Informal Brain

Just another sign that IBM really “gets it” when it comes to iPhone security. I happen to work at a Lotus Notes shop and we have been taking a strong look at the iNotes Ultralite application for some time now. You may have seen some of my previous posts about the lack of enterprise level encryption for email on the iPhone. This is a show stopper for our company where we manage complex PHI (Personal Health Information) for our customers. We can’t afford to loose even one device (laptop, smart phone) which is not encrypted.

IBM is always concerned about data security for its customers, and as such they decided to make iNotes Ultralite a web app rather than a native iPhone application. IBM felt it was important to customers to insure that all communications between the iPhone and Lotus Domino server be encrypted, and that no data remain on the device in case it was lost or stolen.

[From iPhone in the Enterprise: Lotus iNotes Ultralite - The Unofficial Apple Weblog (TUAW)]

I suspect we will see a native Notes application for the iPhone or a plugin for the native Mail application in the future when encryption is available. Until then, IBM is delivering what we need right now.

In the past couple of days there has been a sudden outcry around the security issue with the iPhone pass code bypass issue. I loved this comment on iPhone Atlas today:

“The iPhone is a computer, just like a desktop computer, and so it can easily be booted in such a way that one can mount the disk and delete or modify the device’s configuration - including the passcode configuration. Cracking the iPhone’s passcode is about as complex as changing the root password on a desktop machine, given physical access.

[From iPhone Security Flaw Is the Tip of the Iceberg - iPhone Atlas]

This is something I have been pointing out for some time now. The iPhone doesn’t have any kind of storage based encryption so as the author of the above quote so readily points out that mounting the iPhone as a disk allows access to the configuration files. This allows easy editing of the PLIST files allowing a hacker to disable the pass code and steal the data.

For some time now I have been calling on Apple to give us encryption as an enterprise feature. I noted in a previous blog post that device encryption was the missing enterprise feature when the 2.0 software was announced. I was in shock when I watched company after company (including the military) laud the iPhone 2.0 software. Did they miss the point that the device can be compromised so easily putting their mobile exchange push data at risk?

We need to pressure Apple to add encryption to the device while fixing these pass code problems. Only encryption will protect the device from being mounted as a disk. Until then I would not store sensitive data on the device using push email from exchange, LDAP or POP3. I would be very careful with webmail solutions. For example, we are asking lots of tough questions to IBM around iNotes for Lotus Notes and how much data it allows in the browser cache.

Ask the tough questions…. and continue to demand encryption.

I challenged myself a few weeks back to completely switch my RSS reading habits over to the Acrylic Times RSS reader.  I have noted in a couple of my previous posts here and here that I had found some some immediate benefits to the amount of time I was spending with RSS feeds.

I am happy to announce that weeks later I continue to find benefit in this new style of reading.  For example, I spend less time leafing through feeds in google reader.  I noticed a number of other people who have tried Times felt that they were suddenly unburdened by unread count syndrome.  Like most people who needs another email like reminder that we are falling behind.  I also switched my reading style on my iPhone to subscribe to a few safari based RSS feeds.  The list is very small and only includes those sites with immediate to the point news, with a small number of daily articles.

So what is the next step?  Well, I would suggest that the Acrylic folks think about building a version of Times for the iphone as a native application.  It would be very interesting to see the same style of RSS overview on the iPhone.  Perhaps some kind of zoom into and out of article with a double tap to show the details like the current Times page curl effect.