I blogged about smartphone security issues a while back, where I said the minimal four requirements for a smartphone to be safe enough for business use are:
To even be considered for enterprise use, a smartphone should at least allow an enterprise to enforce:
- Mandatory password (real password, not just a 4-digit PIN)
- Mandatory activity timeout requiring password reentry
- Over-the-air kill capability to wipe and disable the device if lost or stolen
- Device content encryption
The fifth commandment is generally support for however you interface to your enterprise email, which tends to be ActiveSync.
Last week a security researcher reported that even with all those features on an iPhone, by connecting an iPhone to a Linux PC, he could see all the data, including passwords, stored on the iPhone. An update this week pointed out the problem is worse – the attack works even on a Windows PC running iTunes. It looks like the attack only succeeds when an iPhone has been shut down in an unlocked state, so there is some policy guidance as a workaround until Apple fixes the problem.
But when will Apple fix the problem? Not a peep about the issue from Apple – though if you look at http://www.apple.com/security it is hard to find anything meaningful about security, let alone iPhone security. This is one of the dangers of consumerization – vendors aimed at consumer markets are not real big on being rapid or predictable in patching.
As John Girard of Gartner said in “iPhone Security Assessment”:
The Apple iPhone has an improving, but incomplete, security architecture. Basic vulnerabilities in access controls and data protection can be minimized, but not eliminated, with best practices.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.