iPhone: Enterprise-worthy, perhaps, but secure enough for feds?

iPhone Version 3.1 offers greater security, but some doubt that it’s secure enough for widespread government use

Some of Apple’s recent modifications to the iPhone operating system have made the iPhone enterprise-worthy, according to some network analysts. But it still may be too unsecure for some federal customers.

The first iteration of the iPhone software, back in July 2007, had no corporate e-mail or security support, said Ted Schadler, an analyst with Forrester Research. But two years later, iPhone Version 3.0 offered much more enterprise support for security and policy administration, he said. It allows organizations to turn the iPhone’s camera off and to require stronger password protection, Schadler said.

Then, this October, iPhone Version 3.1 fixed some additional lingering security problems. One of the remaining security stumbling blocks for the iPhone is that application management — the ability to push software updates to an iPhone to make sure that new applications or policies are installed — does not exist. Research in Motion’s BlackBerry had this capability from the start, and information technology departments are notorious for wanting this sort of control down to the device level. But iPhone users have to update their software using iTunes or the iPhone Configuration Utility, Schadler said.

Schadler says that some government agencies, those without classified networks or extremely sensitive information, might want to consider adopting the iPhone for enterprise use.

Not so fast, says Martha Vazquez, a network security research analyst for Frost & Sullivan. Though the iPhone “may have raised the bar enough to enter the enterprise, we believe that it falls short of meeting government requirements, such as FIPS [Federal Information Processing Standard] 140-2 certifications and other common criteria that are needed," she said.

BlackBerry, by contrast, has more than 450 policies that let IT departments control what users can do on their BlackBerry devices, Vazquez said. Further, BlackBerry security features such as code signing—the process of digitally signing executables and scripts to confirm software authorship and integrity — are not available on the iPhone. Nor does the iPhone allow for the installation of anti-malware software, Vazquez said.

About the Author

Trudy Walsh is a senior writer for GCN.

inside gcn

  • artificial intelligence (ktsdesign/Shutterstock.com)

    Machine learning with limited data

Reader Comments

Wed, Dec 23, 2009 Robert Bethesda,, MD

When we talked to Apple about enterprise needs, a high level executive said "our focus is on the consumer. We let them bring it into the enterprise. We don't have to worry about it." Kind of shows you what their viewpoint is.

Tue, Dec 22, 2009 James Alcasid DC

The article hits a point that no one can refute. No FIPS 140-2 validated encryption. The competitors have it and Apple does not. Apple has the hardware and software engineering to create and iPhone just for enterprise but it is not their focus for their consumer oriented device. Apple is making inroads into business and enterprise, driven at their pace and engineering schedule and not by any three letter government agency. As always look to third party vendors to innovate the iPhone for security, policy and encryption.

Mon, Dec 21, 2009 Livermore Ca

There are many good points above. The iPhone is avery user-centric device. By design. I have two concerns that Apple is starting to address. First - as the iPhone is designed to do a recovery boot from the USB interface, it is trivial to load a new OS kernel that does undesired things to the phone - yes, this is similar to a general purpose computer, the point is that this also is a path to circumvent the protections to the data on the device. Corporate, Govt. or otherwise - Second -once you have a device, when you make an image, you get all the cached data that you think is/was deleted - so how can you be sure that the information you wanted deleted really is? Regardless, the security features Apple is incorporating in the device are market driven. This means that if security enhancements are requested - there has to be a market need. Too often security requirements are placed on vendors which result in very little ROI.

Mon, Dec 21, 2009 Brian Murphy, BoxTone Washington, DC

BlackBerry set the standard for enterprise-grade, reliable and secure mobility about a decade ago. History suggests that as the demands of enterprise iPhone users grow, Apple will respond with more native enterprise capabilities.

Mon, Dec 21, 2009

While I agree with all the comments about the shallowness of analysis for this article, one of the comments highlights the usually unspoken dynamic in gov't IT that "it is better to fail conventionally than to success unconventionally" -- a common business concept. In IT, this principle expresses itself through the huge amounts of care-and-feeding Windows PC environments require, with their constant stream of malware and viruses. Yet, the use of these continually unsafe devices with government data is considered normal -- and the more chasing along behind sweeping up the mess, the more stats an organization has about penetration attempts (successful and not), the more they lock down their devices to restrict their use while trying to close the attack vectors that ride on use of the devices, the more an org is lauded as doing "the right thing". Government IT is an exercise in convention; the iPhone threatens that convention, as it is a recognition that consumer tech is really the only viable end user tech. That is the greatest danger of the iPhone, and likely the Android phones as well.

Show All Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group