The Standard Chartered Bank is, according to Computer Weekly, moving 15,000 of its staff from Blackberries to iPhones by the end of 2010. Apparently this is because the App Store allows them to “deliver targeted information” and “allow staff to perform more complicated tasks on the go” resulting in “greater employee satisfaction and productivity”.
The article doesn’t specifically mention security issues. SC Magazine’s Ken Munro, however, believes that the iPhone is too risky for use in a corporate environment, and mentions a number of issues that have come to light in recent months relating to 3GS/4 iPhones.
- A default voicemail PIN code on O2 iPhones that allows anyone to access your voicemail if you don’t change it. Well, that’s O2’s issue rather than Apple’s (directly at any rate), and it’s probably not unique to iPhones or even O2, but you might want to change yours. Hopefully, any corporate IT team with half a brain would ensure that didn’t happen on corporate smartphones.
- A PIN-locked iPhone could be accessed via USB from any PC, using IFuse to mount and browse user partitions. No jailbreaking necessary.
- The same attack on a jailbroken iPhone exposes the entire file system, mail, credentials, etc.
He also mentions privilege escalation strategies and MITM (Man In The Middle) attacks over wireless by way of forged SSL certificates.
Note that iPhone 4 and iPad “don’t exhibit quite the same behaviour”, but it appears that SC Mag are looking at handling of sensitive protocols by newer devices, so it will be interesting to see what they find.
Still, there’s a pretty good list of measures in the article for reducing risk in a corporate environment:
- address the voicemail PIN default issue
- consider disabling wireless
- ban jailbreaking
- implement an enterprise management solution
- make “good practice” information available
- watch for reports of malware in the App Store
Meanwhile, Computer Weekly also tells us that “Businesses not taking mobile security seriously, says Vodafone.” The suggestion here is that business users are likelier to leak sensitive corporate data over their smartphones, but that few organizations are as careful about securing smartphones as they are about securing laptops.