JailbreakMe using PDF exploit to hack your iPhone, so could the baddies; Apple looking into reports
As with any jailbreak or rooting of a handset, "hacking" a phone OS is usually exactly that: exploiting a weakness to get unsigned code onto a device. That means that any other hacker, be they sufficiently nefarious, could use that same exploit to mess with your phone in the bad, not-installing-emulators-off-of-Cydia sense. Early iPhone jailbreaks (back when installing your own ringtones was a wild idea) took advantage of a TIFF exploit, the recent EVO 4G root found a hole in Flash Lite, and the JailbreakMe exploit is stuffing its code in a PDF font. Until Apple patches this exploit (when asked, Apple told us it was "aware of the reports and looking into them") we'd be extra careful about which PDFs we open -- there aren't any reports of malicious use so far, but with Safari's seamless handling of PDFs, it wouldn't be hard for some hacker to hide a potentially phone-invading PDF behind some harmless-looking hyperlink. The iPhone devteam points out that this isn't the only known exploit for Safari on iOS, so there's no need to start hyperventilating about this particular one... unless it's a slow day at your mainstream media publication and you're looking for something to hyperventilate about.
Oh, and are you looking for a surefire way to steer clear of PDFs? Cydia has a PDF loading warner that lets you skip PDFs your browser is trying to load on a case by case basis. Of course, you'll need to jailbreak your phone to use it. Ironic, right?

I expect Apple to write a virus that does this very thing for Android and then make videos about how all smart phones have this problem and not just iPhones.
@rmbrown09
I couldn't agree more.
Add SBSettings and 3G Unrestrictor to the list :)
(or My3G - Works with FaceTime currently, update for 3GUn soon..)
@pspitts
Right.
Yawn. Apple will patch it in iOS 4.1 and the convenience of JailbreakMe will be gone again.
Where are all the idiots who think Apple OS' are secure?
@Jordus It's a lot more secure than free ballin' with Android...
@Dickybell Totally agree!
Wow... Just when you start to think that Engadget isn't run by a bunch of 14 year olds....
Is it just PDFs in Safari, or iBooks as well?
That's really not a problem because iPhone users are technically savvy enough to use their phone to view pdfs online.
@fysician I meant they are not savvy enough.
Isn't that Norton Utility? Oh god I miss those blue text editors - they make me feel more like a hax0r!
"The iPhone devteam points out that this isn't the only known exploit for Safari on iOS, so there's no need to start hyperventilating about this particular one"
lolwut? Seriously? That's your defense for your dark masters -- erm -- Apple?
Good ole' Norton Commander.
Safari isn't the only app on an iPhone that can open .pdf files. Air Sharing and Air Sharing Pro, as well as the iCab web browser for iPhone can open and download .pdf files to the iPhone. Under iOS 4 using Safari you can choose to open a .pdf file with iBooks, if you have installed it or other installed iOS 4 aware apps that can open and display .pdf files.
Apple isn't as restrictive as some would want you to believe.
Yeah folks: Pay! Go to jail! Then jailbreak! Then get a bumper! Then repay!
Wasn't it meant to be the easy smartphone?
The exploit is NOT in the PDF viewer, that's just how JailbreakMe happened to implement it. There are also many public remote code execution exploits which were fixed in the desktop version of Safari but not yet fixed in MobileSafari.