Last week the news about yet another non-belligerent iPhone worm did the rounds and people responded by saying things like “How silly jailbreaker’s are for not changing their SSH root passwords,” and “It’s only a matter of time until a worm appears that’s not so friendly…” OK, yes, geeky people said those things. Normals will likely never know that jailbreaking is something you can do to a phone.

Well, the predictions of gloom have proven true. Over the last few days, and reported by The Mac Observer, a new worm has been identified. This one, (so-far limited to iPhone owners in the Netherlands), takes advantage of the exact same SSH-exploit as the previous worm. Once on a user’s iPhone, it circumvents Mobile Safari’s anti-phishing technology to present a spoof of a popular banking website. Users are tricked into handing over their online banking authentication details. The worm spreads from iPhone to iPhone, but is limited to jailbroken handsets connected to the same Wi-Fi network.

Apple has weighed-in with its own sage wisdom and advice on the matter. Speaking to The Loop’s Jim Dalrymple, Apple spokesperson Natalie Harrison said:

The worm affects only a very specific set of iPhone users who have jail broken their iPhones and hacked it with unauthorized software. As we’ve said before, the vast majority of customers do not jailbreak their iPhones, and for good reason. These hacks not only violate the warranty, they will also cause the iPhone to become unstable and not work reliably.

If you live in the Netherlands and have jailbroken your iPhone and installed SSH, you need to change the default password to protect yourself from this particular exploit. Just don’t think you’ll be safe — Apple might keep the iPhone platform locked-down tight, but you can’t argue against the obvious security advantages of doing so. To date, there have been four confirmed worms “in the wild” on jailbroken iPhones. How many confirmed worms have appeared in the wild that affect non-jailbroken iPhones? There you have it.

The Real Question Is…

But the real question, as I see it, is this; who jailbreaks any more? I mean, really… who? Why? The single biggest reason people originally went to the trouble of jailbreaking their iPhones was due to frustration at the lack of native apps. (Back in the early days of iPhone ownership, and before the app store existed, only Apple’s own home-grown apps were locally installed on the device. Every third-party apps ran inside Mobile Safari and, therefore, required access to the Internet.) I did a lot of travel back then, usually by air and train, so I didn’t always have a reliable Internet connection; this rendered most of my web apps useless. That annoyed me, and I very nearly did the whole jailbreaking thing just so I could install applications locally that would work irrespective of an active Internet connection. (Ultimately I wussed-out, too afraid I’d permanently mess-up my precious — and expensive — iPhone.)

But that was then, and times have changed.. What other compelling reasons were there to void Apple’s iPhone warranty? MMS, video recording, exchange server support, multitasking and Copy & Paste were the “most missed” features. Today we have more apps than you can shake an iPhone at. We have MMS and video recording, exchange support and copy & paste.

The only thing missing is “true” multitasking, but for the vast majority of iPhone owners (for whom multitasking is another way of saying “I want instant messaging!”), Apple’s Push Notification Service does a decent job of balancing productive multitasking with preserving battery life.

So… why jailbreak? Is it a form of protest against Apple’s broken application approval process? Is it because you absolutely must replace the default icons with something far less classy? Perhaps you can’t live without tethering? Tell us in the comments the (few) remaining reasons for jailbreaking an iPhone.

Just please don’t say it’s for geek cred… I might cry!

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Mobile Q4: All Eyes Were on Android, 4G and the Rising Tablet Tide
• Report: A Mobile Video Market Overview
• In Q3, the Tablet and 4G Were the Big Stories

This update is recommended for all Safari users and features protection from fraudulent phishing websites and better identification of online businesses. This update also includes the latest security updates. For detailed information on the security content of this update, please visit this site: http://support.apple.com/kb/HT1222

The KnowledgeBase article about the security content of the update takes you to Apple’s main security page, which links to the Safari 3.2 security fixes. Most of the fixes are about arbitrary code execution but some are more subtle fixes to make sure that web pages don’t have access to local files.

The anti-phishing updates are two-fold. If you visit a malicious web site, Safari will warn you with the following dialog box:

Clicking on the “Learn more about phishing scams” link takes you to a web page that explains Strange Behavior and Malicious Software: Phishing attacks. Interestingly enough, this explanation is on Google.com rather than on Apple’s web site. I assume this means that Apple is using Google’s list of sites that they have identified as potentially dangerous, like you might see on some search results.

To go along with this, there is a new preference in the security panel to toggle this warning when you visit a fraudulent website.

The other change is a positive indication for sites that have taken the extra step to obtain an Extended Validation Certificate from one of the Certificate Authorities that have begun to do the extra background checks. If you visit a site that has one of these Extended Validation Certificates, Safari will display the site name next to the usual lock icon in green text, as you can see in this example from eBay.com’s login page.

Not all sites with SSL certificates have these EVC credentials (my bank’s online site does not, for example). When you do see the notice, you can click on this green text to get more details on the site certificate (just as you can for other sites by clicking on the lock itself). Make a note of the “Class 3 Extended Validation SSL SGC CA” line in PayPal’s description below.

There are lots more features coming in Safari 4 which should implement much more of the HTML 5 specification and the new SquirrelFish javascript engine, but this is a small step towards that.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• What Does the Future Hold For Browsers?
• Report: A Mobile Video Market Overview
• Mobile App Developer Survey: Profiles, Platforms and Monetization

The email takes the user to an Apple look alike site that asks for the “user’s credit card type, credit card number, expiration date, security code, billing address and social security number.” In addition to the grief that comes with having your identity stolen, this info could give the phishers full access to all purchases that can be made from Apple: hardware, software, iTunes account, and iPhoto products.

This is one of the drawbacks of Apple’s great success. Unix is pretty solid and secure, but people have never put much effort into attacking Macs because of the economies of scale. Now that Macs are becoming more popular, we will likely see more malware attempts aimed at Apple hardware, software, and customers. Hopefully, it won’t ever get as bad as it is on any PC.

Don’t click on those links in emails. Go to the site directly. Be sure to check and make sure it is a secure website you are using. You can tell because it will start with https:// or have a lock in the status bar (not in Safari).

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Why iPad 2 Will Lead Consumers Into the Post-PC Era
• The Near-Term Evolution of Social Commerce
• Content Farms: The Players, The Benefits, The Risks