Thursday, August 2, 2007

iPhone Security Concerns Exaggerated

One analyst says concerns that the new Apple phone is not ready for big businesses have been overblown.

Jim Dalrymple, Macworld

iPhone security has been a hot topic among researchers and analysts since well before the device was even available to the public in June. While some have been ringing the warning bell that the iPhone is not suitable for the Enterprise, one analyst says those concerns have been overblown.


"I think it has been exaggerated," Andrew Jaquith, security analyst with the Yankee Group, told Macworld. "You have to start with the observation that many of the people that complain the loudest and say it's a security threat tend to be security companies themselves."


Vulnerability management vendor nCircle's Andrew Storms was one of the first when he pronounced the iPhone "our new security nightmare." This was before the iPhone was released.


Gartner analyst Ken Dulaney told IT executives to keep Apple's iPhone away from their networks, eight days before the iPhone hit store shelves.


Jaquith said that security criticisms of the iPhone fall into two categories: that the iPhone is not enterprise-ready, and that it is insecure. Both of these claims, he said, are overblown.


While IT managers may not want to officially support the iPhone on their networks, it will make its way into the enterprise through employees, whether IT likes it or not.


"There are reasons not to support the iPhone - you don't want to support IMAP or the flavor of VPN that the iPhone uses - those are policy decisions," said Jaquith. "Security is not the reason."


One argument researchers have against the iPhone is that it has no data security features. Jaquith counters that the iPhone does support SSL and TLS, and that there is little sensitive data on the iPhone that needs to be encrypted.


The Yankee Group also contends that any ports that must be opened for email connections not tunnelled through the VPN can be placed on non-standard ports, minimizing the risk.


Gartner's Dulaney pointed out that the iPhone doesn't have remote wipe (the ability to erase the phone's data if it is lost) and it doesn't have a firewall. Again, Jaquith said this doesn't matter, because of the type of data the iPhone holds and because none of the iPhone's processes require open TCP/IP ports.


"By contrast, according to Symantec's Ollie Whitehouse, Windows Mobile listens on four ports: 137 and 138 (NetBIOS), 1034 (ActiveSync notifications) and 2948 (WAP push)," said Jaquith. "This does not mean that Windows Mobile is necessarily insecure; it just means that the assumptions underlying the firewall critique do not hold in the case of the iPhone."


In addition, all custom applications that run on the iPhone are web-based, and users do not have access to the underlying file system.


While Jaquith feels analysts have exaggerated security concerns with the iPhone, he would like to see Apple deliver software patches over the air and expand keychain and identity support on the iPhone.


As for enterprises, Jaquith has a few recommendations for them as well, including turning on IMAP-S, using L2TP over IPSec and using non-standard ports.


"Security worries about the iPhone are overblown," said Jaquith. "To boost employee productivity, enterprises would be better served thinking about how to accommodate the iPhone. It's the best phone and iPod I've ever used."
