Any choice links you'd like to share? I'm interested in reading about it.
Copy and paste of my current notes. I haven't submitted it, research is still in progress. I think my final reco is going to be to open up the policy to allow iPhones but only if they're running a 3rd party app to control encryption.
--------------------------Notes-------------------------------------
Current flaws in Apple iPhone security:
- Bypass password and encryption with forensics and/or hacking tools.
This works with all iPhones as of Feb 2010.
From the wired article below:
“Zdziarski said it’s just as easy to access a user’s private information on an iPhone 3GS as it was on the previous generation iPhone 3G or first generation iPhone, both of which didn’t feature encryption. If a thief got his hands on an iPhone, a little bit of free software is all that’s needed to tap into all of the user’s content. Live data can be extracted in as little as two minutes, and an entire raw disk image can be made in about 45 minutes,…”
““If they’re relying on Apple’s security, then their application is going to be terribly insecure,” he said. “Apple may be technically correct that [the iPhone 3GS] has an encryption piece in it, but it’s entirely useless toward security.”
He added that the ability for the iPhone to self-erase itself remotely using Apple’s MobileMe service isn’t very helpful, either: Any reasonably intelligent criminal would remove the SIM card to prevent the remote-wipe command from coming through.”
http://www.wired.com/gadgetlab/2009/07/iphone-encryption/
Walk-through on how to do it (what is now an hour process will eventually turn into a GUI click-button app for kids):
http://tungchingkai.blogspot.com/2009/04/how-to-decrypt-iphone-os-30-beta.html
I also have a 1 hour walk-through video if anyone would like to watch. It’s interesting.
Older flaws in Apple iPhone security:
What this shows is Apple’s track record for security. It also shows that without a 3rd party app for security, we’re going to have to upgrade iPhones with security patches, unlike with BlackBerrys.
- Bypass password and encryption simply by turning device off and on while device is changing from 3G to Edge network.
Works with iPhone 2.2, not with 3.x.
http://www.glandell.com/iphone/bypass-passcode-os-2.2.html
http://www.youtube.com/watch?v=4NWORUthyZU
- Bypass password and encryption by clicking to make an emergency call and tapping the home button.
What makes this more of a concern is that Apple patched it, and then re-broke it.
http://blogs.zdnet.com/security/?p=1809
3rd Party Solutions:
IMO, the only way to roll out iPhones given all of our compliance requirements is to use a 3rd party app to handle encryption, remote wipe, password policies, etc.
There are currently 3 software vendors making 3rd party apps to bring iPhones up to BlackBerry’s level of security.
Tangoe, Sybase, and Good.
I’m currently evaluating Good. The server is $1,500 which includes 5 user licenses.
--------------------------Notes-------------------------------------