With Apple's announcement Monday that it shipped 1.12 million iPhones in the three months after its launch, the gadget's apparent popularity rivals some PCs. That has security experts warning of trouble, following revelations that Apple built the iPhone's firmware on the same flawed security model that took rival Microsoft a decade to eliminate from Windows.

"It really is an example of 'those who don't learn from history are condemned to repeat it'," says Dan Geer, vice president and chief scientist at security firm Verdasys.

It wasn't long after Apple released the iPhone in June that researchers discovered that every application on the device – from the calculator on up – runs as "root," i.e., with full system privileges. As a result, a serious vulnerability in any of these applications would allow hackers to gain complete control of the device.

The same problem in Windows played a big role in stoking a plague of internet malware-production that began with the Melissa virus in 1999, and continues with the malicious Storm worm today.

With the limited bandwidth of the iPhone, malicious code would be unlikely to slow portions of the internet. But malware could wreak creative havoc of a different kind. It might, for example, cause a phone to call numbers without the user's knowledge, seize text messages and a list of received and sent calls, turn the phone into a listening device, track the user's location through nearby WiFi access points, or instruct the phone to snap photos of the user's surroundings – including any companions who may be in view of the camera lens.

Apple announced last week that it plans to release a software-development kit in February, to open the way for third-party developers to create applications for the iPhone. More applications, though, invariably means more attack routes for hackers. Apple CEO Steve Jobs said in his announcement that the company was taking time to release the SDK to deal with security issues, suggesting that a future operating system update to the phone might only run applications approved and digitally signed by Apple.

But this wouldn't solve all of the security problems.

"As long as everything runs as root, there are going to be bugs and people are going to find them (to take over the device)," says Charlie Miller, principal security analyst for Independent Security Evaluators, who, with colleagues, discovered the first reported bug with the iPhone earlier this year. The bug, found in its Safari browser, would have allowed hackers to take control of a phone. The researchers criticized Apple in their paper (.pdf) for designing iPhone applications to run as root.

Although Apple issued a fix for the Safari vulnerability in July, the company never responded to criticism about the root problem with its phones. Apple also didn't respond to calls from Wired News for this story.

Last week, H.D. Moore, a security researcher who developed the Metasploit Framework security and hacking tool, posted information on his blog about a vulnerability in the iPhone's tiff library that is used by the phone's e-mail , browser and music software. He also supplied detailed instructions on how to write code to exploit the bug and provided an exploit to gain remote control of an iPhone.

Computer security professionals call the iPhone design flaw a fundamental mistake, and say that Apple should have known better.

"The principle of 'least privilege' is a fundamental security principle," says Geer. "Best practices say that if you need minimal authority to do (something on a system), then you don't need to have more authority than that to get it done."

Microsoft has been roundly criticized for years for releasing early versions of its Windows operating system with administrative privileges automatically enabled. This gave hackers who gained access to Windows machines complete privileges to modify the operating system and take control of the machine.

It took a while for the company to get the message, but Redmond finally closed the hole with its Vista operating system this year, which included a User Account Control feature to control the level of privileges required for various functions on a Vista machine.

" I guess Apple hadn't learned those lessons and is now going to learn them the hard way," says Geer.

Miller says that Apple will need to redesign the entire firmware to fix the problem – which would require owners to install a pretty hefty update.

"If you start from the beginning with security in mind and you design your product thinking about security as you go, it's not really any harder to design a secure product than an insecure product," he says. "Once you've already got it out in everyone's hands, it's a little harder to go back and add security. And that's really what they need to do at this point."

Viruses, Trojans and Remote Snooping: Hackers Release Their Own iPhone SDK

Apple's Not 'Bricking' Hacked IPhones for Revenge

The Perils of Taking the IPhone Mainstream