The iPhone is not a secure device
In the past couple of days there has been a sudden outcry over the iPhone pass code bypass security issue. I loved this comment on iPhone Atlas today:
“The iPhone is a computer, just like a desktop computer, and so it can easily be booted in such a way that one can mount the disk and delete or modify the device’s configuration – including the passcode configuration. Cracking the iPhone’s passcode is about as complex as changing the root password on a desktop machine, given physical access.”
[From iPhone Security Flaw Is the Tip of the Iceberg - iPhone Atlas]
This is something I have been pointing out for some time now. The iPhone doesn’t have any kind of storage-based encryption, so, as the author of the above quote so readily points out, mounting the iPhone as a disk allows access to the configuration files. This makes it easy to edit the PLIST files, allowing a hacker to disable the pass code and steal the data.
For some time now I have been calling on Apple to give us encryption as an enterprise feature. I noted in a previous blog post that device encryption was the missing enterprise feature when the 2.0 software was announced. I was in shock when I watched company after company (including the military) laud the iPhone 2.0 software. Did they miss the point that the device can be compromised so easily, putting their mobile Exchange push data at risk?
We need to pressure Apple to add encryption to the device while fixing these pass code problems. Only encryption will protect the data when the device is mounted as a disk. Until then I would not store sensitive data on the device using push email from Exchange, LDAP or POP3. I would be very careful with webmail solutions. For example, we are asking IBM lots of tough questions about iNotes for Lotus Notes and how much data it allows in the browser cache.
Ask the tough questions… and continue to demand encryption.