Apple has released a tech note regarding security enhancements included in iPhone OS 2.2. Here is a synopsis of the changes that apply to security for the iPhone and iPod Touch:
CoreGraphics Changes to CoreGraphics prevent maliciously crafted websites from causing unexpected application termination or arbitrary code execution.
ImageIO Changes to ImageIO prevent the use of maliously crafted TIFF images from causing unexpected application termination, arbitrary code execution or device reset/reboot.
Networking Changes to Networking were made to insure that the correct encryption level for PPTP VPN connections is at the right level when it was often lower than expected.
Office Viewer Changes were made to the OS ability to display Microsoft Office files especially with Microsoft Excel files.
Passcode Lock We'll take a bit closer look at Passcode Lock since its the change most likely to be noticed by most iPhone users and, unfortunately, the one with the most potential for confusion.
The first issue resolved for Passcode Lock is the issue wherein emergency calls are not restricted to emergency numbers. Apple does not define the term "emergency numbers" in their bulletin, only referring to "a limited set of phone numbers", but in our tests, we could not dial 713-xxx-xxxx.
The second issue involves iPhone restores. Previously, when you restored the iPhone from a backup, the Passcode Lock was not re-enabledm, and someone with access to the device could access data and launch apps without the passcode. This has been resolved in iPhone OS 2.2.
Finally (and this is the most confusing of all the changes to the Passcode Lock feature), short message service (SMS) messages were--prior to iPhone OS 2.2--revealed before the passcode was entered.
Under iPhone OS 2.2, we sent three text messages from AT&T's website to our iPhone while the phone was locked. In all cases, the messages displayed on the lock screen showing the actual message and its text along with the slider to unlock the screen. This was with Settings > General > Passcode Lock > Show SMS Preview to ON. You cannot touch the message to open the SMS App. You have to use the slider, enter your passcode and then you can get to the SMS App. You cannot touch a texted phone number from the lock screen to launch the Phone App and dial a number automatically either.
Rather than display the actual text message the phone now displays what you see below. You have to enter your passcode to see the actual message itself. No more previews. Hence no dialing again from these test messages while the lock is engaged and you cannot read them either since you only see the generic message above.
Mobile Safari Changes were made to Mobile Safari's ability to deal with mishandling of HTML table elements, use of iframe elements on a website for interface spoofing, maliously crafted websites may initiate a phone call without user interaction some of these would lead to an unexpected application termination or arbitrary code execution.
Webkit Changes were made to WebKit to prevent the disclosure of sensitive information disclosed to a person with access to an unlocked device.