iPhone Security Fix May Reveal Longstanding Vulnerability

The latest release of the OS for iPhones and iPod Touches breaks the Microsoft Exchange Server compatibility of many existing devices. In doing so, it may have revealed that businesses that trusted Apple's assurances about the devices' security were misled.Version 3.1 of the iPhone OS, released last week, apparently fixes a security vulnerability in the previous version that came out last June. But in so doing, it has uncovered what some observers believe to have been deceptive practices by Apple for more than a year. Users who installed the new version on pre-GS iPhones and iPod Touches suddenly found that they could no longer connect to their companies' Exchange servers. When they tried, they got an error message saying that "the account [name] requires encryption which is not supported on this iPod/iPhone."

The encryption requirement is set on the Exchange side, and the wording of the message indicates that the device itself is unable to support encryption, period. The problem is, many iPhone owners have been blithely accessing Exchange servers with that requirement since July 2008, when iPhone 2.0 added that capability. One conclusion is that the iPhone has been confirming to Exchange that it supported encryption when in fact it did not, meaning that business users have been toting around insecure data all this time while thinking they were meeing their company's security policies.

At the moment, there are three fixes for the immediate problem: first, have your company remove the encryption requirement from Exchange. Few companies who bothered to establish that requirement in the first place are likely to remove it just to support old iPhones. Second, replace your iPhone with a new iPhone 3GS -- a great solution from Apple's standpoint, but not so great for a cost-conscious business. Or third, downgrade your iPhone to version 3.0 of the OS if you still have it. That'll restore access to your Exchange server, but if that access was enabled by false confirmation from the iPhone, this approach won't solve the security problem.

So far, Apple has not addressed the issue, so we don't know whether the OS can be modified to support encryption on older devices, or indeed whether those devices can manage encryption at all. This episode highlights in a dramatic fashion the headaches that come with the consumerization of business technology, particularly the addition of personal smartphones to the workplace systems mix. Even more, it raises issues of trust for Apple. As a booster of Apple solutions for small and midsize businesses, I'll be watching closely to see if the company acknowledges and addresses the issue.

Don't Miss: Help Arrives to Secure Mobile Devices