MAAS History
Tuesday, Feb 09, 2010

Microsoft Patch Tuesday Addresses Office 2004 Mac

Microsoft's Patch Tuesday release addressed vulnerabilities in Office 2004 for Mac as part of the 26 patches released. Microsoft rates both MS10-103 and MS10-104 as mid-level in risk and impact. An attacker needs to entice a user to open a maliciously crafted Excel or PowerPoint file. The impact is that the attacker gains the user's privileges; if the user is logged in as an administrative user, the impact will be critical.

Users should never perform tasks such as email, word processing or web browsing as an administrator, and Mac users should never open files from untrusted sources. In addition to anti-virus software on workstations, network shares should be scanned, especially if users share documents across multiple platforms. Many Mac administrators do not have anti-virus software scanning Mac OS X Server directories even though the ClamXav engine is included for mail. See http://www.clamxav.com/index.php?page=dl for more information on how to set it to scan particular directories. Intego also offers a server product which is top notch.

This update does not affect Office 2008 Mac.

Friday, Feb 05, 2010

Safari 4.0.4 DoS: Failure of Exception Handling

Majorsecurity.info is reporting a DoS vulnerability in Safari 4.0.4 and earlier versions. The vulnerability exists in the WebKit engine, so other applications that embed WebKit are vulnerable as well. Although not listed in the Major Security advisory, the Mac platform is vulnerable: the result is first a slow-script error and then an application crash.

The proof of concept posted demonstrates the flaw by creating a host of marquee tags, causing Safari to crash. It has been confirmed that this affects Mac OS X in addition to the Windows platform. The script cannot lead to remote code execution.

Thursday, Feb 04, 2010

iPhone Application Security > FreeBit ServersMan 3.1.5 DoS Crash Attack

There has been growing interest in iPhone applications and the security of such applications. Even though Apple reviews every application, and Cocoa development using Xcode includes validation and verification tools, developers do not always use secure coding methods. Recently there have been various presentations about rogue applications that access personal information such as address books, passwords and location information. Currently there is a CVE candidate for the FreeBit ServersMan 3.1.5 iPhone application due to a DoS crash vulnerability triggered by a malformed HEAD request. It is clear that phone application security has to be included in an organization's Information Assurance Risk Matrix.

Apple's review process may be circumvented in a malicious way, resulting in distribution of malware; it is just a matter of time. I would expect that security researchers may try to see if they can pass a malicious application through the Apple approval process. It is also to be expected that at some point this will be successful. Software always has an unexpected vulnerability, or a flaw whose level of risk is misunderstood.

Where I think the serious problems occur (related to the iPhone), and what should really be the focus of security professionals, is users who bypass the iTunes Store, have jailbroken iPhones, or fail to include the phone in an organization's Information Security Program. When allowing applications access to data on your phone, users must understand what they are approving. Education is the key: security professionals must include employees' phones within their security policies and procedures. If your company provides users with iPhones, there should be terms of use for employees to follow. This should address many of the same risk factors as employees' computers, such as alteration or installation of hardware or software. This should go beyond the iPhone, since any phone can be compromised in this fashion.

For an excellent rebuttal to a recent paper related to the topic (link in references), users should visit Intego's blog, but remember that understanding the debate is not a risk assessment. That has to be conducted in an unbiased manner, something Mac administrators have difficulty with. This comes from someone who has been an Apple user since the Apple ][.

Wednesday, Feb 03, 2010

APPLE-SA-2010-02-02-1 iPhone OS 3.1.3 / iPhone OS 3.1.3 for iPod touch

Apple released a security update for iPhone OS and the iPod touch, which users should install, that addresses various security issues. There was a buffer overflow in the handling of MP4 audio files and a buffer underflow in ImageIO's handling of TIFF files, either of which could lead to application termination or code execution. These issues are addressed by improved bounds checking.
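The bounds checking the advisory refers to, shown as an added example in C (not Apple's or this page's code): a walker over MP4-style boxes, where each 4-byte size field is read from the file and therefore attacker-controlled. The function name `walk_boxes`, the `box_t` type and the sample byte strings are constructed for illustration; the details of the actual bug are not on the page, and the `size == 0` / `size == 1` special cases of the container format are treated as malformed here for brevity.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* MP4-style box: 4-byte big-endian size (including the header), 4-byte type.
 * Constructed example of length-field validation; not Apple's code. */
#define BOX_HEADER 8u

typedef struct {
    uint32_t size;
    char type[5];
} box_t;

/* Walk every box in buf[0..len). Returns the number of boxes found, or -1 as
 * soon as a size field would take a read or copy outside the buffer. */
int walk_boxes(const uint8_t *buf, size_t len, box_t *out, size_t max_out)
{
    size_t off = 0;
    int n = 0;
    while (off < len) {
        /* A full header must be present before size/type are read. */
        if (len - off < BOX_HEADER)
            return -1;
        uint32_t size = ((uint32_t)buf[off] << 24) | ((uint32_t)buf[off + 1] << 16)
                      | ((uint32_t)buf[off + 2] << 8) | buf[off + 3];
        /* size < header would stall or wrap the loop; size > remaining data is
         * exactly what an unchecked memcpy would use to run past the buffer.
         * Comparing against (len - off) instead of (off + size) avoids the
         * integer overflow an attacker would aim for with a huge size. */
        if (size < BOX_HEADER || size > len - off)
            return -1;
        if ((size_t)n < max_out) {
            out[n].size = size;
            memcpy(out[n].type, buf + off + 4, 4);
            out[n].type[4] = '\0';
        }
        n++;
        off += size;
    }
    return n;
}

/* Constructed sample: a well-formed 'ftyp' box (12 bytes) then 'mdat' (10 bytes). */
static const uint8_t GOOD_FILE[] = {
    0x00, 0x00, 0x00, 0x0c, 'f', 't', 'y', 'p', 'M', '4', 'A', ' ',
    0x00, 0x00, 0x00, 0x0a, 'm', 'd', 'a', 't', 0xAA, 0xBB
};
/* Constructed sample: 'mdat' claims 0x7fffffff bytes but only 2 follow. */
static const uint8_t BAD_FILE[] = {
    0x7f, 0xff, 0xff, 0xff, 'm', 'd', 'a', 't', 0xAA, 0xBB
};
```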

WebKit has been updated to address an input validation issue in the handling of FTP directory listings; a maliciously designed FTP server could be used to cause a DoS or disclose information. Also in WebKit, a failure in HTML Media Element handling could result in Mail loading remote media even when remote image loading is disabled, so a maliciously crafted message could be used for reconnaissance of user activity. The memory corruption and bypass issues have also been fixed.

There is also an iTunes update that should be installed. It includes various performance improvements.

Thursday, Jan 28, 2010

iPad Black Hat Search Optimization

"Black hat search optimization" is the use of aggressive and deceptive methods to front-load search engine results with chosen sites. The introduction of the new iPad has become a feeding ground for organizations that practice these methods. Worse, it has also resulted in users being directed to malicious sites.

All Macintosh computers should be running some form of anti-virus software and, at a minimum, have the application firewall set to allow only specific services and applications. We recommend far more advanced configurations for power users, such as ipfw or another commercial offering, along with least-privilege principles.