Q

Are iPhone encryption features on the way?

Expert Ken Munro explains why the iPhone's lack of encryption features has kept it from being a reliable enterprise device -- for now.

Should the fact that data can still not be encrypted on an iPhone disqualify the mobile device from an enterprise environment?
The iPhone should not be considered part of a secure mobile email environment. I believe Apple is working hard to improve its security and remote manageability right now, but today it is not suitable.

If an iPhone synced with an Exchange server is lost, there is currently no way to remotely wipe the device, or otherwise disable it, other than by changing domain credentials and contacting your telephone company to block the SIM card identifying the mobile user.

The stored data is not suitably protected by iPhone encryption, so any locally stored data (email and attachments, for example) is potentially accessible by the thief. Recent versions offer '10 strikes and wipe' for device passwords. This feature, though rarely implemented, allows the iPhone to wipe its user memory if too many incorrect PIN/passwords are entered. The BlackBerry has had the wipe function for a very long time, and Windows Mobile devices have had it more recently.

It is also trivial to spoof an OpenZone wireless access point and convince an iPhone user to part with their domain credentials over the air.

Several important vulnerabilities have been found in the iPhone, including some as part of the 50-vulnerability roll-up patch released recently.

By contrast, BlackBerry and (to a degree) the Windows Mobile operating system offer significantly better remote management. This is why the BlackBerry is accredited for use in certain protectively marked environments as an enterprise mobile device. For instance, the BlackBerry Enterprise Server (BES) offers the ability to manage almost every feature of a BlackBerry device remotely, including remote wipe. This is ideal for the corporate environment, where a lost/stolen device could lead to data theft. More recently, Windows Mobile devices have become almost as manageable remotely, without the need for an expensive BES.

This was last published in May 2009
