iPhone (in)security in the enterprise

Just when you thought you’d successfully killed it off, its back. The email from management who is getting pressure from the c levels asking why the iPhone isn’t supported. It comes in on schedule every two month.
“iPhone version 3.1 has solved all the security problems, right?”
Um, no.
“There is now a Wolfram Alpha app for the iPhone. This would really help our business development”
Are you serious?
Who can blame them. Apple and their willing co-conspirators in the tech media have been repeating the mantra. “iPhone 3GS is secure for the enterprise.” Secure or not companies are adopting the iPhone, even to the point of allowing personal devices. Lets summarize what we know and what we dont know about the
Problem 1: Encryption
It is of critical importance to protect data privacy through encryption. iphoneinsecurity.com, a site dedicated to iphone forensics has posted video demonstrating the bypass of the iPhone 3GS encryption.
I suppose some would argue that the evil maid attack allows bypass of Full Disk Encryption on computers so I shouldn’t have my data there either. Of course using a smart card or bitlocker with TPM I could protect myself from this attack.
Problem 2: passcode bypass
The passcode on a iPhone is bypassable
Problem 3: Lack of Central Config Management
Enterprises are used to controlling phone configuration centrally a la through a Blackberry Enterprise Server. iPhones configuration is sort of voluntary. TrustDigital would say they solve that issue. I need to talk with them (again) because I think they can enforce a configuration at the time the iPhone connects to the server, but I dont think they have a permanent enforcement agent. Could be wrong.
Problem 4: patching
While patches can be pushed from the BES, iPhone users need to install each patch individually through iTunes
Problem 5: iTunes
Speaking of iTunes, that isn’t exactly a corporate type product. What if we dont want that on our computers. RIM has worked to make Blackberry work without installing any desktop software in a BES environment.
Problem 6: App Store
Whose account is used in iTunes? Do they use their personal account? In that case the end user really owns any applications purchased by the corporation on that account. When the employee terminates they would essentially walk out with the applications the company owns. If a corporate account is created then the opposite problem occurs.
Problem 7: Jailbroken phones
Jailbroken phones are susceptible to security problems. Besides the ikee worm, they allow unapproved applications to be run, bypassing Apple’s whitelisting security model. How can an enterprise prevent jail broken phones from being used?
Problem 8: Repeaters
Like a lot of company headquarters, ours is like a unintentional Faraday Cage. We’ve had to put up repeaters for Verizon and Nextel. Are we supposed to pony up and install AT&T repeaters?
While the iPhone remains exceedingly popular, it still has Apple’s consumer mindset at the core. (sorry bad pun) At least at our company I dont see it making headway until the encryption issue is solved. Then I’ll talk with TrustDigital again about their management solution.
update
The day I posted this I got emailed an announcement of Good Technology’s support for the iPhone. Good uses their own application and would keep the corporate email encrypted in that. However any other corporate data that made its way on to there wouldn’t be protected. In an era of cutbacks its hard to provide support for both Good and Blackberry.
Commenters have pointed out that the iPhone still does not support S/MIME or PGP. I had thought to check on that but it didn’t make the article. S/MIME support is mandatory for my company.

8 Comments

  1. Weird, I thought the 3gs did support s/mime. Well, that is why I’m writting it down. I keep having the same conversations at work every few months and dont remember it all without writting it down. Lack of S/MIME support for the blackberry (at least working s/mime support) held up my PKI project until RIM deployed a workable version. If management is consistant (yeah right) that alone should kill of this zombie phone project.
    I see Good Technologies now supports the iPhone. Wonder if they include s/mime or PGP support. Looking at their website it seems like the s/mime support is for windows mobile devices only.

  2. I’ve been waiting for S/MIME or PGP support on iPhone for a long time now, but it doesn’t seem to be coming anytime soon (I have a 3GS). The best option I know is to use a service like Hushmail, where you encrypt your e-mail messages while they are in transit. After that, you use a SSL-enabled connection for downloading them from the IMAP/POP server.

    • SecuMail – a PGP compatible app – is now available from the App store.

      It does decryption/encryption, integration with the Mail app, and can also talk to keyservers (including ldaps support).
      It will even open and display encrypted word/pdf/excel documents or encrypted images (jpg, png, gif and a few other formats).

      Works both on iPhone and iPad and is CCATS certified for those that have export requirements.

  3. I have an Android with Verizon, and it is not all that. Apps are terrible, to many force closes, very slow. It is just not the same as an iPhone. The iPhone is still 5 years ahead of every one else. Verizon service is getting slower and slower and customer service sucks. We need a carrier that will step up and provide the service. The iPhone is the best hands down.

Comments are closed.