Analysts: iPhone Has Neither Security nor Relevance

 
 
By Lisa Vaas  |  Posted 2007-06-22
 
 
 
 
 
 
 

Take your pick: The iPhone is either a "security nightmare" or pretty irrelevant to enterprise security.

Apple's upcoming iPhone: It's a "security nightmare," it will "turn your security team into zombies," and Apple is possibly "using the Windows Safari Beta Test to stamp out iPhone security holes." Or, then again, depending on which iPhone watcher you're paying attention to, iPhone security is irrelevant compared with "insecure wireless access points, tape backups disappearing, wrapping your newspapers in customers' personal financial information, and stolen laptops."
The iPhone won't go on sale until June 29. Up until now, and probably until it hits retail shelves, Apple has given next to no information regarding the security features its first smart phone will have, making security analysis little better than conjecture. The few pieces of security background analysts have to go on include these tidbits: 1) The iPhone will run on Mac OS X and 2) the iPhone will run Apple's Safari browser.
The security experts who are worried about the hot, new gadget base their fears on the fact that the iPhone will be capable of much of the same functionality as the BlackBerry, without the enterprise-class security: The iPhone can access e-mail, the Internet and SMS, and it can store a plethora of sensitive data in its contact and organizer functions.
"The BlackBerry has over 200 security policies that permit enterprises to turn off its camera, force password changes" and prevent browsing certain sites, among other enterprise-class security features, said Ken Dulaney, an analyst at Gartner. "I'm 99 percent sure that's not where the iPhone is taking it. If [such security features] came from anywhere, it would be from third parties. BlackBerrys are going to kill [the iPhone] from a security [perspective]."
Note: The BlackBerry's security profile isn't necessarily faultless: Symantec researcher John O'Connor put out a whitepaper on hacking the device in the fall. The paper was subsequently removed from Symantec's site, however; O'Connor said the reason for the removal was that he hadn't considered "the effectiveness of all possible security features that might provide mitigation of the impact of malware and the management of application permissions." Still, BlackBerry security headlines have covered, among other things, a DoS (denial-of-service) bug in January 2006, the release of exploit code in August 2006 and the ability for attackers to purchase a $100 API developer key to enable data theft off the devices.
Andrew Storms, director of security operations at network security firm nCircle, who called the iPhone a "security nightmare" in a recent post, has gone so far as to post a list of security-related questions that he wants Apple to address in a public forum before organizations "reel this new gadget into" their security policies. To wit:
  • Is data encrypted while in transit?
  • Is data encrypted on the device?
  • Is data encrypted on removable memory?
  • Is data removed if the device hasn't checked in centrally, hasn't received a policy update within a time window or if battery power is too low?
  • Is there S/MIME support?
  • Is there PGP support?
  • Are there electromagnetic analysis countermeasures?
  • Are there DRM applications (ability to read, but not forward data)?
  • Is there user authentication by means of password, passphrase or smart card?
  • Does the device automatically lock and require authentication to unlock?
  • Are the encryption keys stored on the devices, and are they also encrypted?
  • Do the network devices have firewalls?
  • Are the network interfaces disabled by default, and does the user have the ability to disable at will?
  • Is there the ability to remotely lock and disable the device?
  • Is there the ability to remotely wipe and back up data?
  • Is there the ability to centrally develop and enforce policy settings?
  • Is there centralized reporting of all device events—calls made, data transferred and usage statistics?

Gartner plans to recommend that businesses don't allow iPhones to come onto their premises. Not that the iPhone is as potent a potential threat as a PC, Dulaney said. All phones have a security advantage given that they sit behind operators at, for example, Cingular or Verizon.



    Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
     
     
     
     
     
     
     
