Analysts: iPhone Has Neither Security nor Relevance

By Lisa Vaas  |  Posted 06-22-2007
Apple's upcoming iPhone: It's a "security nightmare," it will "turn your security team into zombies," and Apple is possibly "using the Windows Safari Beta Test to stamp out iPhone security holes."

Or, then again, depending on which iPhone watcher you're paying attention to, the iPhone's security is irrelevant compared with "insecure wireless access points, tape backups disappearing, wrapping your newspapers in customers' personal financial information, and stolen laptops."

The iPhone won't go on sale until June 29. Up until now, and probably until it hits retail shelves, Apple has given next to nil information regarding the security features its first smart phone will have, making security analysis little better than conjecture. The few pieces of security background analysts have to go on include these tidbits: 1) The iPhone will run on Mac OS X and 2) the iPhone will run Apple's Safari browser.

The security experts who are worried about the hot, new gadget base their fears on the fact that the iPhone will be capable of much of the same functionality as the BlackBerry, without the enterprise-class security: The iPhone can access e-mail, the Internet and SMS, and it can store a plethora of sensitive data in its contact and organizer functions.

"The BlackBerry has over 200 security policies that permit enterprises to turn off its camera, force password changes" and prevent browsing certain sites, among other enterprise-class security features, said Ken Dulaney, an analyst at Gartner. "I'm 99 percent sure that's not where the iPhone is taking it. If [such security features] came from anywhere, it would be from third parties. BlackBerrys are going to kill [the iPhone] from a security [perspective]."

Note: The BlackBerry's security profile isn't necessarily faultless: Symantec researcher John O'Connor put out a whitepaper on hacking the device in the fall. The paper was subsequently removed from Symantec's site, however; O'Connor said the reason for the removal was that he hadn't considered "the effectiveness of all possible security features that might provide mitigation of the impact of malware and the management of application permissions."

Still, BlackBerry security headlines have covered, among other things, a DoS (denial-of-service) bug in January 2006, the release of exploit code in August 2006 and the ability for attackers to purchase a $100 API developer key to enable data theft off the devices.

Andrew Storms, director of security operations at network security firm nCircle, who called the iPhone a "security nightmare" in a recent post, has gone so far as to post a list of security-related questions that he wants Apple to address in a public forum before organizations "reel this new gadget into" their security policies. To wit:

  • Is data encrypted while in transit?
  • Is data encrypted on the device?
  • Is data encrypted on removable memory?
  • Is data removed if the device hasn't checked in centrally, hasn't received a policy update within a time window or if battery power is too low?
  • Is there S/MIME support?
  • Is there PGP support?
  • Are there electromagnetic analysis countermeasures?
  • Are there DRM applications (ability to read, but not forward data)?
  • Is there user authentication by means of password, passphrase or smart card?
  • Does the device automatically lock and require authentication to unlock?
  • Are the encryption keys stored on the devices, and are they also encrypted?
  • Do the network devices have firewalls?
  • Are the network interfaces disabled by default, and does the user have the ability to disable at will?
  • Is there the ability to remotely lock and disable the device?
  • Is there the ability to remotely wipe and back up data?
  • Is there the ability to centrally develop and enforce policy settings?
  • Is there centralized reporting of all device events—calls made, data transferred and usage statistics?

Gartner plans to recommend that businesses don't allow iPhones to come onto their premises.
