Informal Brain

Just another sign that IBM really “gets it” when it comes to iPhone security. I happen to work at a Lotus Notes shop and we have been taking a strong look at the iNotes Ultralite application for some time now. You may have seen some of my previous posts about the lack of enterprise level encryption for email on the iPhone. This is a show stopper for our company where we manage complex PHI (Personal Health Information) for our customers. We can’t afford to loose even one device (laptop, smart phone) which is not encrypted.

IBM is always concerned about data security for its customers, and as such they decided to make iNotes Ultralite a web app rather than a native iPhone application. IBM felt it was important to customers to insure that all communications between the iPhone and Lotus Domino server be encrypted, and that no data remain on the device in case it was lost or stolen.

[From iPhone in the Enterprise: Lotus iNotes Ultralite - The Unofficial Apple Weblog (TUAW)]

I suspect we will see a native Notes application for the iPhone or a plugin for the native Mail application in the future when encryption is available. Until then, IBM is delivering what we need right now.

Start counting down the days and refreshing your App Store icons starting tomorrow. The long awaited refresh of the Facebook iPhone app is upon us.

Thanks everyone for being patient waiting for me to finish Facebook for iPhone 2.0. The good news is, I plan to submit the update to the iPhone App Store a week from today. That doesn’t necessarily mean you will be able to download it a week from today - Apple reviews every application before making it available, and they can sometimes take up to a week. So, you may get the update as soon as next Wednesday, or as late as October 1st.

[From Facebook | Facebook for iPhone's Notes]

The new photo tagging looks absolutely wild. It looks like it leverages touch services so you can tap the photo after you have taken it on the device and tag it with your contacts on the phone using touch gestures. Brilliant!

Just when you thought you got rid of that incriminating email on your iphone, or removed that suspect web site from your cache you might be surprised to hear that the iPhone captures an image of the application when the “home” button is pressed.

As widely reported, the iPhone takes a screenshot every time the home button is pressed so that the 3D “zoom” effect can be processed when the application zooms in and out, when suspending and resuming applications. These shots are stored, at least temporarily, on the device, presenting potential privacy issues.

[From Keeping Your iPhone From Spying on You - iPhone Atlas]

A forensic analyst can retrieve the images from the phone by mounting the disk and using data recovery tools to reconstruct the images as they are not actually removed from the disk, just the pointers to the files are removed. This continues to demonstrate that the iPhone cannot be treated as a secure device. The iPhone atlas site demonstrates a way to disable the image storage on a jail broken phone. For the average user, be aware that your iPhone is keeping a log of your activity.

I continue to make the argument for encryption. To make that a reality, with good performance, Apple may need to embed a dedicated encryption processor to the device.

In the past couple of days there has been a sudden outcry around the security issue with the iPhone pass code bypass issue. I loved this comment on iPhone Atlas today:

“The iPhone is a computer, just like a desktop computer, and so it can easily be booted in such a way that one can mount the disk and delete or modify the device’s configuration - including the passcode configuration. Cracking the iPhone’s passcode is about as complex as changing the root password on a desktop machine, given physical access.

[From iPhone Security Flaw Is the Tip of the Iceberg - iPhone Atlas]

This is something I have been pointing out for some time now. The iPhone doesn’t have any kind of storage based encryption so as the author of the above quote so readily points out that mounting the iPhone as a disk allows access to the configuration files. This allows easy editing of the PLIST files allowing a hacker to disable the pass code and steal the data.

For some time now I have been calling on Apple to give us encryption as an enterprise feature. I noted in a previous blog post that device encryption was the missing enterprise feature when the 2.0 software was announced. I was in shock when I watched company after company (including the military) laud the iPhone 2.0 software. Did they miss the point that the device can be compromised so easily putting their mobile exchange push data at risk?

We need to pressure Apple to add encryption to the device while fixing these pass code problems. Only encryption will protect the device from being mounted as a disk. Until then I would not store sensitive data on the device using push email from exchange, LDAP or POP3. I would be very careful with webmail solutions. For example, we are asking lots of tough questions to IBM around iNotes for Lotus Notes and how much data it allows in the browser cache.

Ask the tough questions…. and continue to demand encryption.

So far I have noticed two positive changes with the 2.0.2 update:

1) The keyboard performance is much, much better across the entire device. Lag has been significantly eliminated when typing.

2) Something has been tuned with the 3G network usage. For example I am seeing the device drop to the EDGE network far more often. This is good, in that previously the device would hold on to the 3G connection too aggressively. I would see the device frequently become hot with 1 bar of 3G and then go to no service. Now, the device immediately switches to EDGE. I am going to try and turn on push tomorrow and see how the device battery holds out. The battery life today and yesterday has been very good.

So far 2.0.2 appears to be a turn in the right direction.

UPDATE: Version 2.0 is now out. Read my review here.

Phantom Fish just released version 1.0.1 of their offline Google Reader iPhone application called Byline.

There is lots to like about this new version. Google Reader does a nice job of feeding you relevant news from your collection of feeds using its automatic ordering algorithms. This continuous river of news works great for the iPhone where you don’t have lots of time to drill into each feed. I hear tag based filtering is coming. Not a big feature for me because I trust googles ordering algorithm seems to keep the fresh, relevant items near the top of the list.

The first big change you see when you scroll to the bottom of the new items like you get a handy “Mark All Items As Read” link. This was probably my biggest complaint about the first release. You can also now, swipe any item to mark it as read. I nice quick action to push it off the list.

Once you tap an item you get an enhanced menu at the top. The first thing you see is a new “share” button. Let’s hope in a future release they will add the ability to tag a small note just like in Google Reader to the item.

All in all, if you are looking for a great RSS reader for the iPhone and you are a Google Reader fan, I can now recommend ByLine as a great purchase.

http://mobileforensics.files.wordpress.com/2008/02/iphone_passcode_workaround.pdf

This type of information shows the iPhone is not ready for enterprise use where critical information may be stored on the iPhone device.

I continue to call for a strong encryption solution.

See below:

Earlier this week, the iPhone Dev Team released WinPwn 2.0, a tool that allows Windows users to jailbreak iPhone 3G units. However the initial release was affected by an issue that caused the Ipwner component to crash. A new version, 2.0.0.3, has now been released, resolving this and other issues.

Jailbreaking allows full read/write filesystem access and the installation of unofficial third party applications.

[From WinPwn 2.0.0.3 successfully jailbreaks iPhone 3G for Windows]

Notice the full read/write access to the filesystem. In fact that is the biggest risk item to an organization deploying iPhones for corporate use. If one of these devices falls into the wrong hands it is probable that someone could jailbreak the device and access the data stored there.

We are even questioning if webmail is a good enough solution. What happens if sensitive materials are stored in the browser cache?!

I really suggest organizations think twice before deploying the iPhone as a corporate device. Know the risks to the email, calendar or browser data that could be stored on the device’s flash memory; then make an informed decision.

Encryption is the answer, I call upon Apple to deliver it.

Look at this forum post:

http://discussions.apple.com/thread.jspa?threadID=1602608&tstart=0

Look at the statistics on the forum post below!

Wow, that is one large number of views, and comments.

What do you think?

A little more research today. Appears like the applications are chewing up the battery. When the phone is put into sleep mode it doesn’t appear the applications are closing down their IP threads. Potential related 3g connectivity problems would then force the radio to power up while in your pocket, on your desk etc. Many people on the net saying their usage time is extremely high compared to standby when they had the phone locked most of the day.

Appears applications that poll for new messages (NetNewswire, Twitterific, Facebook, etc) are key culprits.

Try a test. Leave an application which polls for new data active, and sleep the phone. You may just notice your battery runs down very, very quickly.

Thoughts?