Apple has a knack for producing consumer friendly technology, and they have done it again with its Apple iPhone OS 3.0 software, which will be available later this summer. But in the process they've exposed the smartphone to new areas for hackers to target. The new iPhone software has many exciting new features for consumers. Features such as landscape editing, viewing of email and text files and access to corporate applications through...
browsers, means this handheld device will be a significant issue for security teams.
Apple iPhone security:
Apple iPhone app could boost two-factor: IT costs and user acceptance has hindered deployments of two-factor authentication. But a new Apple iPhone application could increase use once available for other smartphones.
Is the iPhone amenable to any method of email encryption? When it comes to sending and receiving email, the iPhone offers some security benefits.
iPhone security issues revolve around the classic problems of data protection and software integrity. The Apple device is a highly distributed and powerful computer that is always connected to the network and always vulnerable to security glitches. The new features in iPhone 3.0 that should raise a few security concerns are the Apple Push Notification Service, copy/paste and search, and Bluetooth peer-to-peer communications.
- The Apple Push Notification Service allows Apple to automate distribution of third-party software updates and upgrades through certified Apple Store servers. This is great for application developers who only have to upload application software changes to Apple and then let Apple manage the distribution to the iPhones; and great for users who get upgraded even when the affected application is not running. However, an automated upgrade stream can create a gaping security hole. IT should evaluate methods to control which applications users put on their devices and to ensure the update stream can only be initiated from authenticated Apple servers.
- The ability to copy and paste data between applications is a nice feature for writing messages, embedding maps, videos or voice annotations in the body of a file. Local copy/paste also provides an opportunity for the user to move confidential information outside the realm of IT control. The easiest way to secure data on handhelds is to ensure the data never resides on the iPhone in the first place. Enforce security policies that either require virtualized data access via a remote display protocol or require browser access only. If sensitive data must reside on the iPhone, then explore ways to use the Apple iPhone OS 3.0 search feature to detect its presence and delete or secure the data before it can be lost.
- Apple has added Bluetooth connectivity to the iPhone to make it easy to share applications without fumbling with cables. Bluetooth has a range limitation of approximately 30 feet so man-in-the-middle attacks will be rare. Still, educated iPhone users should use registered passwords to authenticate Bluetooth connections for secure access to the iPhone.
It is likely that Apple iPhones will be compelling devices to access corporate applications due to advances in performance, storage, displays and user interfaces. The convenience of being always connected means that users will be able to access the business wherever and whenever they want. IT should look for security capabilities such as using the Apple iPhone as a two factor authenticator while establishing an SSL VPN connection to the corporate network. The Apple iPhone is a clever device, and with 13.7 million produced in 2008, it is a device that IT security teams need to understand.
Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to firstname.lastname@example.org.