In my post yesterday following up on iPhone Software 3.1 issues, I noted that one of the new features of iPhone 3.1, anti-phishing protection, was not working for some people. We now have new information on this: apparently you need to take some rather unusual steps to enable the protection in 3.1. Here is the story.
Phishing and Malware Defined
First, let's define what we are talking about. As Wikipedia explains, "phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public." For example, you might get an e-mail that appears to be legitimate and urges you to click here to go to the ABC Bank, but instead of sending you to that bank it sends you to a website that was designed to look just like the real ABC Bank website. You enter your username and password, and suddenly the bad guys have everything that they need to access your bank account. Ouch.
Another security threat you can encounter on the internet is malware. Malware is software that can do bad things to your computer without your consent. The entry for malware on Wikipedia notes that malware "includes computer viruses, worms, trojan horses, most rootkits, spyware, dishonest adware, crimeware and other malicious and unwanted software." There are some bad websites out there that will, through various means, try to get you to download software to your computer which is, in fact, malware. Ouch again.
On an iPhone (like a Mac), the risk of malware is far less than on a PC, and to my knowledge there are currently no websites that can install malware on your iPhone via Safari. (There were reports of a fake program for the Mac in early 2008 that claimed to update your iPhone but instead did some nasty things. Frankly, it is beyond me why someone would run a program that claimed to be an iPhone updater but didn't come from Apple.) But just because iPhone malware doesn't exist today, that doesn't mean that it won't be here tomorrow. Moreover, even if malware is not much of a threat for the iPhone, a phishing website can trick you no matter how you access the website, via an iPhone, a Mac or a PC. An evil website might include both a phishing and a malware element; the site might try to trick you into turning over sensitive information while also tricking you into clicking a button to download a virus to your computer.
Google Phishing and Malware Protection
To try to protect you from phishing and malware, Google has established a blacklist of evil web sites that the company knows about. And if anyone is going to know about these fake websites, it is Google. As Matt Deatherage of MDJ wrote last year in an article reprinted by Macworld:
Google’s computers, however, have a better shot at deciphering such attacks. As the world’s leading search engine, Google has figured out where eBay is, and knows that a single IP address in China is probably not one of eBay’s servers. Google knows what banks, credit card providers, insurance companies, and other firms people try to find, and it therefore has a reasonable idea that if their images show up in a page in the wrong part of the world, it may be bogus. It also helps that Google has something like six umpteen-gazillion times the computing power of the entire Apollo space program. You may have eight cores, but Google is still slightly ahead of you.
Since 2008, the version of Safari that runs on a Mac or PC has included a preference option to warn when you are visiting a fraudulent website. It is the first preference in this window, and by default it is turned on:
This option works by comparing the URL that you are trying to visit with the known list of evil URLs maintained by Google. Safari doesn't take the time to check with Google every time you try to go to a website; that would slow things down too much. Instead, Safari downloads a list from Google containing some preliminary information on the known bad websites, and if the address of a website that Safari is about to load matches an entry in that list already on your computer, then Safari checks with Google to see if it is something on the blacklist to be worried about. You can get more technical information on how this works in the article by Matt Deatherage that I referenced above. And while I'm talking about Safari, note that the Firefox and Google Chrome browsers also use the Google blacklist for protection, and Microsoft's Internet Explorer uses a different list but also contains the same type of protection.
Bringing the Google Blacklist to the iPhone
One of the features of iPhone Software 3.1 is that the iPhone Safari web browser is updated to include anti-phishing protection. The feature on the iPhone is apparently the same as the feature on the Mac or PC, which means that you need to first have a list on your iPhone of the potentially bad sites so the Safari app knows when it needs to check with Google to see if there is a problem. When the feature works, you get a screen that looks like this:
It is great when the phishing protection works, but as I noted yesterday, Dan Moren reported in Macworld that the feature has not been working for everyone.
Fortunately, we now have a little more information on what is going on. Jim Dalrymple, a former Macworld reporter who now has his own website called The Loop, did the sensible thing and talked directly to Apple about this issue. He reports that the iPhone's malicious website protection doesn't work until the iPhone has downloaded the anti-phishing database. This makes perfect sense, but what is strange is the way that the database is updated. Dalrymple explains:
“Safari’s anti-phishing database is downloaded while the user charges their phone in order to protect battery life and ensure there aren’t any additional data fees,” Apple spokesman, Bill Evans, told The Loop. “After updating to iPhone OS 3.1 the user should launch Safari, connect to a Wi-Fi network and charge their iPhone with the screen off. For most users this process should happen automatically when they charge their phone.”
It is necessary for the iPhone to completely download the database before the anti-phishing feature can protect you against phishing Web sites. This will also allow Apple to update the anti-phishing database when needed to keep users protected.
Considering that this is the director of Mac PR at Apple talking to a respected reporter, I presume this is all accurate. Nevertheless, this seems like a very bizarre way to update the database. I know many iPhone users who rarely connect their iPhones to their computers, and even when they do, I don't know how often they are connected to Wi-Fi and happen to have Safari running. These people will rarely get an update to the Google blacklist, and with new malicious websites appearing all the time, these iPhone users will not receive the security protection promised by iPhone Software 3.1.
Indeed, I find it strange that the page on Apple's website that describes 3.1 says that one of the features is "Warn when visiting fraudulent websites in Safari (anti-phishing)," but nowhere does that page or any other Apple page (to my knowledge) mention the steps that you need to go through to get the protection of an updated blacklist. Moreover, even if you follow the steps that Bill Evans from Apple outlined, the iPhone doesn't tell you when the list is finished downloading. Do I leave my iPhone plugged in for a minute? An hour? Who knows.
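To make the two-step lookup described earlier concrete, and to show why a list that was never downloaded means no protection at all, here is an added sketch (not Apple's or Google's code, and not from the articles cited). It assumes the "preliminary information" is a set of short SHA-256 prefixes of host/path expressions; the 4-byte prefix length, the simplified URL handling, the `ListService` stand-in and the `.example` hosts are all assumptions of the sketch.

```python
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # bytes of each SHA-256 kept on the device (assumed for this sketch)

def digest(expr):
    return hashlib.sha256(expr.encode()).digest()

def expressions(url):
    """Host-suffix and path-prefix combinations to test for one URL (simplified)."""
    parts = urlsplit(url)
    labels = (parts.hostname or "").lower().split(".")
    # Full host plus shorter suffixes, stopping before the bare top-level label.
    hosts = [".".join(labels[i:]) for i in range(len(labels) - 1)] or [labels[0]]
    path = parts.path or "/"
    segs = [s for s in path.split("/") if s]
    paths = ["/"] + ["/" + "/".join(segs[:i]) + "/" for i in range(1, len(segs))]
    if path not in paths:
        paths.append(path)
    return [h + p for h in hosts for p in paths]

class ListService:
    """Stand-in for the remote blacklist service, holding constructed entries."""
    def __init__(self, bad_expressions):
        self.full = {digest(e) for e in bad_expressions}

    def prefix_list(self):
        # What the device downloads: short prefixes, not the full entries.
        return {d[:PREFIX_LEN] for d in self.full}

    def confirm(self, d):
        # The "check with Google" step, made only after a local prefix hit.
        return d in self.full

def check(url, local_prefixes, service):
    """Return (verdict, number_of_remote_checks) for one page load."""
    remote = 0
    for expr in expressions(url):
        d = digest(expr)
        if d[:PREFIX_LEN] in local_prefixes:
            remote += 1
            if service.confirm(d):
                return "blocked", remote
    return "allowed", remote

# Constructed sample data: a fake bank site under the reserved .example domain.
SERVICE = ListService(["abcbank.example/secure/"])
PHISH = "http://login.abcbank.example/secure/login.html"
```

With the downloaded prefix list, `check(PHISH, SERVICE.prefix_list(), SERVICE)` blocks the page after one remote check; with an empty set, which is the state of a phone that has not yet fetched the database, the same page is allowed and the service is never consulted.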
Recommendation
In the almost 14 months that I have owned an iPhone, I have never once (to my knowledge) encountered a malicious website. I have encountered a few on my Mac, but none of them have been harmful and some have even been almost humorous. For example, this past weekend, I visited the New York Times website—one of the last places that I expected to encounter something like this—and a window popped up warning that my computer had been infected and asking me to install (fake) virus software. Because the warning looked like a Windows warning message and I was using a Mac, it was immediately apparent to me that this was fake. But as Wired reports, some PC users did click on the link and found themselves "stuck with a fake scareware program that badgers them into buying supposed anti-virus software." TidBITS also has a good description of what happened at the Times, and the Times itself posted this article on the mess. In the past, I have been the victim of malware on the PC that I use at work, and to this day I have no idea how the malicious software got on my computer without my knowledge. It is often virtually impossible to remove malware, and for me the only solution was for my tech department to wipe my hard drive clean and start fresh. Fortunately all of my files were backed up, but it was still a painful experience.
Even though the iPhone, like the Mac, is going to be largely immune from these malicious website threats, you never know when the day may come when some bad guy figures out a way to come up with something that can do damage on the iPhone. And as noted above, phishing is always a threat for everyone, even iPhone users. Thus, I'm happy that Safari on the iPhone now includes malicious website protection. But having said that, I'm a little annoyed that the way of keeping the blacklist current is undocumented by Apple. It would be nice to have something on the iPhone telling you the date that the blacklist on your iPhone was last downloaded and instructions for updating the blacklist. Or alternatively, iTunes on your computer could give you a notice of when it is time to plug in the iPhone to update the blacklist.
I suspect that this is not the last that we will hear on this issue. I expect Apple to provide iPhone users with even more information about what they need to do, or perhaps Apple will improve the way that blacklist updates are handled in a future iPhone software update. But for now, I encourage you to follow Apple's instructions and, from time to time, connect to a Wi-Fi network, launch Safari on your iPhone, connect your iPhone to your computer, and then turn off the screen on your iPhone so that the blacklist can be updated.