Wednesday, September 2, 2009

iPhone's False Sense of Security in the Enterprise

Via ComputerWorld -

As an IT security professional, I was tasked with evaluating the iPhone's security features for the enterprise (more iPhone management tests here). Over the past few weeks, I have been testing different aspects of the new iPhone 3GS, particularly the interaction with Exchange ActiveSync (EAS) and device password policies. During my testing, I discovered some strange behaviors with how the iPhone handles device password policies, as well as passwords altogether.

[...]

It has already been proven that the passcode on an iPhone can be removed. The purpose of this article is to point out the false sense of security delivered through Apple's marketing of iPhone features for the enterprise. My testing has revealed that the enterprise security features do not behave correctly and I will point out three flaws with how passwords are handled with the iPhone and EAS.

[...]

Bug 1 -- iPhone does not handle EAS Policies as expected

[...]

Bug 2 -- Passcode Prompt Reveals Too Much Information

[...]

Bug 3 -- Changing your iPhone Passcode

[...]

The iPhone is a great device and is arguably the best mobile device from a usability perspective. Unfortunately, the security features are not quite ready for the enterprise and contain various bugs. In order to safeguard against such bugs, data encryption has to be considered for any type of data protection, but that is another article. Enterprises considering the iPhone for corporate use need to be aware of how the iPhone security features behave and the different ways that data can be breached in the event that the device is lost or stolen.
