This has nothing to do with the app approval process. If anything, it shows the "benefit" of locking down hardware so you can't run server processes. Exactly the same thing can and has happened with Macs allowing SSH logins with weak passwords.
Well, it's not so much about weak passwords as it's about a single password being default across all installations of the app. I can't think of any instance of that happening with Macs but I haven't been using Macs for more than a few years so it may have happened "before my time". The point is though, it's arguable that (if background process were allowed and the same level of system access was allowed) such a configuration would never have passed the App Store approval process.
Granted, I don't know of any apps that have been rejected because of password related security concerns, but I also can't think of any apps that have a standard, universal default password. It's honestly such a wildly irresponsible thing to do I'm surprised it happened at all on any platform without some kind of community uprising involving pitchforks and torches.
[edit: apparently the password is already on the account in all iPhones, the SSH app just enables SSH and that user account. Still bad and still some level of irresponsibility, but not quite as bad as I thought, and still no way anything like this would make it through the App store approval process.]
1) They wait until the 3rd paragraph to mention that you have to have unlocked [edit: I mean jailbroken] your phone to be at risk.
2) They wait until the 6th paragraph to mention that you need to have the default password still enabled.
3) The content is misleading on important points: Users who have installed SSH and not changed the password are especially at risk. Correct me if I'm wrong, but they are the only ones at risk. Saying they are especially at risk implies that others are at risk as well.
IIRC, the initial Astley wallpaper worm had the same requirements and was reported just as poorly by the BBC.
I'd also like to point out that releasing SSH software that provides a universal default password is idiotic.
Also, if I worked for Apple I might be tempted to say "this is what happens when you leave the protective walls of the App Store". Just sayin...
To be fair the password comes from apple. Any of the JB apps I have seen explicitly tell you that enabling ssh is a bad idea unless you know what you are doing and only if you are going to change the password. Though the fact that the app does not prompt you to change the password right then and there is lazy at best.
There is no technical journalism worse than mainstream lay writing about "malware". The ratio of killer hooks to real insight is just too crazy to write good stories. I'm not sure I've ever read a good mainstream piece about a virus, worm, or botnet.
10 comments
[ 5.7 ms ] story [ 39.2 ms ] threadGranted, I don't know of any apps that have been rejected because of password related security concerns, but I also can't think of any apps that have a standard, universal default password. It's honestly such a wildly irresponsible thing to do I'm surprised it happened at all on any platform without some kind of community uprising involving pitchforks and torches.
[edit: apparently the password is already on the account in all iPhones, the SSH app just enables SSH and that user account. Still bad and still some level of irresponsibility, but not quite as bad as I thought, and still no way anything like this would make it through the App store approval process.]
2) They wait until the 6th paragraph to mention that you need to have the default password still enabled.
3) The content is misleading on important points: Users who have installed SSH and not changed the password are especially at risk. Correct me if I'm wrong, but they are the only ones at risk. Saying they are especially at risk implies that others are at risk as well.
IIRC, the initial Astley wallpaper worm had the same requirements and was reported just as poorly by the BBC.
I'd also like to point out that releasing SSH software that provides a universal default password is idiotic.
Also, if I worked for Apple I might be tempted to say "this is what happens when you leave the protective walls of the App Store". Just sayin...
[edit, yeah, googled it and everything...]
There's a difference: http://theiphonewiki.com/wiki/index.php?title=Unlock