Analysts: iPhone Has Neither Security nor Relevance

Take your pick: The iPhone is either a "security nightmare" or pretty irrelevant to enterprise security.

Apples upcoming iPhone: Its a "security nightmare," it will "turn your security team into zombies," and Apple is possibly "using the Windows Safari Beta Test to stamp out iPhone security holes."

Or, then again, depending on which iPhone watcher youre paying attention to, the iPhone security is irrelevant compared with "insecure wireless access points, tape backups disappearing, wrapping your newspapers in customers personal financial information, and stolen laptops."

/zimages/2/28571.gifClick here to read reasons why the iPhone will/wont succeed.

The iPhone wont go on sale until June 29. Up until now, and probably until it hits retail shelves, Apple has given next to nil information regarding the security features its first smart phone will have, making security analysis little better than conjecture. The few pieces of security background analysts have to go on include these tidbits: 1) The iPhone will run on Mac OS X and 2) the iPhone will run Apples Safari browser.

The security experts who are worried about the hot, new gadget base their fears on the fact that the iPhone will be capable of much of the same functionality as the BlackBerry, without the enterprise-class security: The iPhone can access e-mail, the Internet and SMS, and it can store a plethora of sensitive data in its contact and organizer functions.

/zimages/2/28571.gifClick here to read about whether enterprise IT managers can keep the iPhone out of their organizations.

"The BlackBerry has over 200 security policies that permit enterprises to turn off its camera, force password changes" and prevent browsing certain sites, among other enterprise-class security features, said Ken Dulaney, an analyst at Gartner. "Im 99 percent sure thats not where the iPhone is taking it. If [such security features] came from anywhere, it would be from third parties. BlackBerrys are going to kill [the iPhone] from a security [perspective]."

Note: The BlackBerrys security profile isnt necessarily faultless: Symantec researcher John OConnor put out a whitepaper on hacking the device in the fall. The paper was subsequently removed from Symantecs site, however; OConnor said the reason for the removal was that he hadnt considered "the effectiveness of all possible security features that might provide mitigation of the impact of malware and the management of application permissions."

Still, BlackBerry security headlines have covered, among other things, a DoS (denial-of-service) bug in January 2006, the release of exploit code in August 2006 and the ability for attackers to purchase a $100 API developer key to enable data theft off the devices.

/zimages/2/28571.gifClick here to read why you can expect to see iPhone-style features turning up in competing handsets.

Andrew Storms, director of security operations at network security firm nCircle, who called the iPhone a "security nightmare" in a recent post, has gone so far as to post a list of security-related questions that he wants Apple to address in a public forum before organizations "reel this new gadget into" their security policies. To wit:

  • Is data encrypted while in transit?
  • Is data encrypted on the device?
  • Is data encrypted on removable memory?
  • Is data removed if the device hasnt checked in centrally, hasnt received a policy update within a time window or if battery power is too low?
  • Is there S/MIME support?
  • Is there PGP support?
  • Are there electromagnetic analysis countermeasures?
  • Are there DRM applications (ability to read, but not forward data)?
  • Is there user authentication by means of password, passphrase or smart card?
  • Does the device automatically lock and require authentication to unlock?
  • Are the encryption keys stored on the devices, and are they also encrypted?
  • Do the network devices have firewalls?
  • Are the network interfaces disabled by default, and does the user have the ability to disable at will?
  • Is there the ability to remotely lock and disable the device?
  • Is there the ability to remotely wipe and back up data?
  • Is there the ability to centrally develop and enforce policy settings?
  • Is there centralized reporting of all device events—calls made, data transferred and usage statistics?

Gartner plans to recommend that businesses dont allow iPhones to come onto their premises.

Not that the iPhone is as potent a potential threat as a PC, Dulaney said. All phones have a security advantage given that they sit behind operators at, for example, Cingular or Verizon.

Next Page: iPhone faces Internet risks.