Security Basics mailing list archives

Re: iTunes for iPhone in an Enterprise


From: Francois Lachance <digitallachance () gmail com>
Date: Sat, 27 Nov 2010 01:59:50 -0600

So nobody sees an issue with the number of security related bugs in
iOS, or the fact that at one time you could be jailbroken just by
browsing a web site, or by the fact that you have no way to control
what apps your users can install?  At least with a BlackBerry BES I
can control any aspect of the devices centrally.  I don't think that's
possible on the iPhone, at least not without a third-party add-on.

It seems like every update released by Apple for the iPhone contained
at least one security vulnerability fix.  Not so for the BlackBerries.
There have been a few vulnerabilities on the BES (all related to the
PDF rendering), and all that was required was to upgrade one server,
not every device.  I am not saying that there are no bugs in
BlackBerry devices, but so far, none that have had a security
implication. Am I being paranoid here?

Please someone set me straight if I'm wrong here.

Thanks,

Francois

On Tue, Nov 23, 2010 at 5:31 PM, Florian Rommel <frommel () gmail com> wrote:

Actually with the release of iOS 4.2 and a little bit of tinkering we have our iPhones more secure than most of our
HTCs, Windows Mobiles or even device-managed Nokias.

Exchange remote wipe and the MobileMe Find My iPhone service are very nice additions. However, we follow the same
principle. IT has an iTunes machine, everyone else has nothing and cannot do anything. We had a few incidents where
people connected their iPhones to their home PC and wiped them to hook them up to their iTunes in order to jailbreak
or install apps. This caused several disciplinary actions up to a dismissal in one country.

Since then it has been nice and smooth. I don't see what the fuss is about anymore. With passcode wipe and remote
wipe and lock settings it's all OK on our end... So far that is..

//f

On Nov 24, 2010, at 12:01 AM, Teena Horne wrote:

J. Teddy, just wondering, what is the need for iTunes to be available in the corporate environment just because you
use iPhones?  In our environment we support Windows Mobile, Androids, or iPhones.  No one here has iTunes installed
on any business PC for their iPhones and they don't need it.  One machine has it so I can activate the iPhones when we
first get them.

Adrian, I certainly agree with your assessment of the iPhone for a corporate environment, but I was shot down for
keeping them out on account of the Exchange server being able to remote wipe the phone.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Adrian J Milanoski
Sent: Saturday, November 20, 2010 12:56 AM
To: J Teddy
Cc: security-basics () securityfocus com
Subject: Re: iTunes for iPhone in an Enterprise


Hi,

Sorry to burst your bubble about your iPhone in the corporate world,
but I personally would not even attempt the iPhone/iTunes in the corporate
world. It was never designed for that.

Personally I have and use an iPhone; it's great as a 'personal' phone
and no more. Having the ability to deploy and manage the security
aspects of things is much more important than applications.
BlackBerries have dominated that market and allow you to do and
manage everything centrally with a BES server. Both Apple and RIM
took different routes with their business: personal and enterprise.

Honestly I don't mean to be negative about this but, if you're taking
this to an enterprise you've got to think about Confidentiality,
Integrity, and Availability.

I have heard of companies wanting to deploy iPhones, but I don't think
anything came of it due to these restrictions. I would be interested
if anyone else has.


Thanks,
Adrian
_________________
Sent from my iPhone

On 2010-11-17, at 7:54 PM, J Teddy <jteddylists () gmail com> wrote:

Yes, my organisation is a little slow off the mark, and we are now
looking at deploying iPhones.

Currently it appears management is not comfortable with users having
iTunes installed on individuals' machines.  I am not sure what these
concerns are.  Apparently other organisations have solved this issue
with using kiosks, and this is the golden bullet that CIOs are
talking about in their circles. A kiosk is simply just an internal
computer that can be used by any employee, and has iTunes installed.

If my understanding of iTunes is correct, I have some concerns and wish
for your advice, help, and to understand what you did in this instance
of managing iTunes.

My concern is if all corporate users are to share a single instance of
iTunes on a public kiosk computer they will all be required to share
an iTunes account.  This will involve all users knowing the username
(an e-mail address) and password to the account.  The downfall in this
scenario is if a user wishes to purchase content through iTunes the
same content will be shared among all the users.  Further
investigation needs to be taken into whether this breaches Apple's acceptable
use policy.  There may also be implications if the user stores their
credit card information for the iTunes account.

A logical solution would be to assign an iTunes account to all users
on the kiosk.  Unfortunately this can cause similar complications to
the above.  All the purchased or downloaded content will be on the
iTunes library which other users will also be able to transfer to
their device (re. investigate acceptable use policy).  If an upgrade
to a purchased application is released and a user other than the
original purchaser wishes to upgrade the application they will be
required to enter in the iTunes account username and password of the
original purchaser.

Individuals will also rely on iTunes to create backups for their
device.  These backups must be encrypted, or another user could
restore their device using another user's backup, revealing private
information stored on their device.

If you know anything about the legal side, it would be great to
reference straight from Apple Policy, as I need to find something in
writing.

I have only found the below at this point in time.
* Your Account
** "As a registered user of the Service, you may establish an account
("Account"). Don't reveal your Account information to anyone else. You
are solely responsible for maintaining the confidentiality and
security of your Account and for all activities that occur on or
through your Account"

Thank you all for taking the time out to read my mail, and kudos for
those who help.

Mr. Lacanian
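
The backup concern raised above (a shared kiosk where one user could restore another user's unencrypted backup) can be checked rather than assumed. The script below is an added example and is not code from the original post or from Apple; it walks the iTunes backup directory on the kiosk and flags every device backup whose Manifest.plist does not carry the IsEncrypted flag. The default macOS backup path and the Manifest.plist keys used (IsEncrypted, Lockdown/DeviceName, Lockdown/ProductVersion) are assumptions about the iTunes backup layout, and the sample manifest is constructed inline so the script can be exercised offline.

```python
import os
import plistlib
from datetime import datetime

# Assumed default iTunes backup location on macOS (Windows keeps it under
# %APPDATA%\Apple Computer\MobileSync\Backup).
DEFAULT_BACKUP_ROOT = os.path.expanduser("~/Library/Application Support/MobileSync/Backup")


def build_sample_manifest(encrypted: bool, device_name: str) -> bytes:
    """Constructed sample Manifest.plist with the keys this audit relies on."""
    manifest = {
        "IsEncrypted": encrypted,                  # assumed key set by iTunes
        "Date": datetime(2010, 11, 17, 19, 54),    # constructed timestamp
        "Lockdown": {"DeviceName": device_name, "ProductVersion": "4.2"},
    }
    return plistlib.dumps(manifest)


def classify_manifest(data: bytes) -> dict:
    """Parse one Manifest.plist and report whether the backup is encrypted."""
    manifest = plistlib.loads(data)
    lockdown = manifest.get("Lockdown", {})
    return {
        "device": lockdown.get("DeviceName", "<unknown>"),
        "ios": lockdown.get("ProductVersion", "<unknown>"),
        # A missing flag is treated as unencrypted: fail closed for the audit.
        "encrypted": bool(manifest.get("IsEncrypted", False)),
    }


def audit_backup_root(root: str) -> list:
    """Return one record per <root>/<UDID>/Manifest.plist found under the kiosk's backup root."""
    findings = []
    for udid in sorted(os.listdir(root)):
        path = os.path.join(root, udid, "Manifest.plist")
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            record = classify_manifest(fh.read())
        record["udid"] = udid
        findings.append(record)
    return findings


if __name__ == "__main__":
    for rec in audit_backup_root(DEFAULT_BACKUP_ROOT):
        status = "OK " if rec["encrypted"] else "UNENCRYPTED"
        print(f"{status} {rec['udid']} {rec['device']} (iOS {rec['ios']})")
```

Any line reported as UNENCRYPTED is a backup that another kiosk user could restore onto their own device; the fix is to enable "Encrypt iPhone backup" in iTunes for that device before it is backed up again.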

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs
an SSL certificate.  We look at how SSL works, how it benefits your
company and how your customers can tell if a site is secure. You
will find out how to test, purchase, install and use a thawte
Digital Certificate on your Apache web server. Throughout, best
practices for set-up are highlighted to help you ensure efficient
ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------