Are iPhone encryption features on the way?

Expert Ken Munro explains why the iPhone's lack of encryption features has kept it from being a reliable enterprise device -- for now.

Should the fact that data can still not be encrypted on an iPhone disqualify the mobile device from an enterprise environment?
The iPhone should not be considered part of a secure mobile email environment. I believe Apple is working hard to improve its security and remote manageability right now, but today it is not suitable.

If an iPhone synced with an Exchange server is lost, there is currently no way to remotely wipe the device, or otherwise disable it, other than by changing domain credentials and contacting your telephone company to block the SIM card identifying the mobile user.

The stored data is not suitably protected by iPhone encryption, so any locally stored data (email and attachments, for example) is potentially accessible by the thief. Recent versions offer '10 strikes and wipe' for device passwords. This feature, though rarely implemented, allows the iPhone to wipe its user memory if too many incorrect PIN/passwords are entered. The BlackBerry has had the wipe function for a very long time, and Windows Mobile devices have had it more recently.

It is also trivial to spoof an OpenZone wireless access point and convince an iPhone user to part with their domain credentials over the air.

Several important vulnerabilities have been found in the iPhone, including some as part of the 50-vulnerability roll up patch released recently.

By contrast, BlackBerry and (to a degree) the Windows Mobile operating system offer significantly better remote management. This is why the BlackBerry is accredited for use in certain protectively marked environments as an enterprise mobile device. For instance, the Blackberry Enterprise Server (BES) offers the ability to manage almost every feature of a BlackBerry device remotely, including remote wipe. This is ideal for the corporate environment, where a lost/stolen device could lead to data theft. More recently, Windows Mobile devices have become almost as manageable remotely, without the need for an expensive BES.

Read more on Application security and coding requirements