Securing Your iPhone - Security vulnerabilities
(Page 3 of 4)
While these steps will provide some basic security for your iPhone, unfortunately they won't help you overcome a number of specific security vulnerabilities from which it suffers. None of these are catastrophic - until now, for example, no one has revealed a way to extract all the data off the phone by Bluetooth, or to hack into it through a web browser.
Nonetheless, the flaws are significant enough that they ought to be taken seriously by anyone who keeps private and personal data on their iPhone - and that means just about everyone. Enterprise users and IT departments in particular should be concerned enough to act, as some of the vulnerabilities compromise corporate data protection requirements.
Home key/emergency call vulnerability: This vulnerability, as mentioned above, provoked a strong reaction when it was recently revealed that bypassing the iPhone's passcode protection to gain access to virtually all its sensitive data was in some cases as trivial as tapping three keys. The problem occurs on locked iPhones running firmware version 2.0.2, when the emergency call button is tapped, followed by a double tap on the Home button. This, by default, opens the favorites - obviously as intended by Apple - to enable you to call a favorite contact in the event of an emergency. What Apple surely didn't intend was that you now have access to:
- The full address book
- The dial keypad - from where you can now dial any number
- Voicemail
- All private information linked to your favorites
- All emails on the system - by tapping on an e-mail address in a favorite entry
- The Safari browser - by tapping on a URL in a favorite or email message
- All SMS messaging functions - by tapping Send Text Message in a favorite entry
Apple has acknowledged this problem and says that a fix will be implemented; in fact, at the time of writing, the firmware is already at version 2.2 or later. Fortunately, if you haven't been updating, there is a simple workaround that will protect your data, although it does require you to sacrifice the ability to call a favorite in an emergency without first unlocking the phone. The workaround remaps a double-tap on the Home button to something other than the favorites list, for example Home or iPod.
To secure your phone against the home key vulnerability:
1. Open the Settings application.
2. Tap the General icon.
3. Tap Home Button.
4. Tap either iPod or Home.
All of this clearly makes something of a mockery of the idea of the phone being locked at all. It is an especially severe vulnerability in enterprise environments, since it could be seen to break the terms of Apple's Exchange ActiveSync licensing agreement with Microsoft, which requires the iPhone to have passcode protection. This could leave enterprise managers struggling to control the situation, since Apple has provided no way of either forcing an iPhone firmware update or rolling out the workaround other than manually. Managers therefore have no reliable way to ensure that the iPhones in their organizations are secure.
Lack of encryption: One of the most significant security flaws of the iPhone is its lack of encryption. This is a standard method of securing data, especially in the enterprise, against unwanted access, and the iPhone's main competitors - BlackBerry devices, for example - have encryption built in. Presumably Apple's decision to pitch the iPhone as primarily a consumer device lay behind this omission; but in much of its post-release publicity, the company has made a point of emphasizing the gadget's business credentials. Its functionality and build quality certainly seem to appeal to many IT managers. However, the lack of encryption is just the kind of security hole that will inhibit take-up of the iPhone at the enterprise level.
Although whole-device encryption remains out of reach, it is possible to implement a degree of iPhone encryption, and this is advisable for anyone who keeps sensitive data on their handset. Doing so requires third-party encryption software such as SMobile's CompactCrypt, which encrypts contact information, or Clownware's Firebox, which implements industry-standard Blowfish encryption alongside key strengthening to let you encrypt any data you select.
More By Bruce Coker