The iPad is becoming increasingly popular in the enterprise: it's a new and fashionable device for reading mail and documents, arranging meetings and giving presentations, and your top management is probably pushing the IT department to acquire and deploy the new platform. Whether or not it is a good solution, our mission is to secure the device and improve overall security. To do this we need to implement or enforce security features, which can be done by setting up devices manually, by creating your own security profile with IPCU (iPhone Configuration Utility), or by installing a third-party suite.
IPCU is available for Mac OS X and Windows. Using this tool you can create an XML-based profile for your mail, VPN, security settings and more, and transfer it to your devices via iTunes, mail or HTTP/HTTPS. You can choose to encrypt the configuration using a digital certificate. I ran some tests using an iPad 64GB WiFi + 3G and iOS 4.0.2.
The purpose of the test was to create an iPad platform that supports the following features:
- Push Mail connected with Exchange Server
- Intranet access
- Device Encryption
- Application Control
- Password Protection
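The profile IPCU produces is a property list, so the passcode settings behind the "Password Protection" goal can be checked before the profile is deployed. The following is an added example, not part of the original post or of Apple's tooling; it assumes an unsigned, unencrypted profile, and the sample profile and the baseline thresholds are constructed for illustration.

```python
import plistlib

# Constructed sample profile (not exported from a real device or from IPCU).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.ipad.baseline</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
      <key>forcePIN</key><true/>
      <key>allowSimple</key><true/>
      <key>minLength</key><integer>4</integer>
      <key>maxInactivity</key><integer>15</integer>
    </dict>
  </array>
</dict>
</plist>"""

PASSCODE_PAYLOAD = "com.apple.mobiledevice.passwordpolicy"

# Hypothetical enterprise baseline (assumption): key, acceptance test, finding text.
BASELINE = [
    ("forcePIN", lambda v: v is True, "passcode is not required"),
    ("allowSimple", lambda v: v is False, "simple passcodes are allowed"),
    ("minLength", lambda v: isinstance(v, int) and v >= 6, "minimum length below 6"),
    ("maxInactivity", lambda v: isinstance(v, int) and 1 <= v <= 5,
     "auto-lock unset or above 5 minutes"),
    ("maxFailedAttempts", lambda v: isinstance(v, int) and 1 <= v <= 10,
     "no wipe after failed attempts"),
]

def audit_passcode_policy(profile_bytes):
    """Return a list of findings for the passcode payload(s) in a profile."""
    profile = plistlib.loads(profile_bytes)
    policies = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSCODE_PAYLOAD]
    if not policies:
        return ["no passcode policy payload in profile"]
    findings = []
    for policy in policies:
        for key, ok, message in BASELINE:
            if not ok(policy.get(key)):  # a missing key counts as a finding
                findings.append(f"{key}: {message}")
    return findings

if __name__ == "__main__":
    for finding in audit_passcode_policy(SAMPLE_PROFILE):
        print(finding)
```

A profile that was signed or encrypted with a certificate is wrapped in a CMS envelope and has to be unwrapped before this check can read it.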
Please upgrade your firmware to the latest available version. I'm currently testing 4.0.2 (multitasking, Cisco AnyConnect Mobile support, PDF vulnerability fix and more…)
Do you have a PIN code on your iPhone? Well, while that might protect you from someone making a call or fiddling with your apps, it doesn’t prevent access to your data as long as the person doing the snooping around is using Ubuntu Lucid Lynx 10.04.
Security experts Bernd Marienfeldt and Jim Herbeck discovered something really interesting when they hooked up a non-jailbroken, fully up-to-date iPhone 3GS to a PC running Lucid Lynx.
I uncovered a data protection vulnerability, which I could reproduce on 3 other non jail broken 3GS iPhones (MC 131B, MC132B) with different iPhone OS versions installed (3.1.3-7E18 modem firmware 05.12.01 and version 3.1.2-7D11, modem 05.11.07), all PIN code protected which means the vulnerability bypasses authentication for various data where people most likely rely on data protection through encryption and do not expect that authentication is not in place.
This is what you get via an auto mount without any PIN request:
This data protection flaw exposes music, photos, videos, podcasts, voice recordings, Google safe browsing database, game content by in my opinion the quickest compromising read/write access discovered so far, without leaving any track record by the attacker. It’s about to imagine how many enterprises (e.g. Fortune 100) actually do rely on the expectation that their iPhone 3GS whole content is protected by encryption with a PIN code based authentication in place to unlock it.
This, quite honestly, is a staggering flaw. It basically allows anyone capable of driving a Linux PC to copy data off of an iPhone without the owner of the phone having any idea whatsoever that this has happened.
What’s more worrying is that Marienfeldt and Herbeck think that write access to the iPhone is only a buffer overflow away, which means serious access.
I have added full iPhone/iPod/BlackBerry/Android/Mobile support on fantaghost.com by installing and customizing the WPTouch Plugin.
What is WPtouch?
“More than just a plugin, WPtouch is an entire theme package for your WordPress website. Modeled after Apple’s app store design specs, WPtouch makes your WordPress website load lightning fast on touch mobile devices, show your content beautifully, all while not interfering with your regular theme.” (WPTouch Home Page)