    Analysts: iPhone Has Neither Security nor Relevance

    Written by

    Lisa Vaas
    Published June 22, 2007

      Apple’s upcoming iPhone: It’s a “security nightmare,” it will “turn your security team into zombies,” and Apple is possibly “using the Windows Safari Beta Test to stamp out iPhone security holes.”

      Or, then again, depending on which iPhone watcher you’re paying attention to, the iPhone security is irrelevant compared with “insecure wireless access points, tape backups disappearing, wrapping your newspapers in customers’ personal financial information, and stolen laptops.”

      The iPhone won’t go on sale until June 29. Up until now, and probably until it hits retail shelves, Apple has given next to nil information regarding the security features its first smart phone will have, making security analysis little better than conjecture. The few pieces of security background analysts have to go on include these tidbits: 1) The iPhone will run on Mac OS X and 2) the iPhone will run Apple’s Safari browser.

      The security experts who are worried about the hot, new gadget base their fears on the fact that the iPhone will be capable of much of the same functionality as the BlackBerry, without the enterprise-class security: The iPhone can access e-mail, the Internet and SMS, and it can store a plethora of sensitive data in its contact and organizer functions.

      “The BlackBerry has over 200 security policies that permit enterprises to turn off its camera, force password changes” and prevent browsing certain sites, among other enterprise-class security features, said Ken Dulaney, an analyst at Gartner. “I’m 99 percent sure that’s not where the iPhone is taking it. If [such security features] came from anywhere, it would be from third parties. BlackBerrys are going to kill [the iPhone] from a security [perspective].”

      Note: The BlackBerry’s security profile isn’t necessarily faultless: Symantec researcher John O’Connor put out a whitepaper on hacking the device in the fall. The paper was subsequently removed from Symantec’s site, however; O’Connor said the reason for the removal was that he hadn’t considered “the effectiveness of all possible security features that might provide mitigation of the impact of malware and the management of application permissions.”

      Still, BlackBerry security headlines have covered, among other things, a DoS (denial-of-service) bug in January 2006, the release of exploit code in August 2006 and the ability for attackers to purchase a $100 API developer key to enable data theft off the devices.

      Andrew Storms, director of security operations at network security firm nCircle, who called the iPhone a “security nightmare” in a recent post, has gone so far as to post a list of security-related questions that he wants Apple to address in a public forum before organizations “reel this new gadget into” their security policies. To wit:

      • Is data encrypted while in transit?
      • Is data encrypted on the device?
      • Is data encrypted on removable memory?
      • Is data removed if the device hasn’t checked in centrally, hasn’t received a policy update within a time window or if battery power is too low?
      • Is there S/MIME support?
      • Is there PGP support?
      • Are there electromagnetic analysis countermeasures?
      • Are there DRM applications (ability to read, but not forward data)?
      • Is there user authentication by means of password, passphrase or smart card?
      • Does the device automatically lock and require authentication to unlock?
      • Are the encryption keys stored on the devices, and are they also encrypted?
      • Do the network devices have firewalls?
      • Are the network interfaces disabled by default, and does the user have the ability to disable at will?
      • Is there the ability to remotely lock and disable the device?
      • Is there the ability to remotely wipe and back up data?
      • Is there the ability to centrally develop and enforce policy settings?
      • Is there centralized reporting of all device events—calls made, data transferred and usage statistics?

      Gartner plans to recommend that businesses don’t allow iPhones to come onto their premises.

      Not that the iPhone is as potent a potential threat as a PC, Dulaney said. All phones have a security advantage given that they sit behind operators at, for example, Cingular or Verizon.

      Risky Internet Links

      “Because the phone sits in a closed environment, it’s uniquely different from PCs attached to the generic Internet,” Dulaney said. “By definition it has security advantages a generic PC wouldn’t have.”

      That said, the smart phone can expose itself to the risky Internet through, for example, browsing, Dulaney said, and lacks a firewall.

      The iPhone likely isn’t going to have enterprise-class security anytime soon, either. Dulaney talked to Apple last week and said that he came away with the impression that the company isn’t interested in selling to that audience; rather, it’s fixated on selling the iPhone to consumers.

      Nonetheless, executives will “no doubt” bring the phones into their organizations, he said. Recognizing that inevitability, Gartner is reiterating to its clients its recommended three-level support policy: Platform, Appliance and Concierge.

      At the Platform level of support, an organization’s IT group selects a device because its characteristics meet enterprise security policies. At the Appliance level of support, IT permits some degree of choice to its end users: IT asks users to narrow the functionality they deploy on a given device—say, limiting their use to browsing. In return they get more support.

      If forced by executives to support the iPhone, Gartner suggests slotting the device under a Concierge level, where security is offered at a high price. In this level of support, an organization would apply bodies to the problem. If an executive insists on being supported with some device, the only thing the enterprise can do to safeguard its data assets is to hire college kids to look after the device. If it’s lost, a college kid would do nothing but try to find out where it is and to prevent loss of data, Dulaney said. Given that higher-level executives are the ones who can demand IT support, the risk of exposure is that much higher, he pointed out—i.e., a lost iPhone could very well have, for example, a company’s financials on it.

      Mac OS X fans point to the fact that the operating system, considered by many to be far more secure than Windows, will ensure that the iPhone is secure. At this point, however, nobody knows what features have been removed from Mac OS X to fit it into a smart phone form factor.

      “To take a big operating system and shrink it down to a phone is a serious technical challenge, I don’t care who you are,” Dulaney said. “Who knows what Apple’s done here.”

      For example, Apple could have gotten the operating system from a third party and just called it OS X, Dulaney said. An example is Java for servers and Java for phones; they’re both called Java but they’re “very different,” Dulaney said. For all we know, Apple could have started from scratch to write the operating system for the iPhone, in spite of calling it Mac OS X. One indication that the operating system of the iPhone and the Mac desktop are sitting on different code bases is their UIs; each is very different from the other.

      “It’s hard to say how much they put in there,” vis-à-vis security, Dulaney said.

      Windows Mobile is another example of a mobile operating system being quite different from the desktop operating system from which it descended. The APIs between the UI on Windows for the desktop and Windows Mobile are common, but that’s all the two share, Dulaney said.

      “[Microsoft calls] them both Windows, but they share very little in common,” he said.

      Microsoft’s Answers

      As a means of comparison, Microsoft supplied the answers to Storms’ questions for Apple as if he had asked them of Windows Mobile. Microsoft’s answers:

      • Is data encrypted while in transit? Yes, the data is transported using SSL, so it is encrypted during transit.
      • Is data encrypted on the device? No.
      • Is data encrypted on removable memory? Yes.
      • Is data removed if the device hasn’t checked in centrally, hasn’t received a policy update within a time window or if battery power is too low? No. However, please note the Exchange server can remotely wipe the device. The device is also wiped if the password is entered too many times as a security measure.
      • Is there S/MIME support? Yes.
      • Is there PGP support? No (need third-party application).
      • Are there electromagnetic analysis countermeasures? No.
      • Are there DRM applications (ability to read but not forward data)? Yes, support for DRM for media content and IRM for e-mail (read and create is supported).
      • Is there user authentication by means of password, passphrase or smart card? Yes. Windows Mobile 6 includes the ability to lock your device and require a password to use the device after a specified period of disuse.
      • Does the device automatically lock and require authentication to unlock? Yes.
      • Are the encryption keys stored on the devices, and are they also encrypted? Yes, stored on the device and is possible to encrypt them.
      • Do the network devices have firewalls? No.
      • Are the network interfaces disabled by default, and does the user have the ability to disable at will? User can disable.
      • Is there the ability to remotely lock and disable the device? Yes.
      • Is there the ability to remotely wipe and back up data? Yes, can wipe but cannot back up data.
      • Is there the ability to centrally develop and enforce policy settings? Yes.
      • Is there centralized reporting of all device events—calls made, data transferred and usage statistics? No, not today.

      One source of potential security risk that won’t be on the iPhone is Exchange. Dulaney said that Apple told him the iPhone will support Outlook but not the Exchange server. The only e-mail Apple plans to support on the smart phone is ISP e-mail—a fairly rudimentary version of e-mail.

      The iPhone also won’t support pushed e-mail; Sync, the “old-fashioned way of doing things,” will basically be the only way to download e-mail, Dulaney said.

      At any rate, Apple is annoying some analysts with its lack of security details.

      “They really have said absolutely nothing,” Dulaney said. “The way they’ve been with everybody borders on arrogance. They should tell people what they’re getting into.”

      As far as what Apple is saying, Dulaney said he has trouble believing the company’s claims about the smart phone, including battery life claims.

      “Apple [is claiming] almost a 2x ratio of standby to talk time of other devices,” he said. “Which says to me, if you have given the same amount of capacity on the network with the same battery capacity, [various smart phones’ battery lives] should be the same, which Nokias and BlackBerrys basically are. Apple’s never made a phone before. Do they have a nuclear generator in there? They could have filled every nook and cranny with liquid polymer stuff, but it’s hard to tell.”

      And then again, there’s the option of not caring about iPhone security. Security firm Matasano’s Dave Goldsmith wrote in the company blog—in its headline, actually—that “Matasano Does Not Care About iPhone Security.”

      “If you are responsible for keeping data inside of your organization, for the love of everything that is holy, please don’t spend too much time on the iPhone,” Goldsmith said.

      The rationale:

      “Allow us to remind you about all of the data breaches that are happening thanks to insecure wireless access points, tape backups disappearing, wrapping your newspapers in customers’ personal financial information, and stolen laptops.

      “Will the iPhone compound this problem? Slightly.

      “Will researchers attack the iPhone? You bet.

      “Will attackers spend a lot of time trying to steal data off of an iPhone? I doubt it.

      “Will someone run Linux on the iPhone? Sadly, yes.

      “The person that spends 500$ on their phone will protect it more than the laptop you issued them.”

      Lisa Vaas
      Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection.
