[Editor's Note: The following is a guest blog by John Britton an engineer at Good Technology and formerly at mFoundry. The following is John's personal commentary and does not represent the opinion of any organization or individual]

Last week the U.S. Federal government blessed mobile phone jailbreaking as legal — that is, unlocking a phone without carrier and/or manufacturer approval.  Everyone that has ever jailbroke their iPhone said “Thank you.”

Earlier this week the Unofficial iPhone Dev Team, the de facto iPhone jailbreak providers, released a new method for jailbreaking iPhones. The simplicity of their last jailbreak set off proverbial alarms across the mobile security and risk management community.

Previous jailbreak methods were cumbersome and idiosyncratic. Previously, users wanting to jailbreak their phone would have to download a file, jump through some hoops and 30-40 minutes later their Phone would be free. Unfortunately, after the jailbreak, all of their applications were gone and they would have to reinstall everything from scratch. Each upgrade required repeating the entire painful process.

The old process worked by bypassing Apple’s signing process. It was not something my mom would have ever attempted to try on her own.

The new jailbreak method exploits a vulnerability in Safari and is super simple. You can now jailbreak your phone by simply connecting to a website and swiping your finger. (If you want to see it, the site is: http://www.jailbreakme.com)

The whole process takes about 3 minutes and leaves all of your applications in place. It is a no fuss no muss approach and something my mom could do to be one of the cool kids.

To the credit of the jailbreak team they also included a patch to warn jailbreakers that encounter this exploit in the future.

Apple has currently released a rather vague statement about the approach:

“We’re aware of this reported issue, we have already developed a fix and it will be available to customers in an upcoming software update.”

The exploit is huge. It is only a matter of time before someone with sinister motives decides to exploit the issue for their own gain.  These bad guys could simply trick iPhone users onto navigating to their site or attaching a file to an email that once opened, quietly jailbreaks their phone.

Once the process is complete the phone would look and feel just like nothing happened at all. Except now, maybe the iPhone secretly has key logger software installed that steals usernames and passwords from mobile banking. Or maybe the hacker can hijack a browser session to go where they want it to go and not where users expect to go. Usernames, passwords, financial information including balances and name of banks can all be siphoned off to someone who wants to take money. The bad guy could even look at your anti-phishing site keys.

I hate to state the obvious but this is really, really bad.

Banks and software vendors can do little in their applications to prevent these types of attacks, but they are left to foot the bill for the attack. The bad guy would look and act just like the authentic user.

This problem isn’t just with native iPhone applications.  It also affects browser-based banking on the iPhone. The really advanced bad guy will also find ways to manipulate some of the more advanced SMS based banking.

I have now stopped mobile banking from my iPhone.

Bankers and consumers need to let Apple know that mobile banking and mobile payments need secure platforms. Apple wants to take advantage of mobile payments on their devices. They want to provide the next generation tools for all of us. Apple needs to provide strong protection for the sensitive data passing through iPhones around the world.

Without Apple-provided protection, the only recourse would be to remove their iPhone apps from the App Store and demand that Apple use the kill switch to remotely remove mobile bank apps from end user iPhones. Banks would also need to block all iPhone based browser traffic.

Of course, this is impossible. Mobile banking has already gone mainstream. Mobile commerce has as well. Furthermore iPhones are used by key executives with sensitive information throughout the world’s businesses.

The only true fix to this problem must come from Apple.  They need to patch the exploit quickly.  Apple needs to work with the banks and the security industry to vigilantly protect and continue to grow the opportunities that are in front of us all.

David Eads mentioned previously on this blog that code reviews for mobile applications should be standard fare.  Financial institutions must be vigilant in teaching their customers and members about staying current with software updates.  A couple of steps that you can take to protect yourself and you customers is to encouraged your customers to upgrade to the latest iPhone OS when Apple releases it.  You can also modify your terms of service to require that fraud protection is only valid if their mobile banking devices have the latest versions of the vendors operating systems and are using it in accordance with the hardware and carrier provisions.

Send David questions about this and I will be back next week to answer your questions on mobile security.

Written from my newly jailbroken iPhone 3GS with mobile banking applications uninstalled.

E*Trade Mobile Pro

Mobile financial service applications are spreading rapidly and are generally secure. However, I don’t see evidence of institutions monitoring and protecting the mobile channel as diligently as other channels.

Hackers will certainly start targeting mobile banking and mobile stock trading applications as adoption increases. Furthermore, there are more opportunities for exploits because of mobile platform fragmentation.

When a major attack happens, it will be well publicized and it will likely slow adoption while the public reconsiders their safety. I will be purposefully vague here to avoid providing any roadmaps or ideas to bad guys.

For example, many organizations use fraud detection software on web applications to look for suspicious activity and limit both losses and risk. Often fraud detection software also preserves evidence in the event the fraud is real. For web sites, this type of software is almost as commonly deployed as firewalls and routers.

Organizations have been suspiciously silent on the protections they’re deploying, which is unlike historical ecommerce behavior. Are companies actively monitoring the traffic from mobile enabled accounts to ensure new types of fraudulent activity aren’t occurring?

TD Ameritrade provides a third-party stock trading application (Mobitrade) that optionally lets you save your username and password in the application, thus providing access without a username and password. (E*Trade pictured here, requires a password to see account data). While this option is convenient, the risks are bound to outweigh the reward.

In the case of TD Ameritrade, users can’t execute trades using the Mobitrade application. However, account balances, positions, stocks owned and watched are all sensitive information thieves can use to commit crimes through other channels.

Providing separate applications on separate platforms also increases the effort required to keep security holes plugged. Many institutions are considering supporting mobile applications on iPhone, Android, Blackberry and potentially other mobile operating systems in addition to their mobile web and SMS-based systems. Each production release of each product version runs the risk of containing a vulnerability. It’s all just software.

Organizations must keep the details of their security infrastructure secret to prevent circumvention of those protections. However, organizations need to perform detailed risk assessments of the mobile channel and deploy protections that are at least as strong as protections to online and ATM channels. The security vendors usually ensure the world knows what companies are using their technology.

The silence on mobile security is deafening.

(Disclosure: I have accounts with both TD Ameritrade and E*Trade. I own TD Ameritrade stock (NYSE: AMTD) and have done work for them in the past. This article DOES NOT imply that E*Trade, TD Ameritrade, or any other company are lacking any particular security measure or that I have knowledge of their specific security measures.)

James Van Dyke at Javelin Research posted a very interesting stat on his blog. The fraud-to-fraud detection ratio in online banking is 2:5. For every two instances of OLB fraud, five were caught by using OLB.

Mobile Banking has the potential to have an even stronger ratio because users have quicker, easier and more frequent access to their account information. That is of course, only if the mobile banking solution is secure and easy to use.

This is an interesting angle because Security is often cited as a key concern by consumers. A recent poll by Harris Interactive found that nearly 2/3 of consumers felt their phone was too insecure to do activities like mobile banking.

The mobile industry clearly needs to better communicate and demonstrate the security and benefits of their solutions to consumers.