Apple's new iPhone - Will it be secure?

Posted Thursday, June 28, 2007 5:33 PM by hwaldron

Below are both positive and negative security speculations regarding Apple's new iPhone. Until this product emerges with more details, it's too early to truly evaluate security in both the home and corporate environments.

Any popular wireless device with Internet access and built-in data storage could become a target.  In personally beta testing Apple's new Safari for Windows browser, I have seen them fix security issues expediently.  Hopefully, a secure architecture has been designed into these new devices. 

Still, folks purchasing this device should "think security" (and I'm hopeful that Apple has done that as well in its design). We should know more next week.

The pros and cons of iPhone security
http://news.com.com/2008-1029_3-6193430.html

quote:

Overall, Mehta thinks the iPhone's security will be better than other smart phones on the market, and he credits the lack of a software developer kit (SDK) from Apple as a definite positive. The absence of an SDK will make writing malware much more challenging, he said, and inexperienced criminals will be scared off. "It doesn't make it impossible," Mehta said, "just harder." Mehta thinks the iPhone will attract a more sophisticated criminal who's attracted to the challenge of hacking a complex system. Also, with Symbian OS-enabled phones currently occupying 40 to 50 percent of the world market, most petty thieves will still be drawn to the lower-hanging fruit.



Analysts: iPhone Has Neither Security nor Relevance
http://www.eweek.com/article2/0,1759,2149610,00.asp

quote:

The iPhone won't go on sale until June 29. Up until now, and probably until it hits retail shelves, Apple has given next to nil information regarding the security features its first smart phone will have, making security analysis little better than conjecture. The few pieces of security background analysts have to go on include these tidbits: 1) The iPhone will run on Mac OS X and 2) the iPhone will run Apple's Safari browser.



Is The iPhone Insecure?
http://www.forbes.com/security/2007/06/19/iphone-security-risk-tech-security-cx_ag_0619iphonesecurity.html

quote:

The iPhone is capable of many of the same smart phone applications as business devices like Research In Motion's BlackBerries. But unlike BlackBerries, Storms says, iPhones are unlikely to have a remote "lock and wipe" function that erases the device's data in the event that it's lost. The phone will use an operating system and a Web browser that have already been available in some form for years, so hackers will have a head start in finding entry points to exploit even before the phone is released. And the iPhone's "closed" operating system makes it impossible to install protection software from security companies like McAfee or Symantec.



The iPhone - Our new Security Nightmare
http://blog.ncircle.com/blogs/sync/archives/2007/06/the_iphone_our_new_security_ni.html

quote:

Questions for Apple regarding the iPhone:

  • Is data encrypted while in transit?
  • Is data encrypted on the device?
  • Is data encrypted on removable memory?
  • Is data removed if the device hasn't checked in centrally, hasn't received a policy update within a time window or if battery power is too low?
  • Is there S/MIME support?
  • Is there PGP support?
  • Are there electromagnetic analysis countermeasures?
  • Are there DRM applications? (Ability to read, but not forward data)
  • Is there user authentication by means of password, passphrase or smart card?
  • Does the device automatically lock and require authentication to unlock?
  • Are the encryption keys stored on the devices and are they also encrypted?
  • Do the network devices have firewalls?
  • Are the network interfaces disabled by default and does the user have the ability to disable them at will?
  • Is there the ability to remotely lock and disable the device?
  • Is there the ability to remotely wipe and backup data?
  • Is there the ability to centrally develop and enforce policy settings?
  • Is there centralized reporting of all device events - calls made, data transferred, usage statistics?