
nCircle Sync Blog

Response to iPhone security concerns exaggerated

MacWorld recently published an article stating that analysts have exaggerated security concerns of the iPhone. Some of the statements in the article regarding the security of the iPhone and the overall security of mobile computing deserve further commentary. While I for one have taken it "on the chin" for not jumping on the I-Heart-The-iPhone bandwagon, the purpose of this follow up is to set a stage for an open discussion on overall smartphone risks to the enterprise.

(Those statements printed by MacWorld and in the voice of Andrew Jaquith are quoted below).


Policy Always Includes Security

"There are reasons not to support the iPhone - you don't want to support IMAP or the flavor of VPN that the iPhone uses - those are policy decisions," said Jaquith. "Security is not the reason."

Policy, whether or not it is directly about security, must always account for risk and therefore for security. It may be policy that your supported IT applications do not include particular types of VPN or email connectivity over IMAP, but taking security completely off the table when discussing policy is shortsighted.

Sensitive Data is on the Device

One argument researchers have against the iPhone is that it has no data security features. Jaquith counters that the iPhone does support SSL and TLS and that there is little sensitive data on the iPhone that needs to be encrypted.

When it comes to information security, it's far better to assume that the iPhone will enter the enterprise network and that users of all types will store sensitive data on the device. Looking at the iPhone from a non-business perspective, users are sure to store private data on it to reduce the complexity of their own lives. Items such as an ATM PIN, passwords, social security numbers, a voicemail password and more are all commonly found on cell phones. Let us not forget the Paris Hilton incident years ago, when the data on her Sidekick was stolen. Turning to the iPhone as a business enabler, the email and contacts of any business are certainly confidential and may be considered competitive information. It's certainly better to assume that data encryption will be required than to learn the hard way later.

Gartner's Dulaney pointed out that the iPhone doesn't have remote wipe (the ability to wipe the phone's data if lost) and it doesn't have a firewall. Again Jaquith said it just doesn't matter because of the type of data the iPhone has on it and none of the iPhone's processes require open TCP/IP ports.

How does the absence of listening ports on a device make the lack of remote administration tools any less of an issue? Gartner is correct here; the lack of any centralized, remote policy enforcement for the iPhone makes it a considerably less viable option for enterprise smartphone use. Furthermore, every currently published iPhone vulnerability lies in the MobileSafari web browser. A client-side exploit does not require the device to have open ports, and a firewall provides no mitigation against it.

Security Thru Obscurity

The Yankee Group also contends that opening any needed ports to allow email connections not going through VPN can be done on non-standard ports, minimizing any risk.

Moving standard services to non-standard ports is not a valid risk reduction method. Discovering IMAP bound to an odd port is an extremely easy job for free, readily available tools. Scanning all 65,000+ ports takes less than a day, and once you have the data, it is just as easy to point remote attack tools at a different port.
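As an added illustration of that point (this is example code, not code from the original post), the following Python classifies a network service by the greeting it sends, independent of the port it listens on, and flags services that have been moved off their conventional ports; the inventory data and port table are constructed for the example.

```python
# Added example: a service announces itself in its greeting banner, so relocating
# it to an odd port provides no obscurity. Useful for auditing your own exposure.
import re
from typing import Optional

# Greeting patterns these protocols send before the client says anything.
BANNER_SIGNATURES = [
    ("imap", re.compile(r"^\* (OK|PREAUTH)\b")),
    ("pop3", re.compile(r"^\+OK\b")),
    ("smtp", re.compile(r"^220[ -]")),
    ("ssh", re.compile(r"^SSH-\d\.\d-")),
]

# Conventional port assignments, used only to flag "relocated" services.
STANDARD_PORTS = {
    "imap": {143, 993},
    "pop3": {110, 995},
    "smtp": {25, 465, 587},
    "ssh": {22},
}

def identify_service(banner: bytes) -> Optional[str]:
    """Classify a server greeting by its first line; returns None if unknown."""
    first_line = banner.split(b"\n", 1)[0].strip().decode("ascii", errors="replace")
    for name, pattern in BANNER_SIGNATURES:
        if pattern.search(first_line):
            return name
    return None

def audit_inventory(inventory):
    """inventory: iterable of (port, banner). Returns [(port, service, relocated)]."""
    findings = []
    for port, banner in inventory:
        service = identify_service(banner)
        if service is None:
            continue  # no recognisable greeting; not classified by this check
        findings.append((port, service, port not in STANDARD_PORTS[service]))
    return findings

# Constructed sample data: greetings as a port scanner would capture them.
SAMPLE_INVENTORY = [
    (22, b"SSH-2.0-OpenSSH_4.7\r\n"),
    (143, b"* OK [CAPABILITY IMAP4rev1] Dovecot ready.\r\n"),
    (51234, b"* OK [CAPABILITY IMAP4rev1] Dovecot ready.\r\n"),  # IMAP "hidden" on a high port
    (2525, b"220 mail.example.invalid ESMTP\r\n"),
    (8080, b"Welcome\r\n"),  # unknown greeting, ignored
]

if __name__ == "__main__":
    for port, service, relocated in audit_inventory(SAMPLE_INVENTORY):
        note = "relocated, still identifiable" if relocated else "standard port"
        print(f"port {port}: {service} ({note})")
```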

Custom Apps and File System Access

In addition, all custom applications that run on the iPhone are web-based, and users do not have access to the underlying file system.

Despite great demand for an iPhone SDK, Apple instead chose to deliver a fully functional browser called Mobile Safari. According to Apple, this permits developers to write full Web 2.0 AJAX applications. The downside is that third-party security vendors also cannot deliver the integrated applications the enterprise wants, namely AV, anti-spyware, data encryption and a firewall. Furthermore, access to the file system on an iPhone is now relatively easy: anyone with physical access to the device can run a free tool called Jailbreak. We also recently learned, from the research by Charlie Miller and his team at ISE, that all applications run as root. This means that once an application is exploited, the injected code has access to all applications and data on the iPhone.

Summary

"Security worries about the iPhone are overblown," said Jaquith. "To boost employee productivity, enterprises would be better served thinking about how to accommodate the iPhone. It's the best phone and iPod I've ever used."

The iPhone and all smartphones on the market today are incredibly powerful devices. These pocket computers rival the computing power of the most powerful machines of just 10 years ago. Security worries about any smartphone should not be taken lightly. While the iPhone may just be the latest device to hit the market, how the enterprise decides to take full advantage of mobile computing is a far more important topic.

To learn more about my top list on managing smartphones, read my prior post on "Supporting smartphones in the Enterprise".


About

This page contains a single entry from the blog posted on August 6, 2007 4:06 PM.




Bio

Blog: Sync
Author: Andrew Storms

As nCircle's Director of Security Operations, Andrew Storms is responsible for the definition and enforcement of the company's security compliance programs as well as overseeing day-to-day operations for the Information Technology department.

Andrew's commentary on IT security issues has appeared in CNBC, Forbes and The New York Times, as well as many other publications. He is a Certified Information Systems Security Professional (CISSP), a member of Infragard and a graduate of the FBI Citizens' Academy. Andrew blogs at blog.ncircle.com/sync