iPhone Security Worthless, Says Developer

Apple’s red-hot iPhone may be gaining ground in the enterprise and government but it’s severely lacking the kind of security features big companies need, claims one developer. Jonathan Zdziarski, a developer and author who specializes in iPhone forensics, told Wired that the iPhone 3GS is as insecure as previous generations of iPhones, which he claims similarly lacked security.

“I don’t think any of us [developers] have ever seen encryption implemented so poorly before, which is why it’s hard to describe why it’s such a big threat to security,” he told the site.

It’s a big issue as the iPhone grows more and more popular with business and government. During the second quarter earnings call, Apple (NASDAQ: AAPL) COO Tim Cook said about 20 percent of Fortune 100 firms had purchased at least 10,000 iPhones, with some going as high as 25,000. Government agencies were also making mass purchases.

The iPhone is gaining across the board as not just a specific, narrowly-defined device but a general purpose one, said Ben Bajarin, analyst with Creative Strategies. “It’s interesting to watch how it’s being used. Universally they are being deployed in a general sense, for everyone to use across the board. It’s because of the power of the platform they can write so many apps for it,” he told InternetNews.com.

Palm and Windows devices were being rejected by many corporations that needed a full computing device, not a narrowly-defined one like PDAs. “They didn’t want a truncated app to run their ERP or CRM apps. Now you are seeing that kind of power in the iPhone, with the same kind of power that can tie back into your back end systems,” said Bajarin.

Easily broken?

Obtaining data still requires one to physically possess the iPhone; it’s not like it can be hacked remotely while in one’s possession. That said, Zdziarski said if a thief were to obtain a phone, live data (like the contact list) can be extracted in as little as two minutes, and an entire raw disk image can be made in about 45 minutes.

The vaunted self-destruct command, demonstrated by Apple at the 3GS launch last June, is easily circumvented with a paper clip. Just leave the phone off and pop out the SIM card.

Zdziarski used his own tools to break the encryption, and has uploaded videos to YouTube showing how easy the process is. He has not distributed the tools he used but said they would be easy enough to create.

He said it’s possible to steal an iPhone’s disk image with a jailbreak tool, which breaks Apple’s security and allows, among other things, for installing a custom kernel on the phone. It’s then possible to install a Secure Shell (SSH) client to copy the entire raw disk image to another computer.

Apple did not return calls for comment, nor did Zdziarski reply to a request for comment.

Bajarin said that while the phone may have security shortcomings, it’s not like people store their sales databases on it.

“From an enterprise standpoint, that sensitive data doesn’t reside on the client, they reside on the cloud. So even if a device like that was stolen, no critical data resides on the client,” he said.
