If an iPhone synced with an Exchange server is lost, there is currently no way to remotely wipe the device, or otherwise disable it, other than by changing domain credentials and contacting your telephone company to block the SIM card identifying the mobile user.
The stored data is not suitably protected by iPhone encryption, so any locally stored data (email and attachments, for example) is potentially accessible by the thief. Recent versions offer '10 strikes and wipe' for device passwords. This feature, though rarely implemented, allows the iPhone to wipe its user memory if too many incorrect PIN/passwords are entered. The BlackBerry has had the wipe function for a very long time, and Windows Mobile devices have had it more recently.
It is also trivial to spoof an OpenZone wireless access point and convince an iPhone user to part with their domain credentials over the air.
Several important vulnerabilities have been found in the iPhone, including some as part of the 50-vulnerability roll up patch released recently.
By contrast, BlackBerry and (to a degree) the Windows Mobile operating system offer significantly better remote management. This is why the BlackBerry is accredited for use in certain protectively marked environments as an enterprise mobile device. For instance, the Blackberry Enterprise Server (BES) offers the ability to manage almost every feature of a BlackBerry device remotely, including remote wipe. This is ideal for the corporate environment, where a lost/stolen device could lead to data theft. More recently, Windows Mobile devices have become almost as manageable remotely, without the need for an expensive BES.
Related Q&A from Ken Munro
Ken Munro reviews how to secure USB flash drives in the enterprise.continue reading
Even though employees are told over and over again to not give out their user names and passwords, it doesn't always work. Expert Ken Munro explains...continue reading
Expert Ken Munro explains which keyloggers are the easiest to detect.continue reading