Security Advisor

iSecurity: Keeping Your E-mail Safe

How to keep your corporate e-mail and info safe when employees use iPhones to access data.

• By Joern Wettern
• 04/01/2010

As a long-time Windows Mobile user, I've been resisting the iPhone hype. But when I was given a shiny, new, top-of-the-line iPhone last month, I finally gave in. It only took a day until you couldn't pry my new toy from my hands. But after a few days of excitement, I started thinking about iPhone security in a corporate environment, and realized how scary this particular type of cell phone can be. Sure, iPhones are marketed towards consumers, but many people who buy them use them to access their work e-mail and other corporate resources. The good news is that there are ways to address the resulting security risks.

Get Out of Jail Free

One of the iPhone's unique features is the control that Apple exercises over what you can install on it. To put any of the thousands of available "apps" on your iPhone, you must install it from Apple's AppStore, and Apple keeps tight control over what's available there. The primary reason for this may be to maximize Apple's revenue and to block high-bandwidth applications that may create a lot of traffic on its carrier partners' networks. However, it also keeps insecure or dangerous apps off your device.

At the same time, this restriction forces iPhone owners who want functionality that's not available out of the box or with approved apps to take a potentially dangerous route to getting what they want. A process called "jailbreaking" removes Apple's restrictions and lets iPhone owners install whatever they want. Apple insists that doing this voids the device's warranty, but the process is explained in detail on numerous Internet sites and can be easily reversed if needed.

There are many incentives for jailbreaking, starting with the ability to change the iPhone's desktop theme. But jailbreaking also lets you install apps and tweaks that add the ability to save e-mail attachments, use the device as a wireless modem and synchronize to do true multitasking. Unfortunately, jailbreaking can leave the always-connected iPhone open to attacks from the Internet. Few users change their phones' default root passwords after performing the jailbreaks, making it easy for someone to hack into an iPhone or for viruses to spread to the device.

The first reported worm that used this method was confined to Australia and simply changed the desktop wallpaper. But more serious attacks that use the same method are sure to come. If your users synchronize corporate e-mail to private devices or keep other confidential data on an iPhone, you should be worried about an outsider gaining access to this data.

ActiveSync Conundrums

If you let users access corporate e-mail remotely, you need to come up with a strategy to mitigate the resulting risks. One way to address this is to prevent ActiveSync connections from iPhones. You can do this by configuring a policy in Exchange that prevents connections from unapproved devices. If you use ISA Server, Microsoft TMG or another firewall that can examine HTTPS traffic, you could also block HTTP packets containing "DeviceType=iPhone" access.

Of course, this only works if you don't offer IMAP or POP3 connectivity. As an alternative to ActiveSync for e-mail access, you can point users to Outlook Web Access, which doesn't store data on the device. However, OWA is quite usable with Safari -- the iPhone's native browser. If you do want to enable ActiveSync access for iPhones, it's imperative that you work with your users to address the security risks. This includes becoming familiar with the jailbreaking process and assisting users who want to go this route with changing passwords for both the root and the built-in "mobile" user account. Maybe you can even convince your boss to buy you an iPhone so you can adequately prepare yourself.

Another strategy is to allow access only for users who are willing to accept some corporate control over their personal devices. Starting with Version 2 of the iPhone, it's possible to use the Exchange "remote wipe" functionality to remotely clear all data from a device that has been lost or stolen. As with Windows Mobile devices, you and your users should be familiar with this feature and you should establish procedures for when and how to do this. Other Exchange controls, such as requiring a minimum password length and complexity, are also available when an iPhone uses ActiveSync to connect to an Exchange server. Alas, Exchange-enforced encryption of data that's stored on an iPhone is only available for the very latest models.

Since iPhones are still primarily consumer devices, most of them are set up to synchronize with the owners' home computer to transfer music, video and other content. As part of this process, all device data is backed up locally. Unless users select to encrypt this data, your corporate information may be stored insecurely on home computers. To prevent this, users must know about this risk and be trusted to not turn off the encryption. Plus, you should establish clear boundaries as to which corporate data and e-mails may be stored on an iPhone in the first place.

Corporate Solutions

You can avoid many of the security risks by issuing iPhones to users who want to use them for access to your corporate network. In this scenario, you can provision the devices using Apple's enterprise- deployment tools. For example, you can create a profile that sets a password policy, creates application restrictions and pre-defines VPN settings.

If you're willing to go through a rather involved process of registering with Apple, you could even deploy your own custom applications to corporate iPhones using a Web server. However, users could still bypass many of these settings by downloading a different profile from another Web site; it could even be a malicious Web site posing as a legitimate configuration server. And, as you may have guessed, all bets are off if someone decides to jailbreak a company-issued iPhone. So, even if you decide to take control by proactively issuing iPhones to your users, you still need to convince users to not modify them or educate users to break out of Apple's jail securely.