By Andrew Storms

Two years ago I took some hard hits from my peers for calling the iPhone “a security nightmare.” Two years later, I can’t find a single person who doesn’t agree that the iPhone is the number one mobile target of security researchers. Fast forward to today: Is the iPhone still a security nightmare or have those problems been relegated to annoyance status?

Last week at one of the Black Hat evening events, I went out of my way to personally thank Charlie Miller for his creative and diligent work finding new and ever more alarming bugs in the iPhone. Charlie needs very few introductions these days due to the notoriety driven by his iPhone security hole discoveries and his history at the Pwn2Own contest. But Charlie is not alone when it comes to iPhone security research. Apple security updates for the iPhone OS now recognize a rapidly expanding list of bug reporters.

The iPhone is now on its third full OS version and Apple has added many new enterprise and security related features. In spite of Apple’s attempts to keep the iPhone a closed system, more is known about its inner workings than any other mobile platform (except possibly the open source development of Android). iPhone popularity isn’t limited to consumers; it is a favorite with security researchers.

One security maxim says that risk increases in proportion to the target landscape. If this is true, then the iPhone represents a significant security risk simply because of its market penetration. The same thing can be said of Microsoft Windows. It’s easy to say that because the iPhone is getting a high level of security attention, it represents a greater threat than other popular mobile platforms such as Windows Mobile or BlackBerry. This kind of thinking is short-sighted.

The reason why the iPhone continues to represent a significant threat to the enterprise is not because of its operating system design or the dozens of security bugs it contains. The iPhone risk continues to escalate because of the way Apple prioritizes and operationalizes security. Apple continues to prioritize usability and features ahead of security. Apple just recently added on-board data encryption to the new 3GS model. Only days after its release, iPhone encryption was shown to be easily subverted. And enterprise security teams operating with limited resources still don’t have a centralized management console for pushing out updates, and the updates themselves are released on Apple’s timing with no advance clues as to timing or content. Enterprises that allow iPhones on their networks must live without vendor-supplied intelligence routinely provided by other vendors.

Today the iPhone might not qualify as a security nightmare, but it’s still a pain in the side of both IT security and operational teams. We would like very much to support and deliver the best tools to our users, and that includes the iPhone. The problem is that Apple’s enterprise management tools just don’t measure up to what is available from Microsoft and BlackBerry. And even when we get in a bind with security issues from other vendors, at least they communicate and lend us a hand with detailed information and risk mitigation steps. It’s time for Apple to get serious about security if they want to grow in the enterprise.
