The iPhone has generated a lot of curiosity in the hacker community. Last year when Apple released its iPhone, hundreds of hackers tried to break the iPhone software in multiple ways. Some of them succeeded in customizing the iPhone in the way they wanted. They changed their mobile service provider and deployed their own applications. Some hackers were able to break the iPhone by exploiting vulnerabilities in applications such as Safari.

Now Apple has released its official SDK to developers. By opening up the iPhone OS and publishing the SDK Apple looks forward to thousands of Mac developers developing iPhone applications. At the same time, Apple announced a lot of new features for enterprise customers.

It appears that Apple is carefully stepping forward to analyze and manage the security implications of opening up its platform for development. In the Leopard OS release Apple added security features such as sandboxing, code signing, etc. The same features are also used as the foundation for iPhone.

Let’s look at some of the security aspects of the iPhone’s application execution environment: Apple issues a certificate to the developer, who signs the iPhone application using this certificate. The iPhone OS then checks the authenticity and integrity of the application before installing and executing it. Each application runs in a sandboxed environment–with very limited access to the file system and other resources. The AppStore application on iPhone manages all third-party application deployments on the iPhone.

One application can interact with other applications using URLs. http://, https://, and feed:// are handled by Safari; mailto:// is handled by the Mail client; and itms:// is handled by iTunes. Third-party applications can declare their own urls (such as myapp://) to handle messages from other apps.

Each application is sandboxed to contain failures if it is compromised. However, an application’s access to a lot of other resources–such as network, phone, camera, address book, mail, and urls–is not controlled. Hackers may now focus on vulnerabilities in applications and also on the mechanisms provided to access iPhone resources.

Enterprise features such as Exchange Server support, and security features such as Cisco IPSec VPN, WPA2/802.1, etc. may encourage wider deployment of the iPhone in enterprises; and thus open up more possibilities for attackers.

Within four days of Apple’s announcement, more than 100,000 SDK downloads indicate the enthusiasm of developers. Sun has announced Java support for the iPhone, and that may attract even more developers.

For now the SDK is still in beta, which gives Apple some time to fix security issues that hackers are going to discover during the next few months. This seems to be a very good strategy. We look forward to Apple’s next steps and the impact they will make on the domain of mobile device security.