Tip: Securing iPhone E-mail

By Kenneth van Wyk

May 11, 2009

Kenneth van Wyck addresses some of the Wi-Fi-related e-mail security concerns iPhone users face.

I upgraded last month from Windows 1.0 to Apple’s OS X. OK, I didn’t really, but it sure felt like I did. Transitioning from a BlackBerry 8800 to an iPhone 3G felt a big of a leap forward, from a user interface perspective.

But what about the security of my information?

All right, it’s no secret I’ve become an ardent Apple supporter—some might even say “fanboy.” But let’s get past that and take a real look at just how secure this iPhone gizmo is.

My reasons for going through all the hassle associated with switching mobile phone carriers are varied, and I’m completely happy with the choice I made.

But I’m also not so blinded by this game-changing device that I was willing to sacrifice security to use it. During the transition, I was very aware of security issues and I always looked into what security choices I could make.

Let’s explore some of those a bit here. But first, let’s look at some of the bigger security exposures from using the iPhone.

Risky business

From a stand-alone sense, many of the security issues are similar to what BlackBerry owners and administrators face daily. You’re probably concerned with locking down the device itself, along with its data, in case you lose it or the phone gets physically stolen, for example.

That is, you’re concerned about the sensitive data that sits at rest on your device. That’s a fair concern.

Next, you’re probably concerned about your sensitive data in transit between the device and the server-side applications you’re using. Again, a very fair concern. You certainly don’t want to fall prey to what I call a “coffee shop attack” where an attacker with a Wi-Fi network sniffer captures your sensitive data, such as login credentials, documents, e-mails, etc.

For much mobile business data—e-mail, calendars, contacts, and such—there are three modes of connections that are common for iPhones.

You can tether the device to an enterprise e-mail server, such as a Microsoft Exchange server. You can use Apple’s own MobileMe service to deliver and synchronize the data. Or, you can simply run the iPhone as a “stand-alone” mobile device, where you synchronize your data with a regular Windows or Mac computer via a USB cable.

Most enterprise users will use a Virtual Private Network (VPN) to connect their iPhones to their corporate networks, and from there to their company’s Exchange server. That combination goes a long way to protecting sensitive company data in transit between the iPhone and the company’s infrastructure. It pretty much makes you immune to the coffee shop attack, for example, since all the data in transit is likely to be encrypted via the IPsec-compatible VPN.

Similarly, from what I can gather, connections to MobileMe are encrypted to protect the sensitive data in transit. By default, for example, incoming e-mails are encrypted using SSL between MobileMe’s e-mail servers and the iPhone.

But if you’re not using Exchange or MobileMe, e-mail is a little different.

Say, for example, you’re using your standard ISP for e-mail via IMAP or POP3, and SMTP for outgoing messages. There are definitely some things you need to consider for securing those connections so your sensitive data can’t easily be captured while it’s in transit.

Many ISPs, for example, support SSL-encrypted e-mail connections via IMAPS, POP3S, and SMTPS. If your ISP supports these, use them!

Sure, Internet e-mail isn’t private by even the wildest stretch of imagination. But with IMAP, POP3, and authenticated SMTP, it’s quite likely that your login credentials are being sent to the remote server during each transaction. Although there are plenty of other options for protecting those credentials from disclosure in transit, SSL is quick and simple.

There’s good news on this front, though. If your Mac e-mail is already set up with secure e-mail settings like I’ve described, your iPhone will automatically get those same settings the first time you set it up via an iTunes synchronization.

Nonetheless, spend the time to step through the iPhone’s e-mail settings and verify this is the case. It’s no guarantee, but it will provide pretty good protection against that coffee shop attack.

More resources:

Article adapted from Datamation. 



Comment and Contribute
(Maximum characters: 1200). You have
characters left.