Network World

Jamey Heary

Security Updates plus 46 Security fixes – iPhone Is Enterprise Ready Now!?

iPhone Enterprise Security finally comes into its own

By jheary on Sat, 06/20/09 - 7:15pm.

The recent disclosure of 46 security fixes in the iPhone 3.0 software is just one piece of the evidence that the iPhone is ready for Enterprise adoption.
For years BlackBerry has set the standard for Enterprise-class smartphone security features. That has endeared it to businesses the world over and made BlackBerry the undisputed leader in the Enterprise smartphone sector. The release of the iPhone 3G did little to challenge that dominance. With its latest hardware and software upgrade Apple takes another shot across BlackBerry's bow. Will it be more than a warning shot this time? Should BlackBerry be wary of the new iPhone 3GS and the 3.0 software? Will the iPhone 3GS measure up to the security standards that Enterprises have come to expect from their corporate smartphones? Only time will tell for sure, but it looks promising for Apple.

First, let's review the considerable number of security fixes Apple put into the iPhone 3.0 software: 46 in total. Of those 46, Apple lists 12 as "may lead to arbitrary code execution". Contrary to what your first reaction might be, this is excellent news. No other smartphone vendor has publicly demonstrated such a comprehensive commitment to secure coding practices and code review. All code will inevitably be found to have vulnerabilities; after all, humans write it. (A raw count says little on its own, since it also reflects how much code the platform carries and how many outside researchers are looking at it; what matters is that the holes are found, documented in an advisory and shipped as fixes rather than patched silently.)

What truly sets one company apart from another is its commitment to a secure coding methodology and a code review process. Given the sheer breadth of Apple's iPhone 3.0 security fixes, it is evident that the iPhone team has adopted these practices, and that should be a real differentiator for any business comparing the security of different smartphone manufacturers. Add to this that iPhone OS is largely derived from Mac OS X, so the iPhone also inherits much of the respectable security track record OS X has enjoyed over the years.

Now let's look at the baseline security features the iPhone gained with the 2.x code train: a Cisco IPsec VPN client; WPA2 Enterprise wireless with 802.1X authentication; two-factor authentication with token/OTP or PKI certificate support; wireless push of company email, calendar events and contacts over a 128-bit encrypted SSL connection; and iPhone configuration profiles to set and enforce the above corporate security policies. One 2.x feature almost nobody seems to know exists, and which is routinely misreported as a limitation of iPhone security, is alphanumeric passcodes of 4 or more characters with enforcement of special characters. You must push an iPhone configuration profile to the device to enable it; the passcode settings in the phone's own UI cannot turn it on. Here is a screenshot of how it looks when enabled:
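As a worked illustration of the profile mechanism, here is an added example (not code from the original post or from Apple) that generates a passcode-policy configuration profile and re-implements the same rules locally so an administrator can sanity-check a policy against sample passcodes before pushing it. The payload keys (forcePIN, allowSimple, requireAlphanumeric, minLength, minComplexChars, maxFailedAttempts, maxInactivity) are the documented keys of Apple's com.apple.mobiledevice.passwordpolicy payload; the identifiers, organization name and policy values are placeholders, and the local checker is an assumption about how the device applies those keys, not Apple's code.

```python
"""Build an iPhone passcode-policy .mobileconfig and check candidate passcodes
against the same rules. Added example; identifiers and policy values are made up."""
import plistlib
import uuid

# Policy values are placeholders for illustration; choose your own.
PASSCODE_POLICY = {
    "forcePIN": True,             # a passcode is mandatory
    "allowSimple": False,         # forbid repeating or sequential codes (1111, 1234)
    "requireAlphanumeric": True,  # at least one letter and one digit
    "minLength": 8,
    "minComplexChars": 1,         # number of non-alphanumeric characters required
    "maxFailedAttempts": 10,      # device erases itself after this many failures
    "maxInactivity": 5,           # minutes of idle time before auto-lock
}


def build_profile(policy: dict, org: str = "Example Corp") -> bytes:
    """Return a .mobileconfig (XML plist) carrying a single passcode-policy payload."""
    payload = {
        "PayloadType": "com.apple.mobiledevice.passwordpolicy",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.passcode",  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Passcode policy",
        **policy,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile",   # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{org} security baseline",
        "PayloadOrganization": org,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def parse_profile(data: bytes) -> dict:
    """Round-trip helper: parse the plist back so the payload can be inspected."""
    return plistlib.loads(data)


def _is_simple(code: str) -> bool:
    """True for all-same (1111, aaaa) or stepwise sequences (1234, 4321, abcd)."""
    if len(code) == 0:
        return False
    if len(set(code)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(code, code[1:])}
    return steps in ({1}, {-1})


def passcode_violations(code: str, policy: dict) -> list:
    """Return the names of the policy keys a candidate passcode violates.

    An empty list means the passcode is compliant. This mirrors the device-side
    enforcement as an assumption so a policy can be tested before deployment."""
    if policy.get("forcePIN") and not code:
        return ["forcePIN"]
    problems = []
    if len(code) < policy.get("minLength", 0):
        problems.append("minLength")
    if policy.get("requireAlphanumeric"):
        has_alpha = any(c.isalpha() for c in code)
        has_digit = any(c.isdigit() for c in code)
        if not (has_alpha and has_digit):
            problems.append("requireAlphanumeric")
    complex_chars = sum(1 for c in code if not c.isalnum())
    if complex_chars < policy.get("minComplexChars", 0):
        problems.append("minComplexChars")
    if not policy.get("allowSimple", True) and _is_simple(code):
        problems.append("allowSimple")
    return problems


if __name__ == "__main__":
    print(build_profile(PASSCODE_POLICY).decode())
    for candidate in ("1234", "password", "Tr0ub4dor", "c0rrect-Horse!"):
        print(f"{candidate!r}: {passcode_violations(candidate, PASSCODE_POLICY)}")
```

Install the generated profile through the iPhone Configuration Utility or by emailing it to the device; the checker is only there to catch a policy that is stricter or looser than you intended before users start hitting it.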

With the release of the 3.0 software Apple has added a few important new security features. Top of the list is hardware data encryption, available only on the new iPhone 3GS. As the name says, this feature encrypts all of the data on the device. Exactly how it works I don't know yet, but I am downloading the 3.0 SDK and should have an update soon. Keep in mind that "encrypts all the data" says nothing by itself about how the key is protected, and that is the question that decides what a lost device is worth to a thief.

The second most important is remote wipe. It lets the owner of a lost or stolen iPhone send a command over the air telling the phone to erase itself and restore factory default settings. How the wipe works depends on the model. On an iPhone 3G the 3.0 software performs a bit-by-bit secure erase of the storage and then restores factory defaults. On an iPhone 3GS the wipe simply deletes the hardware encryption key, rendering the data unreadable, and then restores factory defaults. Deleting one key is instant, where overwriting every block takes as long as the storage is large. The other advantage of the 3GS method is that it lets a user restore their data later if the phone turns up: the 3.0 software just puts the deleted encryption key back and the data is readable once more. For that to work, a copy of the key has to exist somewhere off the device, and wherever that copy lives is now part of the data's attack surface. The drawback is that if the crypto key is stored locally on the device, how securely is it stored? Could a thief steal your phone, prevent the remote wipe by RF-shielding the phone (a remote wipe only lands on a device that is powered on and reachable), and then find and use the local key to get at the data? This is theoretical for now; nobody seems to know yet how the key is protected.
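To make the two wipe strategies and the "key left on the device" worry concrete, here is an added example (not Apple's code and not from the original post) that models a phone whose flash holds only ciphertext and whose data key sits in a separate key store. It shows crypto-erase (3GS-style: drop the key), overwrite (3G-style: zero the storage), recovery from an escrowed key, and what a thief who copied the key store before the wipe arrived can still do. The cipher is a stand-in (an HMAC-SHA256 keystream in counter mode) so the script runs on the standard library alone; a real device would use AES. The sample data, the escrow arrangement and the class layout are all constructed for the example.

```python
"""Crypto-erase versus overwrite remote wipe, modelled with a stand-in cipher.
Added example; the Phone class and the escrow arrangement are constructed."""
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Deterministic keystream: concatenated HMAC(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with the keystream; encrypt and decrypt are the same operation."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


class Phone:
    """Flash holds ciphertext only; the data key lives in a small separate store."""

    def __init__(self, plaintext: bytes):
        self.data_key = os.urandom(32)   # per-device data encryption key
        self.nonce = os.urandom(16)
        self.flash = xor_crypt(self.data_key, self.nonce, plaintext)

    def read(self) -> bytes:
        if self.data_key is None:
            raise PermissionError("no data key: storage is cryptographically erased")
        return xor_crypt(self.data_key, self.nonce, self.flash)

    def wipe_crypto_erase(self) -> None:
        """3GS-style: discard the key. O(1); ciphertext stays on flash, unreadable."""
        self.data_key = None

    def wipe_overwrite(self) -> None:
        """3G-style: overwrite every byte of flash, then drop the key. O(flash size)."""
        self.flash = bytes(len(self.flash))
        self.data_key = None

    def restore_key(self, escrowed_key: bytes) -> None:
        """Re-install an escrowed copy of the key (the recovery path the post describes)."""
        self.data_key = escrowed_key


def demo() -> dict:
    """Run both wipe styles and the key-extraction scenario; return what each yields."""
    secret = b"Q3 board deck: acquisition target is ACME Corp"  # constructed sample data
    phone = Phone(secret)
    escrow = phone.data_key   # copy held off-device by the owner's recovery service

    # The thief's move: image flash and the key store before the wipe command lands.
    stolen_flash, stolen_key, stolen_nonce = phone.flash, phone.data_key, phone.nonce

    phone.wipe_crypto_erase()
    erased_is_unreadable = False
    try:
        phone.read()
    except PermissionError:
        erased_is_unreadable = True
    ciphertext_survives = phone.flash == stolen_flash

    phone.restore_key(escrow)
    recovered_with_escrow = phone.read() == secret   # owner finds the phone, key comes back

    # The wipe changed nothing for the thief who already holds key, nonce and ciphertext.
    thief_with_extracted_key_reads = xor_crypt(stolen_key, stolen_nonce, stolen_flash) == secret

    phone.wipe_overwrite()
    phone.restore_key(escrow)
    overwrite_is_final = phone.read() != secret      # key is back, but the bytes are gone

    return {
        "erased_is_unreadable": erased_is_unreadable,
        "ciphertext_survives": ciphertext_survives,
        "recovered_with_escrow": recovered_with_escrow,
        "thief_with_extracted_key_reads": thief_with_extracted_key_reads,
        "overwrite_is_final": overwrite_is_final,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The takeaway is the one the paragraph hints at: crypto-erase is only as strong as the protection around the local key and around whatever escrow copy makes later recovery possible, and neither wipe style helps against a thief who keeps the device off the network and pulls the key before the command can arrive.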

Another great new feature is Find My iPhone. It lets a user with a MobileMe account log in and see where their iPhone is currently located. Beyond being a convenience for the user, it is a security feature that could help law enforcement track and catch a thief who has stolen a highly sensitive iPhone. Like remote wipe, it depends on the phone being powered on and reporting in.

So what is the iPhone still missing to be Enterprise ready? Some say it is ready to go now. Not everyone agrees (as usual). They point out that the iPhone needs to offer Enterprises more control over the devices themselves: software upgrades, auditing, policy enforcement, tracking, remote wipe, monitoring, troubleshooting and so on. The leader in this space is BlackBerry Enterprise Server. Without a doubt this would be a valuable addition to the iPhone's feature list, but I'd argue that for all but the largest enterprises it is not a showstopper. Given the superiority of the iPhone interface over other smartphones, if Apple does have this in development then we might see an enterprise smartphone monopoly coming.

What features do you think the iPhone still needs for mass adoption in the Enterprise market? Do you think the latest release is enough?

The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.


thanks

Good article. Don't despair if no one responds, because there is more info and more distractions on the internet than people using it.
you won my "morning coffee" today. :)

Excellent!

thanks for reading and taking the time to comment.

-Jamey

ok

OK, I submitted this article to Mac news sites.

You're welcome. :)

Much appreciated!

Glad you liked it.

-Jamey

Not so sure...

... The article seems biased, to say the least. I'm not sure I'd say Apple's Mac OS X has enjoyed a respectable security track record over the years; they were just less of a target. I'm happy Apple found and fixed 46 security holes; that is responsible coding/updating. I'm also very interested in the HW encryption of the 3GS. The ActiveSync implementation still seems "light" compared to WM6 or BlackBerry. As a former BES admin, the capabilities in the BES were staggering for a corporate managed device. In the days of consumerization in the Enterprise, I'm more interested in segregating the corporate data from the user space. My jailbroken G1 iPhone (OS 2.2.1) lets me get full unencrypted access to my mailbox via SSH. This is bad. The 3GS hardware encryption is great, but am I going to have to mandate that all my users upgrade to the 3GS, and can I enforce it on the backend (as well as a host integrity check for things like jailbroken phones)? Unfortunately, I think not... Yet.

That is the problem...

"Exactly how this works I don't know yet. But I am downloading the 3.0 SDK so should have an update soon."

Unfortunately, that is what I am seeing when people talk about the iPhone. The passion is so intense that people forget about the basics! How can you say something is good if you do not know how it works? :)

Is Apple deliberately trying to miss the Enterprise boat?

Are they deliberately leaving out a task manager? I've been waiting for that for years now. A simple task list that can sync to either my office Outlook or to one of Apple's own products.
How can they get so close and yet miss just a few features?
I also disagree that the lack of enforcement on the iPhone is a showstopper only for larger Enterprises. There are many small and medium sized companies that have enforcement requirements, either by their own policies or by government policies.
I think the largest roadblock to the iPhone becoming an enterprise class device is the popularity of the iPhone itself. So many people already have an iPhone that they are going to want to attach their phone to their company's plan rather than get a new one or have to carry two.

Great article

This is a great article and on point, IMHO. Please let us know as soon as you delve into the 3.1 SDK. I'm curious whether the 3GS HW encryption can/will encrypt ALL data at rest on the iPhone, or only the Apple-deemed 'sensitive' data stored on the phone. There seem to be conflicting reports on this. I'm hoping it is something akin to GuardianEdge or Mobile Armor, etc., where there is pre-boot-level encryption of the entire storage space. Anyone know if and when this type of encryption is possible?
Also, I haven't found a vendor that supports an iPhone CAC (Common Access Card) reader yet. Have you? BIA and Apriva have it 'on the horizon', but I need to ask: what's the hold-up? If the crypto storage APIs are there, and the BT stack is ready, wouldn't this just be a driver code project at worst? BB and Win Mobile already have BT readers, so what gives?

iPhone VPN client fix

Apple did not mention this, but until 3.0 the iPhone VPN client would allow users to cache their password even if the ASA group policy explicitly forbade storing the password on the client system. Time to force users to 3.0.

When they create a blue

When they create a Bluetooth CAC reader for the iPhone I will give Bill Gates my first-born child. Promise. Until then, I'll continue to treat my iPhone more like a toy than a business platform.

About Cisco Security Expert

Jamey Heary, CCIE No. 7680, is the author of the Cisco NAC Appliance: Enforcing Host Security with Clean Access book by Cisco Press. Jamey is a seasoned security technologist with over 15 years in the IT field with 10 years focused on IT security. His areas of expertise include network and host security design and implementation, security regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and Microsoft MCSE. He is also a Certified HIPAA Security Professional. Jamey is currently a Security Consulting Systems Engineer with Cisco, though the opinions expressed here are his own. Jamey is a member of Network World's Cisco Subnet blog community.
