In June 2007, Apple released the iPhone, and the device quickly took off to become a major brand in the smartphone market. Yet when the iPhone shipped, security on the mobile operating system was nearly nonexistent. Missing from the initial iOS (then called iPhone OS) were many of the security features that modern-day desktop software has as a matter of course, such as data-execution protection (DEP) and address-space layout randomization (ASLR). Apple's cachet lured security researchers to test the platform, and in less than a month, a trio had released details on the first vulnerability: an exploitable flaw in the mobile Safari browser.
"It was so insecure, it was bad," says Charlie Miller, a security research consultant for Accuvant and one of the finders of the flaw. "Your Web browser ran as root, and there was no sandboxing, no DEP, and no ASLR. It was a hacker's dream."
[ Learn how to manage iPhones, Androids, BlackBerrys, and other smartphones in InfoWorld's 20-page Mobile Management Deep Dive PDF special report. | Keep up on key mobile developments and insights via Twitter and with the Mobile Edge blog and Mobilize newsletter. ]
How times have changed. Between Apple's harried response to vulnerabilities found by security researchers and the company's own desire for control over the applications running on iPads and iPhones, iOS has become the most secure software platform to date, says Raimund Genes, CTO for software security firm Trend Micro.
"Apple owns the complete ecosystem -- they own the hardware, they own the software, and it makes it quite safe," Genes says. "And thanks to the App Store, they also have a recall switch."
Apple has repeatedly boasted it has an OS that is more secure than the competition. While security experts have frequently debated whether Mac OS X fits the bill, iOS doesn't seem to raise such questions. Miller, for example, does not disagree with the assessment that the iOS may be the current pinnacle of security for a mass-market operating system. "It's in the realm of truth," he says.