Earlier this week Forrester released a paper on iPhone and enterprise use. That article was summarized by Larry Dignan on ZDNet. As a side note, I started to write on this earlier but wasn’t sure that I could legitimately quote from the article. I guess it would be OK to quote small passages to critique, but it’s fairly easy to start using too much. I don’t need Forrester on my case over their $500 article. I notice the article was updated 8/4. I read the original Forrester article.
The thing to remember is that these research company articles focus on feature sets. Can you check the encryption box? Can you require a PIN? Can you remote wipe? While that is a good baseline, I’m worried about security, not box checking. "Can you bypass the encryption?" is still first on my list. So they bury security considerations deep within the article after spending half the article saying the iPhone 3.1 was secure enough. No. It wasn’t. iOS 3.1 failed to fix the Zdziarski Method. There were also the insecure backups in Zdziarski’s videos. And then later there was the boot PIN bypass. Let’s not forget that Apple downplayed or denied these issues. That’s just how they roll.
Andrew Jaquith equates iPhone security with PC security, yet denies that the phone needs any of the security software that a PC would have. He says that because people don’t worry about cold boot attacks against full disk encryption, they shouldn’t worry about encryption bypasses on the iPhone. My FDE product claims to have protection in place against the cold boot attack. Additionally, the FDE still protects against cold boot attacks when the machine is off. Lastly, laptop computers are necessary. Replacing the BlackBerry with an iPhone is personal preference. Thus different requirements are possible. I would suspect a phone is much more likely to be lost, and now it’s a candidate to be stolen as well.
The iPhone already found a home in organizations that don’t care about security. What is supposed to allow us to sleep at night and deploy the iPhone is the new encryption. Each app can now have a separate data container with its own encryption keys. Check out Anthony Vance’s blog post. Only Mail is encrypted this way by default. Each app developer would have to specifically use it. I wonder if a year from now we’ll have similar security issues as were found in iOS 3.
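To make concrete what "each app developer would have to specifically use it" means, here is an added example (not code from the post or from any project it mentions) of an app opting its own file into the iOS 4 Data Protection class and reading the applied class back. The file name and the sample record are constructed for the example.

```objc
#import <Foundation/Foundation.h>

// Writes `payload` to `path` with NSFileProtectionComplete: the per-file key
// is wrapped with a key derived from the device passcode, so the file is
// unreadable while the device is locked. Without this option the file is
// written with no protection class and the new encryption does nothing for it.
// Returns YES on success; on failure `error` describes why.
BOOL WriteProtectedFile(NSData *payload, NSString *path, NSError **error) {
    return [payload writeToFile:path
                        options:(NSDataWritingAtomic | NSDataWritingFileProtectionComplete)
                          error:error];
}

// Reads back the protection class actually applied to `path`, so a reviewer
// can verify the opt-in took effect instead of trusting the write call.
// Returns nil if the attributes cannot be read.
NSString *ProtectionClassOfFile(NSString *path) {
    NSError *error = nil;
    NSDictionary *attrs = [[NSFileManager defaultManager] attributesOfItemAtPath:path
                                                                            error:&error];
    if (attrs == nil) {
        return nil;
    }
    return [attrs objectForKey:NSFileProtectionKey];
}

// Example usage inside the app's own Documents directory (constructed data).
void DemoProtectedWrite(void) {
    NSArray *dirs = NSSearchPathForDirectoriesInDomains(NSDocumentDirectory,
                                                        NSUserDomainMask, YES);
    NSString *path = [[dirs objectAtIndex:0] stringByAppendingPathComponent:@"notes.bin"];
    NSData *sample = [@"constructed sample record" dataUsingEncoding:NSUTF8StringEncoding];
    NSError *error = nil;

    if (!WriteProtectedFile(sample, path, &error)) {
        NSLog(@"write failed: %@", error);
        return;
    }
    // Anything other than NSFileProtectionComplete here means the data is
    // still readable from the filesystem of a locked device.
    NSLog(@"protection class of %@: %@", path, ProtectionClassOfFile(path));
}
```

Data written by any other code path in the app (caches, SQLite databases, third-party libraries) stays unprotected unless it is given a class the same way, which is why the post's "only Mail by default" caveat matters.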
I feel pretty secure about my corporate email inside GoodLink on the iPhone. But what other data will end up on this device? Fortunately, the iPhone doesn’t seem to like our brand of EAP-GTC, so it stays off our internal wireless. We keep them off the ASA by not enabling it for access. (I’m guessing that request isn’t far behind.)
I feel a bit offended by the tone that anyone stopping to evaluate the security of the iPhone must be a security idiot (even though they do go on to say that corporations under strict regulatory control will need the stronger security of the BlackBerry).