Gartner Blog Network

iPhones Spew Sensitive Data – No Success In Capping Yet

by John Pescatore  |  June 2, 2010  |  1 Comment

I blogged about smartphone security issues a while back, where I listed the four minimum requirements for a smartphone to be safe enough for business use:

To even be considered for enterprise use, a smartphone should at least allow an enterprise to enforce:

  1. Mandatory password (real password, not just 4-digit PIN)
  2. Mandatory activity timeout requiring password reentry
  3. Over-the-air kill capability to wipe and disable device if lost or stolen
  4. Device content encryption

The fifth commandment is generally support for however you interface to your enterprise email, which tends to be ActiveSync.

Last week a security researcher reported that even with all those features on an iPhone, by connecting an iPhone to a Linux PC, he could see all the data, including passwords, stored on the iPhone. An update this week pointed out the problem is worse – the attack works even on a Windows PC running iTunes. It looks like the attack only succeeds when an iPhone has been shut down in an unlocked state, so there is some policy guidance as a workaround until Apple fixes the problem.

But when will Apple fix the problem? Not a peep about the issue from Apple – though if you look at it is hard to find anything meaningful about security, let alone iPhone security. This is one of the dangers of consumerization – vendors aimed at consumer markets are not real big on being rapid or predictable in patching.

As John Girard of Gartner said in “iPhone Security Assessment”:

The Apple iPhone has an improving, but incomplete, security architecture. Basic vulnerabilities in access controls and data protection can be minimized, but not eliminated, with best practices.


John Pescatore
VP Distinguished Analyst
11 years at Gartner
32 years IT industry

John Pescatore is a vice president and research fellow in Gartner Research. Mr. Pescatore has 32 years of experience in computer, network and information security. Prior to joining Gartner, Mr. Pescatore was senior consultant for Entrust Technologies and Trusted Information Systems…

Thoughts on iPhones Spew Sensitive Data – No Success In Capping Yet

  1. A typical page of a digital publication has content produced by editorial and ads, which comprise copy and creatives. Not sure how better content can help – unless you’re terming the combination of copy and creatives as (ad) content.
