Report: Apple iPhone fails security 101

Posted by Aharon Etengoff

A security researcher has claimed that Apple's iPhone fails to adequately protect user data from unauthorized access.

"People should understand that the iPhone 3GS fails to provide full disk encryption (FDE) which renders useless by how the phone manages the protection of the encryption key and that the authentication model for the FDE is also broken," Bernd Marienfeldt wrote in a recent blog post.

Report: Apple iPhone fails security 101"Most of automatic sync and update features are built around Microsoft's Exchange Server. However, important security profile management and updates can be achieved by manual interaction of the user without using Exchange."

Marienfeldt also noted that the iPhone's operating system was specifically designed to "only run" software with an Apple-approved cryptographic signature.

"This should protect from malicious third-party applications but it certainly leaves authority and actual security management fully in the hand of Apple," he explained.

"There is no open source code involved and applications can only be chosen from Apples apps store. Apples recent removal of random content and apps makes users wonder if the trust in Apple is justifiable."

According to Marienfeldt, security restrictions can be easily "overcome" by jailbreaking the device, which involves replacing the iPhone's firmware with a slightly modified version that does not enforce signature checks.

"Jailbroken phones are at risk for an iPhone worm and system compromise through malicious applications...[And] there is no way to directly encrypt or sign your email."

Finally, Marienfeldt revealed that he had discovered a critical data protection vulnerability on PIN-code protected, non-jailbroken 3GS iPhones.

"This...flaw exposes music, photos, videos, podcasts, voice recordings, Google safe browsing database, game contents...in my opinion, [this is] the quickest compromising read/write access discovered so far, without leaving any track record by the attacker.

"It's about to imagine how many enterprises (e.g. Fortune 100) actually do rely on the expectation that their iPhone 3GS's whole content is protected by encryption with an PIN code based authentication in place to unlock it."