Sophos


iPhone vs BlackBerry

A mobile device comparison

iPhone* vs. BlackBerry**

The BlackBerry has been favored over other smartphones for corporate use for a number of reasons. However, in today’s workplace, enterprises are adopting iPhones at a rapid pace, because of a push by employees who want to use them in both their personal and professional life.

Yes, there will always be great debate over which mobile device is superior from a usability standpoint. But when it comes to security, which device is best suited for the enterprise?

Mobile device comparison

BlackBerry®:

  • Robust management ecosystem: The significant differentiator in security is the management flexibility that the BlackBerry provides. The BlackBerry Enterprise Server® provides rich controls that allow scalable management for thousands of users.
  • Application policies: Administrators can define precise policies to control which applications can be downloaded to and run on the device. The security model allows administrators to translate and enforce acceptable use policies.
  • Transport security: The BlackBerry uses a secure and encrypted connection back to the enterprise that enables it to access corporate resources. This transparent VPN connection allows accessibility without exposing resources to the cloud.
  • Device/data encryption security: The BlackBerry has robust encryption and data security built in. Policies can be centrally defined. This ensures web traffic passes through scanning proxies and the device itself is kept very secure with very strong data encryption.
  • Remote wipe/restore: If a device is lost, it can be remotely disabled and its data removed very quickly. Moreover, new devices can be provisioned with a complete copy of the original data, policies and applications.

Research In Motion (RIM) provides the right tools for secure mobile computing; they just need to be configured. In particular, take advantage of the device's configuration capabilities to lock down the methods by which software can be installed. The recent spyware distributed by Etisalat is an example of the increasing focus on mobile devices. RIM has produced a white paper that thoroughly explains how to lock down the device to control applications and prevent such threats.

iPhone:

  • Lack of central policies: Unlike the BlackBerry, the iPhone does not have rich central management. A simple portal is provided to allow device location (using the built-in GPS) and remote wipe, which works reasonably well compared to earlier versions, where a wipe took many hours to complete. Unfortunately, there are no controls over allowed applications, configuration or security. Users must set up their own configuration (and Apple makes this very easy), but this doesn’t mean that secure protocols are necessarily used.
  • Too much user privilege: The iPhone essentially gives every user administrator capabilities. They can install any application or change any of the configuration. While this delivers user satisfaction, it is a security nightmare: it pushes the security policy onto the user, with a severe dependence on education.
  • Exposure to the cloud: While the BlackBerry provides seamless and secure access to corporate resources within the perimeter, the iPhone requires those resources to be exposed to the internet. Smaller businesses, or those embracing cloud-exposed mail systems or corporate resources, will find the device easy to configure. Those with internal systems under controlled exposure may find the iPhone requires them to break their security model or to have users VPN in to access resources. This can degrade the usability of the solution, but it is key to avoiding the exposure of sensitive data in a cloud where the security model is still not broadly defined.

*iPhone is a registered trademark of Apple Inc. Copyright © 2009 Apple Inc.

**BlackBerry is a registered trademark of Research In Motion. Copyright © 2009 Research In Motion Limited.

So you have an iPhone?
What to do to ensure secure use:

1. Education — Users need to know the risks of the web or vectors of data loss on the device as there are insufficient policy controls to technically enforce the acceptable use policies. Two examples of these shortfalls are:

  • Web proxies: While BlackBerry devices provide a proxy path and route through a central server, iPhone users have to set proxy details on a per-connection basis. Because of this, users will likely browse directly to a variety of insecure or inappropriate sites.
  • Patching: There have been a few Apple vulnerabilities recently (such as the Apple SMS vulnerability). In most cases, iPhone users have to synchronize via iTunes to receive a patch. Unfortunately, with unlimited data packages and readily available Wi-Fi, users do not sync with iTunes on a regular basis. While this untethered life is liberating, users must understand the significant risks of not patching and must be prudent in applying patches.

2. Encryption — With the release of the 3GS, the iPhone includes hardware encryption. iPhone encryption is absolutely worth using for compliance, but do not expect it to hold up against a determined attacker. For example, according to recent analyses this encryption can be trivially disabled by 'claiming to be iTunes'. Users with legacy iPhones should take extra precautions, as encryption is not offered on those models.

3. Acceptable use policies — Aside from the standard practices in your corporate acceptable use policies, ensure you:

  • Set defined intervals for users to check for and apply patches.
  • Carefully check how users handle corporate data (scan content at the gateway). Data loss can occur when email is forwarded with little policy distinction between internal and external recipients.
  • Ensure a complex PIN (e.g. NOT 0000) is set and the device is set to lock automatically.
  • Provide a VPN connection (ideally with two-factor authentication) back to sensitive corporate resources if mobile access is required; do not fall into the trap of exposing such assets to the internet with basic authentication.
