[moep]

If you've got an iPhone, everything you have done on your handset has been temporarily stored as a screenshot that hackers or forensics experts could eventually recover, according to a renowned iPhone hacker who exposed the security flaw in a webcast Thursday.

While demonstrating how to break the iPhone's passcode lock in a webcast, iPhone hacker and data-forensics expert Jonathan Zdziarski explained that the popular handset snaps a screenshot of your most recent action -- regardless of whether it's sending a text message, e-mailing or browsing a web page -- in order to cache it. This is purely for aesthetic purposes: When an iPhone user taps the home button, the window of the application you have open shrinks and disappears. In order to create that shrinking effect, the iPhone snaps a screenshot.

The phone presumably deletes the image after you close the application. But anyone who understands the way data works is aware that nothing is ever truly deleted from a storage device. Therefore, forensics experts have used this security flaw to successfully nab criminals who have been accused of rape, murder or drug deals.

That’s a pretty significant security/privacy flaw in my eyes.

The link to the webcast where this flaw was demoed:
http://www.youtube.com/watch?v=op-HyBVN2Ek
http://fyi.oreilly.com/2008/09/learn...he-iphone.html

Author of the upcoming book, iPhone Forensics, Jonathan has devoted much of his talent supporting law enforcement personnel with his development of a forensics toolkit that allows them to recover, process, and remove sensitive data stored on the iPhone, iPhone 3G, and iPod Touch. This live presentation is aimed towards law enforcement and anyone else who has a need to access the not-so-readily available data on an iPhone.

[CorpITGuy]

For that matter, every document on your PC or Mac is just as recoverable. I hate to sound like a Fanboi, but I don't see where the iPhone is any worse than any other computer.

[chabig]

I agree. It's a made up problem.

[mitchell_pgh]

It's a problem, but it's industry wide... it's not like the iPhone is the only smart device to have the security problem.

Also, the line "Therefore, forensics experts have used this security flaw to successfully nab criminals who have been accused of rape, murder or drug deals." really makes me laugh. How many iPhone users are there? I have yet to hear of ONE story where a rapist, murder or drug dealer was busted because of their iPhone... I think that would make the news.

[Cipher13]

Indeed, this sounds like somebody simply craving attention.

The phone presumably deletes the image after you close the application. But anyone who understands the way data works is aware that nothing is ever truly deleted from a storage device. Therefore, forensics experts have used this security flaw to successfully nab criminals who have been accused of rape, murder or drug deals.

The entire premise is false - shall I paraphrase?

"Bing tiddle bong, therefore [insert load of crap]".

Either way, this is a remarkable non-issue, in my opinion, and I'm a paranoid security nut. Anyone dumb enough to use a non-disposable product while doing drug deals is pretty damn stupid, and really deserves to get caught.

Anyway - if an iPhone was lost or stolen, chances are the sensitive data would be intact and able to be accessed through the standard interface. If it's sold, it's best to zero it anyway.

The lesson: Don't use the Calendar app to schedule gang hits.

[CorpITGuy]

Originally Posted by Cipher13 

The lesson: Don't use the Calendar app to schedule gang hits.

:: Furiously deleting calendar events ::

[analogika]

Originally Posted by CorpITGuy 

:: Furiously deleting calendar events ::

REMEMBER TO SECURELY WIPE YOUR PHONE.

(else just deleting those events and pics ain't gonna do no good once the forensics team hits your phone)

[vmarks]

Now wait a minute.

My understanding is that the picture is taken of the screen when you press the home button. That's all. Unless I'm mistaken (and I might be) - pictures are taken of the screen at no other time, excepting the user holding down power and home to intentionally take a screen capture.

So navigate within an application to something innocuous first and then press home, if this concerns you in order to prevent it for now, yes?

[Cipher13]

Originally Posted by vmarks 

Now wait a minute.

My understanding is that the picture is taken of the screen when you press the home button. That's all. Unless I'm mistaken (and I might be) - pictures are taken of the screen at no other time, excepting the user holding down power and home to intentionally take a screen capture.

So navigate within an application to something innocuous first and then press home, if this concerns you in order to prevent it for now, yes?

Exactly.

It's a total non-issue, really.

[chabig]

The news keeps getting worse. Apparently the iPhone keeps copies of all your emails, and records phone numbers you have called as well as keeping a database of all your personal contacts and favorite songs!!!

[osiris]

Originally Posted by chabig 

The news keeps getting worse. Apparently the iPhone keeps copies of all your emails, and records phone numbers you have called as well as keeping a database of all your personal contacts and favorite songs!!!

OMG!!!11 also heard that this portable spy trap stores all the websites you visit in something mockingly entitled "history".

[funkboy]

This is not a problem.

If it didn't do that, the iPhone would be considered sluggish... and watching any data transfer can easily show the phone is not transmitting this temporary image.
If you lose your phone, you got much more troubles than simply wondering what was last done when you put your iphone to sleep.

[PBG4 User]

Originally Posted by funkboy 

This is not a problem.

If it didn't do that, the iPhone would be considered sluggish... and watching any data transfer can easily show the phone is not transmitting this temporary image.
If you lose your phone, you got much more troubles than simply wondering what was last done when you put your iphone to sleep.

Not if you set your security to wipe your iPhone after 10 failed password attempts.

[Railroader]

I heard that the front of the iPhone will store your fingerprints if you don't wipe it. Will a screen protector solve this major issue?!?!

[Tsilou B.]

I have to agree that if someone steals your iPhone and goes through the hassle of recovering even the deleted files on it, he/she probably won't gain much additional information from the screenshots.
Still the question remains: Why does the iPhone have to save the screenshots to a file at all? The iPhone seems to work like this:

1. Get the contents of the screen
2. Save it to a file
3. Read the file back in
4. Animate
5. Delete the file

It really should be possible to somehow skip step 2 and 3.

[andreas_g4]

Some people need to breath in a bag for a while…

[aristotles]

Originally Posted by moep 

That’s a pretty significant security/privacy flaw in my eyes.

The link to the webcast where this flaw was demoed:
http://www.youtube.com/watch?v=op-HyBVN2Ek
http://fyi.oreilly.com/2008/09/learn...he-iphone.html

Here is another thing. Your memory contains everything you type and sometimes that data is copied into a swap file.

Seriously, give me a fricken break. The screenshot is not transmitted anywhere and periodically overwritten/purged. You are an irresponsible alarmist.

Even the guy who discovered it thinks people like you are blowing things out of proportion. Get off the internet for a while, go to a pub and have a few beers with your friends.

[aristotles]

Originally Posted by chabig 

The news keeps getting worse. Apparently the iPhone keeps copies of all your emails, and records phone numbers you have called as well as keeping a database of all your personal contacts and favorite songs!!!

That was awesome.

[stwain2003]

Originally Posted by chabig 

The news keeps getting worse. Apparently the iPhone keeps copies of all your emails, and records phone numbers you have called as well as keeping a database of all your personal contacts and favorite songs!!!

hahahahahahaha

[Eriamjh]

So my privacy is at stake when someone has access to my iphone? Apple must STOP people from using my phone!

[moep]

Originally Posted by aristotles 

Here is another thing. Your memory contains everything you type and sometimes that data is copied into a swap file.

Seriously, give me a fricken break. The screenshot is not transmitted anywhere and periodically overwritten/purged. You are an irresponsible alarmist.

Even the guy who discovered it thinks people like you are blowing things out of proportion. Get off the internet for a while, go to a pub and have a few beers with your friends.

Here’s news for you, I’m just voicing my opinion here which is well within the intended purpose of an internet forum.
If you think that makes me an irresponsible alarmist, you’re the one that needs to get off the internet. Don’t be a jerk, please.

[ghporter]

Wait a minute. The iPhone can't be watching me. The camera's lens points the other way. You guys are just trying to scare me.







Seriously, recovering data from the device should be the second big hurdle. The first is getting one's hands on the device to begin with. Unless there is some aluminum beanie-oriented "secret client" that dumps this stuff to computers run by people in black helicopters, basic security practices (not leaving the darn thing laying around, cleaning up after yourself, etc.) should be more than adequate.

[ZinkDifferent]

[edit]

[ZinkDifferent]

Jonathan Zdziarski is quite simply a reckless attention whore, whose income stream depends on generating FUD that gullible folks believe, hook, line and sinker. This thread is just another example of that.

The guy bills himself as a 'forensics expert', and as such, his bankability and credibility depends directly on how much he is being mentioned in the media - which he makes sure keeps happening by regularly releasing such non-news, which the more or less clueless media laps up.

At the core of it, he's got a major axe to grind with Apple, for reasons of his own, which someone should, maybe, take the time to investigate on their own, don't you think..?

[bearcatrp]

Nothing is 100% secure when it comes to any type of computer and its components. Never has been, never will be !

[osiris]

Originally Posted by ghporter 

Wait a minute. The iPhone can't be watching me. The camera's lens points the other way. You guys are just trying to scare me.

You mean, you don't know about the other camera?