You may find this odd coming from a relatively security-conscious sysadmin-type person, but I’m not totally convinced that having everything run as root (if that is indeed true) on the iPhone is a bad thing. See The iPhone’s biggest security pitfall: All applications run as root at iPhone Atlas and Effective UID: 0 at Rixstep.
At first blush, yes, it seems like a horrible idea. Enabling root is bad. Running as root is bad. It’s anathema to even think these things … the whole device running as root? What about privilege separation? Doesn’t that expose user data and so on?
Yes and no. It exposes more than if the device were running everything in an unprivileged account, certainly.
But … the user will presumably always have access to his or her own data. You could probably separate privileges here somehow, but I’m sure that would have downstream effects on performance, usability, complexity, and even on the amount of storage required to run the iPhone’s operating system.
So, if you can get malware onto the device, it appears illogical to me to think that you could really protect the user data simply by not running everything as root. Therefore, root or not, the data must depend upon other protections. Presumably the attacker would get access to the system, but on a 4 or 8 GB device, the delta between that and the user data is small; most of the value to the attacker would be in user data. This would probably be followed by some kind of input logging to collect more such data over time.
If you’re going to trojan the iPhone, wouldn’t it be just as easy to do that in user space? It looks like launchd is there (and being PID 1 on Mac OS X, I’d assume it would have to be), so all you’d have to do is slip in a Launch Agent running as the user. Boom, as we Mac people like to say now, you have a process that starts up with the user. I don’t know how or if Mac OS X protects input, but the possibility of capturing it is probably the greatest risk of running everything as root rather than a less privileged user.
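The Launch Agent mechanism described above is exactly what a defender should be auditing, since anything that starts with the user via launchd is recorded in a plist under a LaunchAgents directory. As an added example (not part of the original post, and not Apple's code), here is a small Python script that parses launchd agent plists and flags any agent whose executable lives outside the usual system locations or that has no program at all. The two sample plists are constructed for this example; the list of trusted path prefixes and the `audit_directory` helper's assumption that plists sit directly in the given directory are my assumptions, and on a real Mac you would point it at `~/Library/LaunchAgents` and `/Library/LaunchAgents`.

```python
import os
import plistlib
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: executables launched by agents normally live under these
# standard macOS prefixes. Anything else deserves a closer look.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/Apple/")

# Constructed sample plists (not taken from any real system). The second one
# mimics the pattern the post worries about: a user-level agent, started at
# login and kept alive, whose binary is tucked away in the home directory.
SAMPLE_AGENTS: Dict[str, bytes] = {
    "com.example.updater.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.updater</string>
    <key>ProgramArguments</key>
    <array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
    <key>RunAtLoad</key><true/>
</dict>
</plist>""",
    "com.apple.lookalike.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.apple.lookalike</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Users/alice/Library/.cache/helper</string>
        <string>--quiet</string>
    </array>
    <key>RunAtLoad</key><true/>
    <key>KeepAlive</key><true/>
</dict>
</plist>""",
}


@dataclass
class AgentInfo:
    label: str
    program: Optional[str]   # executable path, or None if the plist names none
    run_at_load: bool        # starts as soon as the agent is loaded (login)
    keep_alive: bool         # launchd restarts it if it exits
    suspicious: bool         # program missing or outside TRUSTED_PREFIXES


def inspect_agent(plist_bytes: bytes) -> AgentInfo:
    """Parse one launchd agent plist and summarize what it would start."""
    d = plistlib.loads(plist_bytes)
    label = d.get("Label", "<no label>")
    # launchd accepts either a Program key or ProgramArguments (argv[0] is the binary).
    program = d.get("Program")
    args = d.get("ProgramArguments")
    if program is None and args:
        program = args[0]
    run_at_load = bool(d.get("RunAtLoad", False))
    keep_alive = bool(d.get("KeepAlive", False))  # may be a bool or a dict of conditions
    suspicious = program is None or not program.startswith(TRUSTED_PREFIXES)
    return AgentInfo(label, program, run_at_load, keep_alive, suspicious)


def audit(agents: Dict[str, bytes]) -> List[AgentInfo]:
    """Inspect a mapping of file name -> plist contents, in the order given."""
    return [inspect_agent(data) for data in agents.values()]


def flagged_labels(agents: Dict[str, bytes]) -> List[str]:
    """Labels of agents that launch something from an untrusted location."""
    return [info.label for info in audit(agents) if info.suspicious]


def audit_directory(path: str) -> List[AgentInfo]:
    """Read every *.plist directly inside a LaunchAgents directory (assumed flat)."""
    agents: Dict[str, bytes] = {}
    for name in sorted(os.listdir(path)):
        if name.endswith(".plist"):
            with open(os.path.join(path, name), "rb") as fh:
                agents[name] = fh.read()
    return audit(agents)


if __name__ == "__main__":
    for info in audit(SAMPLE_AGENTS):
        flag = "SUSPICIOUS" if info.suspicious else "ok"
        print(f"{flag:10} {info.label:28} program={info.program} "
              f"RunAtLoad={info.run_at_load} KeepAlive={info.keep_alive}")
```

The check is deliberately simple: a path prefix tells you where to look, not whether the binary is malicious, so the flagged entries are a starting point for inspecting the file itself (ownership, timestamps, code signature) rather than a verdict. Run with no arguments it reports on the embedded samples; swap in `audit_directory(os.path.expanduser("~/Library/LaunchAgents"))` to inspect a real account.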
Don’t misunderstand me, though. I think the iPhone is less secure with everything running as UID 0 than it would be if that were not the case. Security — like many things in life — is all about tradeoffs. The tradeoff here is probably a smaller operating system that fits on the device and is still able to provide some pretty amazing capabilities that we wouldn’t have associated with a phone one year ago. We will see if the tradeoffs are worth it over time.
One bit of good news, however, is that the iPhone is, for all intents and purposes, a single click away from a complete restore. Let’s for a moment assume that this wipes the file system and doesn’t just overwrite existing files. (Am I the only one concerned about securely deleting the iPhone? Can’t be.) If so, we can nuke and pave it, eliminating harmful files/executables that may be in its storage.
A difficult problem: What if someone manages to get something malicious on an iPhone, and it is able to jump the barrier from the device back to the host computer?