September 15, 2009

Apple betrays the iPhone's business hopes

Apple’s fix of a security hole reveals a long-simmering flaw and makes many iPhones suddenly incompatible with Exchange

Fixing a major but unacknowledged bug in the operating system, last week's iPhone OS 3.1 update has rendered most iPhones and all iPod Touches incompatible with Exchange 2007 servers that require on-device data be encrypted, a standard safeguard used by businesses.

In other words, Apple has fundamentally betrayed its iPhone users and the businesses that have either explicitly or implicitly supported the device.


If you're like me, you probably ran the iPhone OS 3.1 update late Friday along with all the other Mac OS X updates. And perhaps, like me, you found your device no longer syncing to your company's Exchange 2007 Server. I, for one, assumed something had changed on the back end. After all, a dot-one update is a bug fix, so there shouldn't have been anything major to watch out for. But I learned Monday it was the update itself that was to blame.

My first reaction was, "Damn. Now I can't check e-mail or schedules when not at my desk. I wonder how long it will take for Apple to fix the issue." Our IT department is not about to relax its encryption requirement to deal with a change in Apple's OS. Why should it?

Then it sank in. The iPhone has been falsely reporting to Exchange servers since July 2008 that it supports on-device encryption.

The lie the iPhone has been telling

That's right. Thousands of users have been accessing e-mail, calendars, and contacts over Exchange connections through their iPhones or iPod Touches, not knowing they were compromising their corporate security. During that entire time, Apple has extolled its support of Exchange and convinced many businesses that the iPhone was a corporate-class device they should embrace or, at least, tolerate.

It also turns out that Apple had a similar issue -- with a similarly stealthy fix -- in its iPhone OS 3.0 update, which corrected misreporting about its VPN policy support.

How many businesses will revisit their iPhone support now that they know Apple shipped and promoted a product as fit for business only to later find that the device had a major security flaw? Apple clearly knew of the flaw at some point; otherwise, it would not have fixed it in the iPhone OS 3.1 update. Worse, how many users or businesses will trust Apple, now that they know it not only hid a major flaw from their attention but also slipstreamed a fix that broke compatibility with most of its devices?

Consider the implications for Mac OS X Snow Leopard, which now boasts the same Exchange support as the iPhone. As of the Mac OS X 10.6.1 update of last week, it still works with our encryption-requiring Exchange 2007 Server. But how does anyone know Snow Leopard won't have a similar breakdown in the future, if not for encryption then for something else?

I suspect that Apple has set back its enterprise cause several years, if not permanently.

Erich Schmidt 15-Sep-09 5:40am
1 reply
"I suspect that Apple has set back its enterprise cause several years, if not permanently." Do you really believe that? Really?
Galen Gruman 16-Sep-09 3:11pm
1 reply
I really do believe this iPhone situation has severely hurt Apple among larger corporations whose users have been begging for iPhone support, citing people like me saying that Apple has enough of the enterprise goods to at least be given a test shot. I've heard from many large organizations since the story ran saying this incident had shut down iPhone support in their organizations. It's not the bug per se that's the issue; it's how the bug was handled, with the fix quietly slipstreamed. That resulted in a flood of user calls to IT, often by execs, who then had to explain why they couldn't "fix" the problem and in fact that the problem meant that their iPhone users were now banned from accessing Exchange. In many of these organizations, regulations such as HIPAA and Sarbanes-Oxley and various state privacy notification laws require certain security policies be in place, such as on-device encryption. Some organizations may face fines for violating these policies (the fact that it was a bug not of their making doesn't free them from their certification-of-compliance statements, which many have to make to get government dollars). As an example, if someone lost an iPhone with personal data on it (Social Security numbers, medical records, home phone numbers) and the business had the Exchange policy requiring on-device encryption turned on, state laws exempt that business from having to notify everyone whose information might have been compromised (note the "might"). The laws say if the data is encrypted, it can be presumed safe even if the device is lost or stolen. But now IT knows the data was NOT encrypted, so you could easily argue (and lawyers will) that they must now go back and find out if any devices were lost or stolen, figure out who might have had personally identifiable information on them, and notify them. This is very costly, and you can bet your bottom dollar that it puts the question of continued iPhone support up in the air.
Had Apple warned people of this issue as soon as it was known, that would have made a huge difference. The issues above still apply, but IT can at least act about it quickly and limit future damage. Apple didn't give its users that courtesy, and worse caused their users a big headache. For the small business and individual user, I can see how this feels like a silly "IT control" issue. But it is huge in enterprises and government. This is why I was so strong in my article's presentation.
Gary54 19-Dec-09 10:47am
I think Apple had (has) a simple fix available they overlooked. Replace all the phones that can't meet the standard. The points you have made are all good ones. This is a case of false advertising and making claims for a device's abilities it did not have with the same end result of anyone making purchase decisions based on false advertising. For those people who need and rely on this mail service, they should supply the hardware which actually meets the stated abilities. All the silly and frivolous petty lawsuits which have been thrown Apple's way over the years, this is asking for a big one and a legit one. Every phone sold and used prior to 3.1 which accessed Exchange encrypted services compromised the security of the organization which used them. I have been an Apple user and advocate for years, but this was a "there is NO excuse for this" stupid blunder of major proportions that they should take equally serious measures to address.


©1994-2010 Infoworld, Inc.