iPhone security issues pose various threats to the enterprise, but IT can take some steps to keep sensitive corporate data secure.
There are several ways in which the iPhone -- or corporate data on the iPhone -- can be compromised. Understanding enterprise iPhone security
Identifying enterprise iPhone security issues
Extracting data from an iPhone is fairly easy for hackers. If an iPhone is lost or stolen, even if it’s locked, it’s possible for a hacker to obtain sensitive data. For example, existing software allows hackers to jailbreak phones even if they're locked. The hackers can then run any application or install a script that retrieves the phone's secure keychain entries, which can include account details for accessing enterprise resources.
The iPhone is also susceptible to remote code injection attacks and to hackers intercepting wireless signals. In addition, careless practices by end users, such as syncing data to an unsecured computer or cloud service, can result in unauthorized access to enterprise resources.
Viruses, worms and Trojan horses can also access secure resources for the purposes of disrupting services, causing damage or extracting confidential information. For the most part, iPhone malware hasn't been an issue because Apple tightly controls the applications allowed to run on iOS. But many security experts think it’s just a matter of time before renegade coders develop malware capable of infiltrating iOS. Users who have jailbroken their phones are already susceptible.
Given the rapidly growing number of enterprise iPhones, IT has no choice but to confront these security challenges head on. Wi-Fi security measures, virtual private networks (VPNs) and Exchange ActiveSync are just some of the tools and strategies that can help abate the security risks that come with iPhones.
If iPhones use Wi-Fi networks to connect to enterprise resources, encryption and authentication can help reduce iPhone security issues. Use Wi-Fi Protected Access 2 (WPA2) Enterprise, a protocol that features 128-bit encryption and 802.1X authentication. WPA2 Enterprise is supported natively in iOS, but it requires a Remote Authentication Dial-In User Service (RADIUS) server to handle authentication.
For iPhone users who need remote access to the corporate network, IT can configure the devices to use a VPN. VPNs let iPhone users access enterprise resources over the Internet via connections that can be authenticated and encrypted, thus preventing unauthorized individuals from being able to intercept secure enterprise data. Users can connect through the iPhone’s built-in VPN client or through third-party clients available from companies such as Cisco Systems and Juniper Networks. The iPhone supports industry-standard VPN protocols that help to ensure secure access to network resources.
Microsoft Exchange ActiveSync enables secure synchronization of emails, calendars, contacts and tasks between Exchange Server and authorized iPhones. Exchange ActiveSync also lets administrators implement security policies, enforce password restrictions, perform remote wipes and set inactivity timeouts for the phone. In addition, if the enterprise has implemented Exchange Server 2007 or 2010, Exchange ActiveSync can refresh policies, limit syncing while roaming and prohibit Web browsing and camera use.
Data security, device management and education
IT must take every step possible to protect the data stored on users’ iPhones. That means encrypting transmitted data, using digital certificates for authentication and enforcing strong passcode-lock rules. It’s also important to implement remote-wipe capabilities, in case a phone is lost or stolen. Configuring the iPhone to erase all personal data after a certain number of unsuccessful attempts to unlock the phone will help with data security as well.
Beyond data protection, mobile device management (MDM) is at the heart of effectively incorporating iPhones into the enterprise. IT should consider using MDM software to control iPhones remotely. Admins can also use the iPhone Configuration Utility to create, encrypt and install configuration profiles and manage apps. Controlling app installation, passcode policies and access to browsers and iCloud will lessen iPhone security issues. IT should also make sure that these profiles are digitally signed and encrypted.
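The passcode-lock, erase-after-failed-attempts and configuration-profile advice above can be checked before a profile is deployed. The following is an added example, not part of the original article: it audits the passcode payload of an unsigned configuration profile (an XML property list) against a baseline. The sample profile and the thresholds are constructed assumptions; the payload keys are those of Apple's passcode policy payload.

```python
import plistlib

# Constructed sample profile (not from the article): a passcode payload with weak settings.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
    <key>forcePIN</key><true/>
    <key>allowSimple</key><true/>
    <key>minLength</key><integer>4</integer>
    <key>maxInactivity</key><integer>15</integer>
  </dict></array>
</dict></plist>"""

# Assumed baseline thresholds; replace them with your organization's policy.
MIN_LENGTH, MAX_FAILED, MAX_INACTIVITY_MIN = 6, 10, 5
PASSCODE_PAYLOAD = "com.apple.mobiledevice.passwordpolicy"

def audit_passcode_policy(profile_bytes):
    """Return a list of findings for the passcode payload(s) in a profile."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSCODE_PAYLOAD]
    if not payloads:
        return ["no passcode policy payload present"]
    findings = []
    for p in payloads:
        if not p.get("forcePIN", False):
            findings.append("passcode not required (forcePIN)")
        if p.get("allowSimple", True):  # simple passcodes are allowed when the key is absent
            findings.append("simple passcodes allowed (allowSimple)")
        if p.get("minLength", 0) < MIN_LENGTH:
            findings.append(f"minLength below {MIN_LENGTH}")
        failed = p.get("maxFailedAttempts")
        if failed is None or failed > MAX_FAILED:
            findings.append(f"maxFailedAttempts unset or above {MAX_FAILED}")
        idle = p.get("maxInactivity")  # minutes of idle time before the device locks
        if idle is None or idle > MAX_INACTIVITY_MIN:
            findings.append(f"maxInactivity unset or above {MAX_INACTIVITY_MIN} min")
    return findings

if __name__ == "__main__":
    for finding in audit_passcode_policy(SAMPLE_PROFILE):
        print("FINDING:", finding)
```

A signed or encrypted profile is wrapped in a CMS envelope and has to be unwrapped before `plistlib` can parse it, so run this check on the profile before signing.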
But no matter how diligent IT is when it comes to enterprise iPhone security, users themselves will have to help protect their phones as well. Instruct users to pay attention to the networks and devices to which they connect their iPhones, keep software and firmware updated and implement their employers’ recommended security policies.
The most important (and likely the most challenging) thing users can do to protect their iPhones is to avoid storing any sensitive data on the devices. Anything short of these safety precautions can result in significant risks, and no amount of convenience is worth that.
This was first published in December 2011