Center releases first security benchmarks for iPhone

Center for Internet Security also plans to set guidelines for BlackBerry this year

The Center for Internet Security has released a set of security benchmarks for configuring the Apple iPhone, the first such guidelines for smart cellular phones.

"The risk from mobile consumer devices is rapidly increasing,” said Steve Piliero, the center’s chief security officer. In addition, the devices are often used as enterprise tools, which increases the possible exposure of personal or sensitive organizational information as the devices become vulnerable to malicious code.

“But our research and experience show that most issues for mobile devices are easily preventable,” Piliero added. “These are simple configuration steps that organizations and users can take” to reduce risks.

CIS produces consensus security benchmarks for commonly used hardware and software that are referred to in a number of government standards and guidelines, including the National Institute of Standards and Technology’s Special Publication 800-53, “Recommended Security Controls for Federal Information Systems and Organizations.” The center’s benchmarks can be downloaded at https://community.cisecurity.org/download.

The benchmarks include settings for Version 2.2.1 of the iPhone operating system and the Safari Web browser and guidance for the iPhone Configuration Utility, a downloadable utility from Apple that lets users create, maintain and sign configuration profiles; track and install provisioning profiles and authorized applications; and capture device information, including console logs.

The user community drives the priorities for creating guidelines, said Bert Miuccio, the center’s chief executive officer.

“The community is interested in both iPhone and BlackBerry,” he said. “Apple stepped up and agreed to participate in the development process,” so the iPhone guidelines were produced first. CIS plans to produce benchmarks for the BlackBerry this year.

There has not yet been a major outbreak of viruses targeted at smart phones, but malicious code for them does exist. There are viruses that can flourish in the right mobile environment, said Albert-Laszlo Barabasi, director of the Center for Complex Network Research at Northeastern University. So far, the right mobile environment does not exist, he added.

“The spread of mobile viruses is a social-networking and market share issue, not a technical issue,” he said.

In a study funded by the National Science Foundation and recently published in the journal Science, researchers studied anonymous calling and mobility data from more than 6 million mobile phone users to simulate the spread of viruses. There are two primary vectors for that spread: wireless Bluetooth connections and Multimedia Messaging Service (MMS) on smart phones.

The short range of Bluetooth connections, from 10 to 30 meters, and users’ behavioral patterns slow the spread of viruses via that technology, which gives administrators time to defend against them. Viruses that rely on MMS use address lists to spread without regard to range, but they are limited to a single operating system. To date, no mobile operating system is common enough to support the rapid spread of a virus, Barabasi said.

But a favorable environment for a virus is probably inevitable, he said. “When the connection happens, it will be a very sudden thing. It will not be gradual.”

Worldwide, the Symbian operating system probably has the largest mobile market share, Barabasi said, but other systems, such as the iPhone, could dominate regionally to provide an environment for infections.

The iPhone benchmarks contain more than 20 recommendations for settings, compared with more than 200 control recommendations for a computer operating system, such as Microsoft Windows XP.

Controls for the iPhone system include:

  • Update firmware to latest version.
  • Turn off Wi-Fi.
  • Set networks to prevent automatic rejoin.
  • Turn off ask-to-join networks.
  • Turn off virtual private network when not needed.
  • Turn off Bluetooth when not needed.
  • Turn off location services.
  • Set a passcode.
  • Set auto-lock timeout.
  • Disable SMS preview when phone is locked.
  • Erase data on excessive passcode failures.
  • Erase all data before return, repair or recycle.

Settings for the Safari browser include:

  • Disable JavaScript.
  • Disable plug-ins.

About the Author

William Jackson is freelance writer and the author of the CyberEye blog.

Reader Comments

Tue, Jun 30, 2009 EricE NoVA

Interesting study - would be good for them to update it in light of the new iPhone 3.0 OS release and the hardware encryption built into the new iPhone 3Gs

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above