/ iphone

iPhone security - Still needs work done

Bernd Marienfeldt uncovered a major security hole in iPhones armour (yes, another one).

These risks should be mitigated to acceptable levels. A portable-computing device and -electronic storage media that contains confidential, personal, or sensitive information should use encryption or equally strong measures to protect the data while they are in transit or stored.

The Apple iPhone can’t fully satisfy the requirements. People should understand that the iPhone 3GS fails to provide full disk encryption (FDE) which renders useless by how the phone manages the protection of the encryption key and that the authentication model for the FDE is also broken.
Like most people, I use my iPhone to keep all my personal and professional correspondence within reach whenever I need it. Unlike most people I know what the risks are, both physical as well as logical. And yet I still decided to take my chances. Why? Because the potential loss to me is equal to the cost of obtaining a new device:
  • Probability of someone skilled enough to obtain the information off the pin protected iPhone is very low.
  • It is much more probable that, if my phone was stolen, it would be rebuilt, with all information on it lost.
Now that it is known that logical protection doesn’t afford you much once the attacker has physical access to it, what can you do to keep your data secure?
  1. Treat your electronic wallet the same as you do your money wallet: don’t whip it out everywhere, be careful where you leave it when out on town.
  2. Only carry with you that what you absolutely must: there is no need to have access to absolutely everything from your mobile, just in case.
  3. Keep your mailbox sync to the last few days only. Mail on the go is too keep up with recent stuff, not to archive everything.
  4. Know the risks: if information on your mobile device is damning if it gets public, maybe you shouldn’t keep it on your mobile.