How you can justify the company buying your iPhone - and how to keep it safe from attack

Dark Reading Staff, Dark Reading

July 5, 2007


With the near-insane level of interest in the iPhone now at a dull roar, it's time to figure out how to get the company to buy you one. And it's way past time we really started nailing down what level of security is adequate for a phone -- and requiring it. (See i Caramba! iPhone Hacked Already.)

First, if you want the company to buy you an iPhone, there are at least two guys who figured out how, and you can likely justify a couple of the devices as easily as they did. Gartner is clearly helping to keep these phones out of our shops, but when was the last time a non-IT executive listened to Gartner? IT often doesn’t get a vote.

What we need is a set of rules that every approved mobile phone must follow, allowing us to more effectively block unapproved phones. This will help us keep out phones that aren’t secure, like the first-generation iPhone (although Microsoft is evidently working with Apple to make a future generation of the phone better), and cover our backsides when execs need to have the coolest new toy.

Application Control
With every device, there is likely a list of applications, such as virus checkers, that should be running on it to ensure it isn’t broadcasting things it shouldn’t. The idea that phones can be hijacked and used as spy devices is incredibly scary and likely to become a reality as smartphones from all vendors become more commonplace. Users love to take stuff off of their PCs that they think they don’t need, and the result is often a breach that could have been avoided had they left the damned anti-malware tools alone. The mobile phone needs to be able to report what it's running so we can lock it out of the enterprise network if it isn’t adequately protected.

Users have a nasty habit of installing things that look fun but are actually malware in disguise. A phone, like a PC, is increasingly a target for all kinds of hostile software. And if the user can install anything, you know some things will bypass the security settings and anti-malware software on the phone, thus enabling them to install something that they shouldn’t. You can lock down an iPhone if you detect a threat that could lead to disaster.

Device Control
Phones are increasingly becoming portals to the outside world, with their own networks that can bridge WiFi security and give an unauthorized laptop access. Their built-in cameras can capture confidential information, too, but telling users their cameras are off limits isn't as effective as being able to simply turn the camera feature off altogether.

In addition, we need to be able to encrypt and protect the data on the phone because these things grow legs: A loss could require public disclosure if the mobile phone contained customer, patent, unreported financial, or employee information.

If the data is stolen or lost from the phone, we need to be able to lock out and possibly destroy that data.

These devices will become portals through corporate security, so we need to find a way to shut that down before the wrong folks get access to things they shouldn’t be able to touch.
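The Application Control and Device Control requirements above amount to an admission check: the phone reports its state, and the network quarantines it when the report falls short. The sketch below is an added example, not code from the article or from any vendor it names; the report format, field names and policy values are assumptions made for illustration.

```python
# Hypothetical policy derived from the requirements described in the article.
REQUIRED_APPS = {"anti-malware"}      # must appear in the running-app inventory
REQUIRED_CONTROLS = {                 # control name -> value the policy requires
    "storage_encrypted": True,        # data on the phone is encrypted
    "remote_wipe_enabled": True,      # lost data can be locked out or destroyed
    "camera_enabled": False,          # camera switched off, not just forbidden
    "tethering_enabled": False,       # phone cannot bridge a laptop past WiFi controls
}

def evaluate_posture(report):
    """Return ("allow" | "quarantine", reasons) for a self-reported device posture.

    Fails closed: a missing or malformed field is treated as a violation, so a
    phone that stops reporting is handled like one that reports a bad state.
    """
    reasons = []
    apps = report.get("running_apps")
    if isinstance(apps, list):
        running = {str(a).strip().lower() for a in apps}
    else:
        running = set()
        reasons.append("no running-app inventory reported")
    for app in sorted(REQUIRED_APPS - running):
        reasons.append(f"required app not running: {app}")
    controls = report.get("controls")
    if not isinstance(controls, dict):
        controls = {}
    for name, required in REQUIRED_CONTROLS.items():
        actual = controls.get(name)   # None when the device did not report it
        if actual is not required:
            reasons.append(f"{name}={actual!r}, policy requires {required!r}")
    return ("allow" if not reasons else "quarantine", reasons)

# Constructed sample reports (not real device data).
GOOD = {"storage_encrypted": True, "remote_wipe_enabled": True,
        "camera_enabled": False, "tethering_enabled": False}
COMPLIANT = {"running_apps": ["Anti-Malware ", "Mail"], "controls": GOOD}
TAMPERED = {"running_apps": ["Mail", "Safari"],
            "controls": {**GOOD, "camera_enabled": True}}
SILENT = {}                           # device sent no posture data at all

if __name__ == "__main__":
    for label, rep in [("compliant", COMPLIANT), ("tampered", TAMPERED), ("silent", SILENT)]:
        print(label, evaluate_posture(rep))
```

A self-reported posture is only as trustworthy as the device sending it, so a check like this belongs alongside server-side enforcement rather than in place of it.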

User Authentication Management
Until phones come with consistent biometrics (and likely even after), we need management control over phone passwords. Password-protected notebooks and phones are becoming similar repositories for your data, and there's a good chance that policies initially written for PCs apply to smartphones. We need to enforce these policies on iPhones and other mobile phones.

Passwords (which should have been made obsolete years ago) get lost, forgotten, and need to be reset. Mobile phones should not require a password, but instead should have the ability to lock up their data. The danger of password-protected phones would be an emergency situation where, say, a woman was being raped and couldn’t call for help because she didn’t remember her iPhone password.

Notification Control
If you're sending out an emergency message about anything from a natural disaster to a terrorist attack, you need to be able to alert the employee that this is no spam message. The ability to tie notifications to specific alerts would be a massive help in preventing the kinds of communications problems seen over the last few months in natural and man-made disasters.

We need to be able to set alert sounds so employees know that a particular sound means immediately drop everything and move -- to save their own lives and the lives of their co-workers.

Who Can Do This Now?
I only know of two companies that offer most of these security features now -- HP, with its new enterprise cellphone offering, and Good Technology.

In the meantime, you can probably scare potential iPhone buyers half to death by showing them what the total cost of this phone is likely to be. You can also check out the HTC Touch, which is the only iPhone-like product that can be set up to meet most of these requirements. You can only buy it currently at Dynamism.

And, you can share with your family the high-quality customer the iPhone is attracting and use him as an example of what you don’t want your kids to grow up to be.

Seriously, though, it's well past time we secured these things.

— Rob Enderle is President and Founder of Enderle Group. Special to Dark Reading.
