

Apple betrays the iPhone's business hopes - trezor
http://tech.yahoo.com/news/infoworld/20090915/tc_infoworld/91723

======
jasongullickson
_"But how does anyone know Snow Leopard won't have a similar breakdown in the
future, if not for encryption then for something else?"_

Given that the limitation (the ability to handle on-device encryption) only
affects pre-3GS phones I would guess that it's a performance thing and
therefore not an issue on the desktop.

This article is very hard to follow in that the author will reverse position
each paragraph, in one condemning Apple for releasing something that is not
secure and in the next complaining when non-secure functionality is
eliminated.

The Palm Pre is mentioned as an alternative but no evidence is given to
indicate the same problem doesn't exist on that platform as well, and it would
be interesting to know if other remote-exchange-access devices (webmail,
blackberry, etc.) provide client or device-side encryption of local files.

~~~
pyre
> _This article is very hard to follow in that the author will reverse
> position each paragraph, in one condemning Apple for releasing something
> that is not secure and in the next complaining when non-secure functionality
> is eliminated._

He's saying that Apple betrayed trust by implementing a secure feature
insecurely (while claiming that it was working correctly) and when they
decided to actually do something about it, they just quietly pulled out the
rug from under their users. There was no Apple announcement or apology. Just a
checklist item buried deep in a list of changes in an OS update. That's why
he says 'double betrayal.'

~~~
jasongullickson
Did Apple explicitly claim that they were encrypting the stored files?

~~~
tvon
It sounds like the iPhone was telling the Exchange servers on the protocol
level that it supported encryption. That's what I'm getting from this article
anyway.

~~~
jasongullickson
I fear we're both working from second (or third)-hand information here and
it's time to do some homework to find out the truth, but let me add this one
thought.

This may sound like a stretch, and Apple themselves have decided that it's not
sufficient, but while the files themselves may not be encrypted the filesystem
of the iPhone itself is protected from all but deliberate (and possibly
illegal) fiddling by third-parties. In this way it's not completely dishonest
for the iPhone's exchange client to report to the Exchange server that the
local files are secured.

Like I said it's a stretch, but perhaps the original implementation wasn't
pure malice/ignorance on Apple's part.

------
numair
This is actually a pretty major credibility issue within the enterprise space,
and one that Apple should move to address quickly. (Not that I think they'll
do that, since they are busy selling videogames...)

~~~
culturestate
In all honesty, everyone in corporate IT knew damn well that iPhones did not
support hardware encryption until the 3GS. Why do you think Schiller made such
a big deal out of it during the keynote ("The #1 request from business users
has been hardware encryption..." or something like that)?

This is yet one more in a string of under-researched, hysterical articles from
InfoWorld that are making that magazine the tech equivalent of US! Weekly.

~~~
kwantam
You're not disagreeing with what the article said. The article claimed
(rightly or not, I cannot comment) that the iPhone software claimed to the
Exchange server that it did support encryption, then just didn't encrypt
anything.

I don't believe for a second that "everyone in corporate IT" knew this and yet
allowed their users to connect with iPhones and endanger the security of the
network.

Again, I don't know that the article's claims are accurate, but your comment
clearly does not clash with the aforementioned claims.

~~~
DrJokepu
As a Microsoft fanboy it's hard for me to acknowledge this, but I think there
is a bit of a problem here on Exchange's side as well. If I understand
correctly, it asks the device if it supports on-device encryption of data and
then trusts that the device tells the truth. I think the problem with this
approach is that the security of the network is no longer in the hands of the
network's administrators, even though they might have reason to believe so
since they have set up Exchange to enforce on-device encryption, even though it
can't possibly enforce that in all cases, and as the iPhone example has shown,
this is not just a theoretical problem.

~~~
dkarl
It prevents honest mistakes. Here, somebody wasn't honest. I wonder what will
happen to the guy at Apple who made the decision to set the "Yes, we're
encrypted!" bit. (Probably he'll be forced to fire whoever he issued the order
to. Poor guy!)

~~~
Kaizyn
Why? Apple will just fix the bug or have their sales reps say they're sorry
and fix the bug. End of story.

------
jsz0
"How many businesses will revisit their iPhone support now that they know
Apple shipped and promoted a product as fit for business only to later find
that the device had a major security flaw?"

Probably not many. Many products, including ones never patched without a paid
upgrade, have had known security flaws. Including products like Windows,
Exchange and Office. Hasn't stopped their acceptance as industry standard
tools, has it? In terms of how it affects the iPhone enterprise user base we
should consider a couple facts:

iPhone OS 3.0 was released at the same time as the iPhone 3GS hardware (June
19th 2009)

iPhone OS 2.x did not support Exchange.

So I think you can make a reasonable case that before June 19th 2009 very few
of these encryption-required companies were buying iPhones since they simply
didn't support Exchange. Post June 19th 2009 how many companies were buying
non-GS models? We could further sub-divide this based on the discovery of the
encryption loophole which you would hope any of these encryption-required
companies were aware of. So by my crude calculations I think there is probably
a month period where companies may have been buying non-GS iPhones with an
expectation of pure encryption-required support.

~~~
trezor
_iPhone OS 2.x did not support Exchange. So I think you can make a reasonable
case that before June 19th 2009 very few of these encryption-required
companies were buying iPhones since they simply didn't support Exchange._

This is factually incorrect. I've been using the Exchange integration on the
iPhone since fall 2008.

Granted, as this article shows, Apple has been reporting false information to
Exchange, but the Exchange support has been there.

------
mildweed
Not to mention the tethering loophole is gone in 3.1 too.

~~~
eelco
Still works fine here.

------
skwiddor

        echo "here's your problem" | {
            apple
            exchange
        }
    

hmm

------
pmorici
Why does Microsoft even include a client encryption check at all? Shouldn't it
be up to the businesses buying these end user devices to check how the data is
being stored?

This is like the "don't copy" bit for DRM: if you don't follow it, it doesn't
matter. Apple never said their device supported on device encryption that I
heard, so why are all of these businesses suddenly surprised?

~~~
StrawberryFrog
_Apple never said their device supported on device encryption_

Actually, their software made exactly that claim, and falsely, if I read the
article correctly.

~~~
pmorici
Maybe it's a trickery of language. Apple said they "supported Exchange" so you
could read your email. There was never any claim they supported encryption on
the client. Maybe a lot of businesses _assumed_ they did.

~~~
rdrimmie
If the article is accurate, then the device itself claimed that it supported
on-device encryption when it communicated with Exchange.

I don't know about the marketing materials, but for the past year, the
software itself has made the claim.

~~~
pmorici
Well yeah, but does that really _mean_ anything? The Palm Pre 'claims' to be an
iPod so it can work with iTunes. Is anyone saying Palm is engaging in false
marketing because of that?

~~~
StrawberryFrog
_Is anyone saying Palm is engaging in false marketing because of that_

Why bring marketing into it?

 _Well yeah, but does that really mean anything?_

All that phrase says to me is "you're technically right, but I'm going to
adjust my value system until it doesn't matter to me"

e.g:

Person 1: You said you'd love me forever!

Person 2: Well yeah, but does that really mean anything?

~~~
pmorici
Because the author of the article implies that Apple lied in its marketing of
the iPhone because it didn't actually support encryption. There are two issues
here that the article mixes.

1) What Apple says the phone supported via product literature, aka marketing.

2) What the iPhone software does to implement exchange support.

Misrepresenting #1 is a crime that the FTC or some government body could fine
them for. #2, on the other hand, companies do all of the time to make their
devices work with proprietary software. This article is implying a marketing
lie while describing what is a software compatibility hack or perhaps an
honest bug. Either way saying "I simply can't count on Apple to do the right
thing." is way melodramatic.

