IPhone security: Nightmare for IT or no big deal?

Apple Inc.'s iPhone will prove to be a security nightmare to corporate IT when it debuts Friday. Or it may fuel a surge in mobile malware. Or it won't change the security landscape one whit. Take your pick, said security researchers and analysts today.

With details still unclear -- Apple has said next to nothing about iPhone security -- it's no wonder that the device's vulnerabilities are in the eye of the beholder, even if those beholders are professionals who make their living researching vulnerabilities and blocking exploits.

"It's a nightmare for security teams," said Andrew Storms, director of security operations at nCircle Network Security Inc. "What I'm afraid of is that enterprises are going to get pressure from, say, sales, to bring this in. And even if it's not approved, people will try to connect it to their corporate networks. It has no place in the enterprise."

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Apple Inc.'s iPhone will prove to be a security nightmare to corporate IT when it debuts Friday. Or it may fuel a surge in mobile malware. Or it won't change the security landscape one whit. Take your pick, said security researchers and analysts today.

With details still unclear -- Apple has said next to nothing about iPhone security -- it's no wonder that the device's vulnerabilities are in the eye of the beholder, even if those beholders are professionals who make their living researching vulnerabilities and blocking exploits.

"It's a nightmare for security teams," said Andrew Storms, director of security operations at nCircle Network Security Inc. "What I'm afraid of is that enterprises are going to get pressure from, say, sales, to bring this in. And even if it's not approved, people will try to connect it to their corporate networks. It has no place in the enterprise."

Storm's problem with the iPhone stems from the lack of a security management tool that could enforce company policies about which devices connect to the network and when. "There are no central management tools. If there was a product that integrated with [Mac] OS X Server, it would be a totally different story," said Storms. "Apple has been quiet about enterprise security, so we have to expect and plan for the worst."

Neel Mehta, team lead for Internet Security Systems Inc.'s advanced research group, agreed -- up to a point.

"All the press around the iPhone makes it a very enticing target for hackers," said Mehta, who has forecast malware aimed at the new device will be developed in the near future. "The fact that it runs Mac OS X means that there is a good possibility that vulnerabilities found on the OS will also affect the iPhone. [Hackers] may be able to port the hacks they find on one to the other."

But Mehta also said he sees an upside to iPhone security. One likely boon: the omission of an software developer's kit for the phone. The decision to forgo an SDK and instead force application writers to deliver software and services through the embedded Safari browser may have disappointed developers, but it got a thumbs-up from Mehta.

"The lack of an SDK will limit the development of viruses and worms," he argued. "Without one, it's going to be very challenging [for anyone] to run any software on the iPhone."

And even if malware authors manage to overcome the difficulty, Mehta doesn't expect the iPhone's world to come crashing down -- at least not right away. "I think we'll begin to see attempted exploits, if they do appear, very quickly after the iPhone launch," he said. "It will probably be more attractive as a research target than an exploit target, because the market share just won't be comparable to other platforms for a long time to come."

David Goldsmith, one of the principals at security consultancy Matasano Security, and a co-founder of @stake Inc., downplayed potential iPhone security issues even more so than Mehta. There are much more important things to worry about, he said.

For more enterprise computing news, visit Computerworld. Story copyright Computerworld, Inc.