Few people standing in line to buy an iPhone on Friday in the US will be focusing on the security of Apple's new phone. But some influential security researchers already have given the matter lots of thought.

Take Neel Mehta, a security expert at IBM's Internet Security Systems, which typically focuses on perimeter security for large corporations.

Overall, Mehta thinks the iPhone's security will be better than other smartphones on the market, and he credits the lack of a software developer kit (SDK) from Apple as a definite positive. The absence of an SDK will make writing malware much more challenging, he said, and inexperienced criminals will be scared off. "It doesn't make it impossible," Mehta said, "just harder."

Mehta thinks the iPhone will attract a more sophisticated criminal who's attracted to the challenge of hacking a complex system. Also, with Symbian OS-enabled phones currently occupying 40 to 50 percent of the world market, most petty thieves will still be drawn to the lower-hanging fruit.

In advance of iPhone's release, ZDNet Australia sister site CNET News.com spoke to Mehta about the pros and cons of iPhone security.

The iPhone is likely to be one of the most complex smartphones that we've seen to date. As such, it will be challenging to have a completely secure code base.

Q: What is the biggest security threat to the iPhone?
Mehta: The number of eyes that will be drawn to the iPhone platform itself and all the applications that run on it, that's probably the biggest security risk for the iPhone itself in that it will be undergoing a tremendous amount of scrutiny, probably more so than any of these applications have seen before. In the end, we'll get a better understanding of how secure the entire code base is and how these applications withstand thousands of eyes looking at them.

Do you think some early adoptors will be targeted by criminals online? Early iPhone users by definition are going to be wealthier than the average person. And for a criminal, there's bound to be payoff in stealing the personal data of someone like that.
Mehta: The people who are going to buy [the iPhone] are the people who have US$500 to spend on a smartphone and are fairly technology savvy as well. Again, it's a phone and its also, from my understanding, being marketed in a consumer space, and has features that are much more attractive to consumers instead of businesses in terms of the ability to download and play media of all different types on it, and so on.

So businesses will likely have employees that use it, but in terms of sanctioned IT use within an enterprise environment it's probably not going to be that common. It's always possible that there will be attackers who will launch sophisticated attacks against someone with an iPhone, but there are a lot of other mobile devices that are much more common within an enterprise environment, such as the BlackBerry for example, that are more interesting targets -- at least in the short term.

You mentioned that the iPhone's being marketed as a consumer phone. That means there will be a lot of media-rich applications preinstalled. How will that affect the overall security of the device?
Mehta: You can look at it as a portable computing device, more so than any other mobile phone, in its traditional sense, so it is going to have to understand many different types of multimedia formats. It will be able to play audio, video, pull that content off the wireless network, or off a PC that it's connected to. It will also understand e-mail. It will contain, possibly, a full-featured version of Mac OS X, and so the complexity of the device makes it more challenging to secure.

We're seeing this with all the different smart-phone platforms -- as they become more complex, have more features built into them, they also have more opportunities for hackers to break into them. The iPhone is likely to be one of the most complex smart phones that we've seen to date. As such, it will be challenging to have a completely secure code base ... and so we'll likely see the need for updates for the iPhone as flaws are discovered.

Speaking of flaws, there have been a few exploits developed recently for Mac OS X vulnerabilities. Mac OS X is based on Unix. Isn't it likely, with the increased interest in Mac OS, that someone will start porting over existing Unix exploits and trying them against the Mac?
Mehta: Mac is based off or derived from BSD Unix. The OS X that's running on iPhone will most likely be derived from the same original code base. But, the one thing that will probably be a huge factor in how easy it is to port exploits over is the processor that's in the phone. At the moment we don't know for sure what that processor will be. If it's an Intel-based processor, then it will be very similar to the current generation of Mac computers. There probably won't be that much difficulty for attackers to port exploits from existing Mac platforms over to the iPhone.

But if it turns out to be an ARM processor, for example, that's different. ARM has the biggest share of the processor market for mobile devices. That may be something a little bit new for the people who have been writing exploits for the Unix environment or for the Mac computing devices. If there's a change in processor architecture, it may take them a little bit of time. It's something that attackers who are determined will overcome. I think that Apple has been very tight-lipped about the underlying processor that will be running on the iPhone. I suspect that we will find out on Friday. Before then we're just guessing.

In many cases there is no over-the-air update mechanism, and also these phones are not connected to the PCs with the specific purpose of its own firmware updates. Some of the firmware updates [for smart phones] require you to backup all of your contacts and data on the device, wipe the entire device, and so on. All of these things contribute to updates for other smartphones being very infrequent.

It's very likely that vulnerabilities that are found for Safari for Mac or Safari for Windows will also affect the iPhone.

If Apple makes updating the iPhone as easy as it has made updating some of the other devices [like the iPod], it'll have a leg up on other smartphones in terms of installing patches and keeping it up to date, even if security vulnerabilities are there. I think that's a positive as well. The only other smartphone that has that to any degree is the BlackBerry, platform where updates can push from the enterprise server, and be managed by corporate IT. But outside of that most smart phones are very hard to update, and they require you to manually search for updates on your own and let you install them by yourself.

So the iPhone will be easy to keep patched, but it seems there's another exploitable weakness -- the browser. Even if you have a fully patched browser, there are still ways for criminals to hijack the Ajax processes on Web 2.0-enabled sites, for example, and link iPhone users to malicious code. But that's assuming the Apple Safari browser is not itself vulnerable, right?
Mehta: Yes. You're absolutely right. If you look at the history of browser security for the last year or two, it's been absolutely terrible. And that's because browsers are enormous and very complex applications. One of the things we do know about the iPhone is that the Safari browser will definitely be on it. And the only documented way for third parties to develop applications for the device will also be through Safari and through Ajax. So it's very likely that vulnerabilities that are found for Safari for Mac or Safari for Windows will also affect the iPhone.

I think that's just a small piece of the bigger potential security risk being that having an iPhone based on Mac OS X gives attackers the ability to go and analyse any shared application that might be on a Mac, and analyse it on a familiar platform that they understand very well, and then try and extend that knowledge or port it over to the iPhone. We'll likely see that there will be a parallel stream of updates for the Safari browser on both Mac and on the iPhone, and for other applications within OS X that run both on the Mac and on the iPhone. Even though it's a closed platform, it will have a certain degree of transparency because of the shared code base with other platforms.

I would also guess that less sophisticated attackers will likely try and look at the applications on the Mac platform or the Safari browser on Windows and then simply try the exploits that they create against the iPhone and see if they work. We've already seen some public speculation that the Safari vulnerabilities will affect the iPhone prior to its release.