Apple Explains How to Use iPhone's New Anti-Phishing Feature
Amid the hubbub over new iPods and iTunes' LPs announced at last week's annual Apple event, one feature that was a little under-hyped was the new "anti-phishing" protection built into the iPhone's Safari web browser. The added feature, available via an iPhone software update, warns users when visiting fraudulent websites using Safari. This sort of technology is already commonplace on the web, but is rarely seen on the mobile platform.
Unfortunately, there seemed to be a problem with the new security feature: it wasn't working...or at least, so it seemed. As it turns out, the problem was that users weren't informed as to how to properly activate the anti-phishing protection, an issue that points to a poor implementation of what could and should have been a major breakthrough in mobile computing technology.
The Problem: Anti-Phishing Protection Doesn't Appear to Function
Although Apple touted the anti-phishing protection back in March when they announced their 3.0 update, the new feature didn't actually materialize until this month when the company released the OS 3.1 iPhone/iPod Touch software. According to Apple, the anti-phishing protection feature will display an on-screen warning message when you attempt to visit a known malicious website.
Once the update was released, security researchers and other Apple enthusiasts began testing the new technology. The results were immediately disappointing. "I've not been able to get it to block anything," Michael Sutton, vice president of research at security firm Zscaler was quoted as saying. He had been testing the feature using known phishing websites identified by the anti-phishing database hosted at PhishTank. The Mac Security Blog also found after extensive testing that it simply "does not seem to work." MacWorld, however, found that the feature worked sometimes, but the inconsistency hinted that the technology was not "ready for public consumption," they reported.
What gives? Did Apple really release a broken feature? Were they even aware of the problem? Blogger Jim Dalrymple of The Loop decided to go straight to the source: he asked Apple.
Apple Says "You're Doing it Wrong"
Apparently, this was not a case of the anti-phishing technology being broken. It was a case of everyone simply "doing it wrong." As it turns out, in order for Safari's anti-phishing database to update, there are a few particular steps that need to be followed, explained an Apple spokesperson. After updating the phone to the OS 3.1 update, users need to do the following:
- Launch the Safari web browser.
- Connect to a Wi-Fi network.
- Charge the iPhone with the screen off.
The spokesperson added that for "most users" this process should happen automatically when they charge their phone. We would have to disagree. "Most users" don't launch the Safari browser prior to charging their device - if anything, they close down any open applications before plugging in the phone to charge.
Poorly Implemented, Poorly Explained
If you follow the above steps, the feature will work. However, most users will never know to do this unless they happen to closely follow technology news and blogs. The general mainstream population - the very demographic Apple so craftily attracts via their billion dollar marketing campaigns - expects things to "just work." That is the Apple promise, after all.
Yet even on Apple's own website where they detail the various new features in the OS 3.1 update, there is no mention as to how the anti-phishing protection should be utilized. It simply lists that the feature exists. A helpful link to a "how to" guide would seem appropriate here or, at the very least, a footnote.
Having to perform the somewhat unintuitive steps to get the anti-phishing protection feature to function properly seems like an unusual miss for a company who generally makes things simple and straightforward. Why does it need Wi-Fi, for example? Apple claims that the Wi-Fi connectivity is required so as not to incur any additional data fees for the end user. But launching the browser? We almost wonder if it wouldn't have made better sense for Apple to implement the feature in the new iTunes update instead. The desktop software could retrieve the updated anti-phishing database from the internet upon launch and could then sync it to the iPhone or iPod Touch the next time it was plugged in. That would also alleviate another common problem with the current implementation - if the phone isn't plugged in long enough, the update won't complete and users will only be partially protected. On the other hand, the inclusion of the database via a sync would have ensured that all the data was copied over to the phone.
In the end, though, Graham Cluley, a senior technology consultant at Sophos, reminds us that maybe we shouldn't be too hard on Apple. "Many other smartphones don't offer even the most elementary form of anti-phishing protection to their users," he says. That may be true but, unfortunately, the way Apple chose to deliver their anti-phishing protection feature means that most iPhone users won't be protected either.
Share
Facebook
Comments
Subscribe to comments for this post OR Subscribe to comments for all ReadWriteWeb posts
What the.. the idea was really great but it looks like it still needs to be...
This is great, we really needed this!
I think the IPhone has been able to live without worry about viruses and fishing for a while simply because there wasn't enough of them out there to make it a worthwhile target for hackers....selling 5M a quarter though will change all that in a hurry. Glad to see they are making progress!
It is not correct to say that the iPhone user, or any other smartphone user, does not have to worry about phishing.
Phishing depends on the creation of convincing fakes of real websites, mainly banking sites but others too. Anyone viewing the sites with a web browser could potentially be fooled. It doesn't matter what platform you're using to view the site, Windows, iPhone, Linux, Palm etc. Phishing relies on tricking the user, not the software.
The addition of anti-phishing technology to the iPhone is a welcome improvement to the security of iPhone users. I hope that other smartphone providers take steps to protect their users too.
One thing to keep in mind is that Safari on the iPhone is one of the few Apple provided applications on the iPhone that once launched continues to run in the background. If the updates will occur if Safari has *ever* been launched since the last phone restart (and not just when it was an open foreground application at sleep time) then I think Apple's statement that this "for most users this process should happen automatically" would be accurate. It would be interesting to confirm whether the updates are pulled when Safari has been backgrounded.
It would not be a good idea to tie these updates to iTunes. Many of us, especially Mobile Me users who receive sync'ed calendar, contacts, email, bookmarks over the air, rarely connect to iTunes and simply plugin to charge using the wall power adapter, or just plugin to an available USB port without launching iTunes. Personally I connect to iTunes about once a month.
I would also like to state that I appreciate the fact that this service is there. They will work out the kinks over time if people are not getting the updates. As was stated earlier, we should appreciate that they are taking extra steps to protect us, something that I believe no other smartphone platform is doing.