Although the Apple iPhone 4S is an incremental upgrade, its new voice-recognition service known as Siri has touched a nerve among consumers. With the press of a button on the phone or a headset, an iPhone user can now command his or her phone to make calls, organize schedules and send text messages and emails.
But Siri bypasses iPhone security and locking features, exposing confidential data to anyone who picks up the device and allowing that person to send messages in the phone owner’s name. It is possible to improve the security of Siri somewhat, but the controls are not as granular and automated as enterprise administrators would prefer.
The iPhone Configuration Utility (iCU), for example, does not let admins entirely disable Siri access on locked phones. Doing so requires hands-on access to the phone, and even then, there's nothing stopping end users from re-enabling Siri later.
iPhone’s Siri security risks
Consider this scenario: A prankster picks up a misplaced Apple iPhone 4S and decides to have some fun. If a screen-lock passcode is set, he cannot access any information on the device by using the touchscreen. But he can hold the physical home button to activate Siri. From there, he can say “text John,” and Siri will provide a list of everyone in the contact list named “John” -- including those in the Microsoft Exchange Global Address List, if the owner has corporate email access enabled.
Siri can tag contacts with relationships, such as “wife” and “boss,” and the prankster can access that information as well. Imagine the interesting text messages and emails he could compose in the name of the owner!
Changing iPhone security settings
The first step to securing the iPhone’s Siri service is to enable Passcode Lock in the General menu under Settings. Basic four-digit passcodes are allowed, but longer alphanumeric codes are recommended. Users can set up Passcode Lock themselves, or admins can enable and enforce it directly through ActiveSync by using the iCU.
For the most part, other Siri security measures are left in the hands of Apple iPhone 4S users, not admins. Once Passcode Lock is enabled, for example, users can disable Siri access from the lock screen -- something admins can’t do from the iCU. A simple toggle in Settings > General > Passcode Lock allows users to switch Siri off, eliminating the prankster scenario described above while still allowing full Siri usage when the phone is unlocked. Users should set the Require Passcode timer to Immediately to ensure the phone remains locked at all times when not in use.
Users can also turn off the iPhone’s Siri service or disable it entirely, which admins also can’t do through the iCU. The option to turn off Siri is available under Settings > General > Siri, and users can disable it by going to the Settings > General > Restrictions menu.
The future of iPhone security
The iPhone’s Siri security situation is troubling, especially for IT administrators whose users have corporate data on their iPhones. Apple should offer more granular control over Siri and its access to other applications and data. A list of per-app settings, similar to those in the Notifications and Location Services menus, would be ideal. And Apple must allow admins to restrict and enforce Siri access through ActiveSync with the iCU.
This was first published in November 2011