iPhone giving business a false sense of security

Jay Sartori, security analyst from NetworkWorld.com has written an article on the security of the latest version of the iPhone OS and has found it pretty lacking.

Complaining of “the false sense of security delivered through Apple’s marketing of iPhone features for the enterprise”, he notes 3 flaws in how the iPhone interacts with Exchange server password policies.

The first is that the iPhone does not handle EAS policies as expected: users are able to arbitrarily increase the time-out before the device password locks, despite the policies pushed out by network admins.

The next is that the passcode prompt reveals too much information about the nature of the password, making it easy for attackers to see when you are using a simple 4-digit numerical password, and therefore revealing that there are only 10 000 possible codes (and the first 2 are probably 19—).

The last is that once you realize your simple 4-digit numerical password is insecure, the iPhone software makes it impossible to upgrade your password to a longer, more complex one, locking you into using just another 4-digit password.

While commending the device on its usability, he maintains that “unfortunately, the security features are not quite ready for the enterprise and contain various bugs.”

