iPhone OS Security

Louis Gerbarg on Core Location:

In iPhone OS 4.0 this is being greatly improved, so much so that the improvements were demoed in the keynote. In 4.0 there will be a status bar indicating that an app has recently used CoreLocation, it will be possible to look at the list apps to see what has used your location in the las day, and turn on and off their access. All of this works without changes to the existing APIs, so all existing apps the CoreLocation will be effected, resulting in much better security of the user's location information, and the ability to notice and identify if something is using the data without your consent.

and Address Book:

By exposing the address book database in this way not only has Apple introduced a way for applications to read all of the address book data without going through the AddressBook API, they have also exposed an attack vector for applications to insert poisoned address data that can be synced back to other device, or even attack other applications inside their own sandboxes.

It’s odd that applications can’t directly share files with one another, but yet any application can read and write to the address book (and transmit it over the network), with no audit trail. On the Mac, I am at least somewhat protected by fine-grained backups and Little Snitch.

iPad Analog Clock

Isaiah Carew:

The other day I went hunting through the App Store hoping to find a nice clock for the iPad that I could turn on while it was sitting on my desk. To my surprise, there really wasn’t anything that appealed to me. There are a handful of really nice digital clocks, but I prefer analog. And the iPad’s size feels just right for a nice big clock face.

So he built one, and Apple rejected it because he hadn’t mucked it up with extraneous features (via Macworld).