Wednesday, August 27, 2008 -- 3:35 p.m. -- at my desk
After finding out about this today, I'm thinking we might see a 2.0.2 update pretty fast. Almost seems as though we'd have to.
Way back in January, in 1.1.3, Apple patched a security flaw in the iPhone to stop people with prying eyes from bypassing the password protection built into the iPhone. Well, the flaw is back ... unpatched in 2.0 ... just like it was never patched in the first place.
So did Apple just forget to put the patch back in? Who knows. They haven't commented yet, but obviously if you password protect your phone, this is not a good thing.
Would you believe that I don't? Never have. Not sure if it's because I have this fear that the time I go to enter the code, my phone will lock me out. Just a fear of the software not being mature. I would consider doing it, though, once this is patched.
Basically, in order to sidestep the password feature, you tap EMERGENCY CALL on the password screen and then double-tap your home button. Just like that -- you end up in the iPhone's favorites list with complete access. If there's a link to e-mail or anything else in the contacts, you can get to the Internet and e-mail that way. Not good, obviously. All of my contacts have e-mails associated, and many have Web site addresses.
Here's the direct information on passcode lock from Apple as per 1.1.3:
The Passcode Lock feature is designed to prevent applications from being launched unless the correct passcode is entered. An implementation issue in the handling of emergency calls allows users with physical access to an iPhone to launch an application without the passcode. This update addresses the issue through an improved check on the state of the Passcode Lock.
According to several Mac sites with forums, there's at least a workaround for now: Go to SETTINGS -- GENERAL -- HOME BUTTON and set the double-tap action to Home instead of Favorites. Once you do, the flaw can't get to the favorites. The passcode screen just pops up again.
So while that's somewhat reassuring, it's not ideal.
Here's hoping that Apple fixes what ails the iPhone (again) and this time leaves it fixed!!
Sound off in the comments, please.
Thanks for calling.
Comments
D'oh! Gosh, for a while I was beginning to think Steve Jobs was more the Montgomery Burns type of character (a la The Simpsons polluting nuclear power plant owner). But now he's sort of reminding me of Homer. This just isn't the Apple Inc I've come to know during the past few years since I migrated from PC/Microsoft Windows. Just hoping I don't have to start calling Steve a Milhouse character in the future!
SCOTT's REPLY: I hope not either!
Posted by: Michael Moon | Aug 27, 2008 4:14:52 PM
You didn't say what setting to put on the home button. I would assume iPod..? or Home? If it isn't Favorites. Right?
SCOTT's REPLY: Sorry ... not favorites. Home is the one you want to get it to bounce back to the password screen.
Posted by: Nathan | Aug 27, 2008 4:33:35 PM
Scott,
ggrrrrrrr. Well, now I get to try linking a double click of the home button to my iPod function. Come on Apple!! You can get your act together.
I wonder if Apple is taking advantage of an old theory that says,
"there is no such thing as bad publicity". I remember that when EF Hutton was charged with kiting checks in the late 80's they had their best year after that because people only remembered Blah Blah Blah, EF Hutton. (of course Hutton was bought out and disappeared after that but......)
I haven't liked this new software update 2.0.2. My 3G coverage has been much worse and my phone gets stuck much more when I try to go to web pages or try to get email. Sometimes I have to shut off the 3G then shut down the phone then turn it back on then switch 3G back on. This doesn't seem faster to me!!!
I still love my phone. I just want it to work.
grrrrrr
N
SCOTT's REPLY: Me, too, Neil. Me too.
Posted by: Neil | Aug 27, 2008 4:54:48 PM
You can also get into the App Store with a Safari link
SCOTT'S REPLY: Ugh. Well, hopefully if that were to happen that you'd get prompted for a password and not have access to someone else's account. Still, bad enough.
Posted by: Jacob | Aug 27, 2008 11:07:13 PM
This is only a concern if you actually use the Favorites feature and add contacts to it. To prevent any security concerns, I found that you can delete your favorite contacts from the Favorite feature or change the double tap settings to Home or iPod until a patch is released by Apple.
SCOTT'S REPLY: Indeed, Dustin ... and changing the double tap settings seems to be the lesser of two evils, allowing you to at least keep your favorites intact.
Posted by: Dustin | Aug 28, 2008 1:48:27 AM
Talking of security concerns... I'm a little annoyed that the "emergency call" screen has actually always let you call ANYONE - even internationally! Why can't they restrict it to a database of emergency numbers? (911, 112, 999 etc.) My 7-year-old Nokia used to be able to restrict emergency calls to real emergency numbers - why can't iPhone?
So... if my iPhone was stolen or lost, someone could use it to rack up a huge bill for me (before I called AT&T to report it stolen/lost), and basically have a free phone at my expense.
In addition, the iPhone's Emergency Call screen will tell you the name associated with any number you type in, giving the thief knowledge about who's in my phone book. While this may not be a personal concern, I can imagine corporations taking issue with this due to the obvious lack of confidentiality.
Seems to me that this 2.0 flaw and the handling of emergency calls in general is a major blow for Apple's wooing of enterprise users.
Jake.
SCOTT'S REPLY: It seems as though a complete overhaul of how the iPhone operates in so-called emergency mode is clearly needed and fixing the one flaw that started this whole thing is not nearly enough.
odd, I don't have a security bug. Why? I DON'T LOSE MY PHONE!!!
SCOTT's REPLY: You know that just because you wrote that that you might just .... nahhhh.
Posted by: David Owens | Aug 28, 2008 10:20:52 AM