, but I'm really concerned about the utter lack of security. It would be trivial to write and distribute an app containing a really nasty and virulent worm, especially when you consider that apps run as root.

Overall, I'm starting to warm to the idea of Apple controlling what apps run on the iPhone. I think we absolutely need an SDK, but I also don't believe that the iPhone dev community has shown the ability or even willingness to take security seriously.

Is the concern with inadvertant security holes, ie buffer overflows etc. or with outright malicious software? I don't think malware is a problem, the scene is so small this will get found out quickly. Apart from Installer.app I only install opensource software, as far as security holes in software goes ... I have to admit the code I've seen in a lot of popular iPhone applications is absolutely atrocious. While its not a security hole, here is an example from a very popular iPhone project that will remain nameless:

Code:

NSString* fileInfo = [[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[NSString string]
		stringByAppendingString: @"Size: "] ... it just gets worse from here

I mean wtf, this project has even made it to Gizmodo ... you know who you are.