iPhone apps can hack your data, even on 3GS
An iPhone app can steal your private data, even on the super-secure, hardware-encrypted iPhone 3GS. In IT Blogwatch, bloggers debate Jonathan "NerveGas" Zdziarski's astonishing revelations.
Richi Jennings is your humble blogwatcher, who selected these bloggy morsels for your enjoyment. Not to mention pork...
Brian X. Chen had the scoop:
Apple claims that hundreds of thousands of iPhones are being used by corporations and government agencies. What it won’t tell you is that the supposedly enterprise-friendly encryption included with the iPhone 3GS is so weak it can be cracked in two minutes.
...
But contrary to Apple’s claim that the new iPhone 3GS is more enterprise friendly, the new iPhone 3GS’ encryption feature is “broken” when it comes to protecting sensitive information such as credit card numbers ... said Jonathan Zdziarski, ... who teaches forensics courses on recovering data from iPhones.
Dan Nosowitz says it's "incredibly, dangerously easy":
The ease and speed with which he did it is worrisome. Zdziarski claims the iPhone 3GS is thus "useless" to businesses. The iPhone certainly isn't as ubiquitous for corporate use as BlackBerry or even Windows Mobile, but that's starting to change, and Zdziarski is very concerned that the iPhone 3GS's security puts sensitive data at unnecessary risk. He claims that with easily-available software, anybody can break into an iPhone 3GS and start extracting data within two minutes, and access everything on the phone within 45. After reading this, we could see why companies might just be reluctant to trade their BlackBerrys in for a shiny new iPhone 3GS.
Reports Rene Ritchie (no relation):
We’ve heard before that Jailbreaking strips away security layers on the iPhone, though that’s been in the context of the user's own device. This is using the Jailbreak process to actively get at another device’s data. Is Apple going to change the way they implement their hardware-based iPhone 3GS encryption in light of this? Can the current model be made more robust? And what, if any, changes made to keep bad guys out of the iPhone will affect users who simply want to gain access to their own iPhones?
Devin Coldewey thinks business users should take note:
This comes despite assurances from Apple regarding the 3GS’s encryption feature. Bad news for businesspeople of the 21st century, who have glommed onto the iPhone and its service halo like no other device. The wonder-phone has certainly changed the way smartphones and other devices are made, but this isn’t the first time Apple’s security measures have been described as being seriously lacking. ... Apple’s unprecedented success with the iPhone has increased their liability and their vulnerable surface area.
...
If a large business has deployed thousands of iPhones as their official device (which is certainly happening), you can bet there are trade secrets and company files on there somewhere. Whether the risk is worth the convenience of an all-iPhone business network is up to you. But if I had my powerpoints and investors’ balance sheets on a device proven to have a, shall we say, porous perimeter, I’d reassess.
Andrew Charlesworth has the British summary:
The Iphone's built-in encryption software, which has helped to make the posey device so popular with businesses, is about as useful as a chocolate teapot.
...
Live data can be extracted in two minutes. ... The remote kill feature can be circumvented simply by removing the SIM card. ... Last Tuesday, Apple ... was bragging that millions of Iphones have been bought by Fortune 100 companies, US Government departments and universities. Perhaps they would like to form an orderly queue outside One Infinite Loop to ask for their money back.
Chris Ziegler sums up:
The lesson? As overwhelmingly popular as the iPhone may be across every market segment, these guys are still the new kids on the enterprise block -- and RIM (and heck, Microsoft, too) would be wise to stand their ground here.
Don't miss out on IT Blogwatch:
- Pork (the remix)
[here's the original, in case you missed it]
Richi Jennings is an independent analyst/consultant, specializing in blogging, email, and spam. A 24 year, cross-functional IT veteran, he is also an analyst at Ferris Research. You can follow him as @richi on Twitter or richij on FriendFeed, pretend to be Richi's friend on Facebook, or just use good old email: itblogwatch@richij.com.

