iPhone security 'not up to corporate standards'

Analysts have expressed doubts that Apple's iPhone is still secure enough for corporate use, despite improvements announced last week in the new SDK and upcoming 2.0 software.

Share

Analysts have expressed doubts that Apple's iPhone is still secure enough for corporate use, despite improvements announced last week in the new SDK and upcoming 2.0 software.

While many applaud the vastly corporate usability and improved security for iPhone data, they also worry that a lost or stolen iPhone could still lead to potentially damaging data breaches.

Apple has now confirmed it will use both Microsoft's Exchange ActiveSync for push email and data wipe, as well as a Cisco’s IPsec VPN for data encryption when linking wirelessly to private corporate networks.

While most security experts see data encryption as a gold standard security system, "a VPN alone is not a complete security defence for a mobile device," said Gartner analyst John Girard. "I still see the biggest security risk to be the reading of information from a lost or stolen device, and at this time and even with the updated features and tools, the iPhone does not include a mechanism for encryption of all stored data.

"Third-party security tools and secure applications will bring that protection, but it will be months before such tools are delivered."

One IT executive at a major bank, who wished to remain anonymous, said many bank workers wanted to use the iPhone. However, the bank needed more time to evaluate the security innovations in iPhone 2.0 software to see if they would be sufficient to meet internal and government-imposed requirements for data protection.

One vulnerability outside of the VPN could be due to ports exposed on the device that could be accessed even while the VPN is running, Girard said.

Executives at Bluefire Security recently demonstrated such a potential vulnerability, showing how a small data card installed surreptitiously on a person's phone could be encoded to send data from the phone wirelessly to a third party for sniffing.

Girard's concerns were mirrored by Ken Dulaney, another Gartner analyst. Both men also questioned whether the Cisco VPN client will work with other platforms, such as those from Nortel Networks or Checkpoint. "You could have interoperabililty issues," Girard said.

Cisco's Tom Russell, senior director of product management for security, has conceded that "the Cisco VPN client in the iPhone will use Cisco protocols that connect to a Cisco device in a headquarters location", adding that "creating policies outside of established methods creates risk". Still, he said using the Cisco VPN client within the iPhone "reduces risk and does enable the iPhone as an enterprise device".

Cisco's VPN client provides "the highest level of data privacy with the most widely deployed, enterprise-class remote access VPN solution in the market", Russell added.

Find your next job with computerworld UK jobs