With iPhones becoming more popular, one important factor in whether companies adopt the device is how they can manage and secure such phones. A Macworld article examines the possibilities for doing so in an enterprise environment, and discusses the new security features added to iOS 4. It covers native security features, but also looks at third-party management servers that can be used with the iPhone. This is a long, fairly complex article, but those who are faced with the challenge of integrating the iPhone into a broader corporate security policy will find that it offers many answers, as well as suggestions for how to go further and solve this problem.
We got wind of a new program today that claims to be able to extract passwords from an iPhone’s keychain. (This would also affect other iOS devices.) The company selling this software claims it is a forensic tool, designed for investigators and, perhaps, network administrators. However, such a tool, which is not very expensive, would allow anyone who “finds” an iPhone to access passwords for e-mail accounts, web sites, and any other software. This means that if you were to lose your iPhone, any passwords you had entered for, say, a banking site, PayPal, or commercial sites that store your credit card information and allow you to make purchases without entering it again would be accessible.
(Note: we’re not mentioning the name of the software or the company, as we feel that such information is detrimental to iPhone users.)
The company’s website gives no price for this program, but given the prices for its other software, the investment in such a program would be minimal for anyone who is interested in cracking iPhones.
For this reason, it is strongly recommended that iPhone users store as few passwords as possible in their device’s keychain. Some, such as an e-mail account password, are required, but it is best not to store passwords for banking sites, commercial sites, or any other sites that could allow a hacker who finds a lost or stolen iPhone to access confidential information. And it’s not just the information that’s at risk; it’s also the user’s identity that can be usurped by gaining access to their accounts.
Apple has responded very quickly to the iOS vulnerability that we presented yesterday. According to Cnet, an Apple spokesperson has said, “We’re aware of this reported issue, we have already developed a fix and it will be available to customers in an upcoming software update.” Apple did not say when this update would be available, but it could be very quick, if the update does nothing other than fix these issues.
Citibank has issued a warning to users that its iPhone app contains a critical flaw that could expose user information to hackers. The app stores this information in a hidden file, and that file is simple to access on a lost or stolen iPhone. Security researcher Charlie Miller said, “By their statement, I’m guessing that the file isn’t encrypted.” He also pointed out that such data is also saved to the host computer that syncs with the iPhone, which is probably more at risk than the iPhone itself.
In any case, users of this app should update immediately to the latest version available from the App Store.
The Library of Congress has issued a statement that allows the breaking of copyright protection in certain cases, as part of the fair use doctrine of copyright law. This statement covers, among other things, the protection applied to a smartphone to limit access to the file system and prevent users from installing software. It is this latter protection that previously denied users the right to jailbreak iPhones.
As the Librarian of Congress says,
Persons who circumvent access controls in order to engage in noninfringing uses of works in these six classes will not be subject to the statutory prohibition against circumvention.
There are six “classes of works” where such circumvention is now allowed:
- Movies (or TV shows) on DVDs, protected by CSS.
- Computer software used on wireless telephone handsets, for purposes of interoperability.
- Computer software circumvented to access a specific type of wireless network.
- Video games, if such circumvention is performed for testing, security audits, etc.
- Computer software protected by dongles which are damaged or obsolete (i.e., no longer compatible with current hardware).
- Ebooks that prohibit text-to-speech features on hardware. (Note: there is a discrepancy between the six classes presented in the Library of Congress’s statement and the full document from the Federal Register linked to in the next paragraph. In the latter document, this specific case, the text-to-speech issue, is listed as being refused.)
It’s the second class, along with the third, that affects the iPhone and other smartphones. (The complete text of the ruling from the Federal Register is available here in PDF form. It more specifically addresses the issue of jailbreaking and the iPhone.)
Apple has issued a statement regarding this decision:
Apple’s goal has always been to insure that our customers have a great experience with their iPhone and we know that jailbreaking can severely degrade the experience. As we’ve said before, the vast majority of customers do not jailbreak their iPhones as this can violate the warranty and can cause the iPhone to become unstable and not work reliably.
We have often stressed that jailbreaking is a risky procedure, irrespective of any warranty issues; it can open up an iPhone or other device to security threats. While it is now considered legal in the US, it still carries a number of risks, and we still recommend that users do not jailbreak their iPhones.
Well, it’s no surprise. Every time Apple releases a major OS upgrade, there’s a security element included. In this case, the new version of iOS (formerly iPhone OS) contains more than 60 security fixes. These fixes, as expected, run the gamut of the OS: from Safari cookies to application sandboxes; from WebKit (the framework for displaying web pages) to, well, WebKit (50 of the bugs fixed are in WebKit alone). (You can find details about the security update here.)
You’ll need a compatible device to install iOS 4 (iPhone 3 or 3G, iPod touch 2nd or 3rd generation), and installation is done through iTunes. Connect your device, then click the Check for Update button on the main screen for the device. It’s a big download, at more than 300 MB.
But what about other devices that run what is now called iOS? Do they have these security flaws? Are we going to see updates for them? The iPad, for one, hasn’t received these fixes; the iOS 4 update for the iPad won’t be ready until the fall. And what about older iPhones or iPod touches? Are they vulnerable?