September 15, 2009

Apple betrays the iPhone's business hopes

Apple’s fix of a security hole reveals a long-simmering flaw and makes many iPhones suddenly incompatible with Exchange

Fixing a major but unacknowledged bug in the operating system, last week's iPhone OS 3.1 update has rendered most iPhones and all iPod Touches incompatible with Exchange 2007 servers whose ActiveSync policy requires that on-device data be encrypted, a standard safeguard used by businesses.

In other words, Apple has fundamentally betrayed its iPhone users and the businesses that have either explicitly or implicitly supported the device.


If you're like me, you probably ran the iPhone OS 3.1 update late Friday along with all the other Mac OS X updates. And perhaps, like me, you found your device no longer syncing to your company's Exchange 2007 server. I, for one, assumed something had changed on the back end. After all, a dot-one update is a bug-fix release, so there shouldn't have been anything major to watch out for. But I learned Monday that it was the update itself that was to blame.

My first reaction was, "Damn. Now I can't check e-mail or schedules when not at my desk. I wonder how long it will take for Apple to fix the issue." Our IT department is not about to relax its encryption requirement to deal with a change in Apple's OS. Why should it?

Then it sank in. Since July 2008, the iPhone has been falsely reporting to Exchange servers that it supports on-device encryption, which is the only reason servers that require encryption had been letting it sync at all.

The lie the iPhone has been telling

That's right. Thousands of users have been accessing e-mail, calendars, and contacts over Exchange connections through their iPhones or iPod Touches, not knowing they were compromising their corporate security. During that entire time, Apple has extolled its support of Exchange and convinced many businesses that the iPhone was a corporate-class device they should embrace or, at least, tolerate.

It also turns out that Apple had a similar issue -- with a similarly stealthy fix -- in its iPhone OS 3.0 update, which corrected misreporting about its VPN policy support.

How many businesses will revisit their iPhone support now that they know Apple shipped and promoted a product as fit for business, only for them to later find that the device had a major security flaw? Apple clearly knew of the flaw at some point; otherwise, it would not have fixed it in the iPhone OS 3.1 update. Worse, how many users or businesses will trust Apple, now that they know it not only hid a major flaw from their attention but also slipstreamed a fix that broke compatibility for most of its devices?
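The check an Exchange administrator would want after reading this is which mailboxes synced to a device that acknowledged the encryption policy on hardware that could not honor it, since the server only stores the client's own acknowledgement and has no independent proof that the device's data store is encrypted. The Python below is an added example written for this page; it is not Apple's, Microsoft's or the author's code. It assumes the column layout of a Get-ActiveSyncDeviceStatistics CSV export, the DeviceModel strings shown, the policy name Corp-RequireEncryption, and the hardware-capability map (the page names no models; the map reflects that in September 2009 the iPhone 3GS was the only iPhone OS device with hardware encryption). The sample rows are constructed.

```python
"""Audit Exchange ActiveSync device records for devices that acknowledged an
encryption-requiring policy while running on hardware that cannot encrypt.

Added example for this article; not code from Apple, Microsoft or InfoWorld.
Column names, model strings, and the policy name are assumptions."""
import csv
import io

# Assumed model-to-capability map. The article names no models; this map
# reflects that in September 2009 only the iPhone 3GS had hardware encryption.
# The "iPhone1C2" form is the DeviceModel string this example assumes the
# device reports over ActiveSync (the comma of "iPhone1,2" replaced by "C").
HARDWARE_ENCRYPTION = {
    "iPhone1C1": False,   # original iPhone
    "iPhone1C2": False,   # iPhone 3G
    "iPhone2C1": True,    # iPhone 3GS
    "iPod1C1": False,     # iPod touch, 1st generation
    "iPod2C1": False,     # iPod touch, 2nd generation
}

# Constructed sample in the assumed shape of a Get-ActiveSyncDeviceStatistics
# export. "frank" shows the post-3.1 behaviour: an iPhone 3G on iPhone OS 3.1
# no longer claims the policy, so the server stops it from syncing.
SAMPLE_CSV = """\
Mailbox,DeviceModel,DeviceOS,DevicePolicyApplied,DevicePolicyApplicationStatus
alice,iPhone1C2,iPhone OS 3.0,Corp-RequireEncryption,AppliedInFull
bob,iPhone2C1,iPhone OS 3.1,Corp-RequireEncryption,AppliedInFull
carol,iPod2C1,iPhone OS 3.0,Corp-RequireEncryption,AppliedInFull
dave,iPhone1C1,iPhone OS 2.2.1,Corp-RequireEncryption,AppliedInFull
erin,HTC Touch Pro,Windows Mobile 6.1,Corp-RequireEncryption,AppliedInFull
frank,iPhone1C2,iPhone OS 3.1,Corp-RequireEncryption,NotApplied
"""


def parse_records(text):
    """Parse a CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def audit(records, encryption_policies):
    """Classify every device that is under an encryption-requiring policy.

    DevicePolicyApplicationStatus is what the client told the server, not
    something the server measured. The audit therefore cross-checks that
    acknowledgement against what the hardware is known to be capable of:
      false_claim    - incapable hardware acknowledged the policy in full
      blocked_by_fix - device no longer acknowledges it (cut off after 3.1)
      unverified     - model not in the capability map; review by hand
      ok             - capable hardware acknowledged the policy
    """
    result = {"false_claim": [], "blocked_by_fix": [], "unverified": [], "ok": []}
    for r in records:
        if r["DevicePolicyApplied"] not in encryption_policies:
            continue  # not governed by an encryption policy; out of scope
        capable = HARDWARE_ENCRYPTION.get(r["DeviceModel"])  # None = unknown model
        if r["DevicePolicyApplicationStatus"] != "AppliedInFull":
            result["blocked_by_fix"].append(r["Mailbox"])
        elif capable is None:
            result["unverified"].append(r["Mailbox"])
        elif capable:
            result["ok"].append(r["Mailbox"])
        else:
            result["false_claim"].append(r["Mailbox"])
    return result


def false_claim_mailboxes(csv_text=SAMPLE_CSV, policies=("Corp-RequireEncryption",)):
    """Mailboxes whose data sat unencrypted on a device that claimed otherwise."""
    return audit(parse_records(csv_text), set(policies))["false_claim"]


if __name__ == "__main__":
    for bucket, boxes in audit(parse_records(SAMPLE_CSV), {"Corp-RequireEncryption"}).items():
        print(f"{bucket:15s} {', '.join(boxes) or '-'}")
```

The false_claim list is the starting point for the breach-notification question raised in the comments: those are the mailboxes whose contents were stored in clear on a device the server believed was encrypted. The unverified bucket exists because the map covers only Apple models; any other device's acknowledgement is just as unproven and deserves the same scrutiny.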

Consider the implications for Mac OS X Snow Leopard, which now boasts the same Exchange support as the iPhone. As of last week's Mac OS X 10.6.1 update, it still works with our encryption-requiring Exchange 2007 server. But how does anyone know Snow Leopard won't have a similar breakdown in the future, if not for encryption then for something else?

I suspect that Apple has set back its enterprise cause several years, if not permanently.

Erich Schmidt 15-Sep-09 5:40am
1 reply
"I suspect that Apple has set back its enterprise cause several years, if not permanently." Do you really believe that? Really?
Galen Gruman 16-Sep-09 3:11pm
I really do believe this iPhone situation has severely hurt Apple among larger corporations whose users have been begging for iPhone support, citing people like me saying that Apple has enough of the enterprise goods to at least be given a test shot. I've heard from many large organizations since the story ran saying this incident had shut down iPhone support in their organizations. It's not the bug per se that's the issue; it's how the bug was handled, with the fix quietly slipstreamed. That resulted in a flood of user calls to IT, often by execs, who then had to explain why they couldn't "fix" the problem and in fact that the problem meant that their iPhone users were now banned from accessing Exchange. In many of these organizations, regulations such as HIPAA and Sarbanes-Oxley and various state privacy-notification laws require certain security policies be in place, such as on-device encryption. Some organizations may face fines for violating these policies (the fact that it was a bug not of their making doesn't free them from their certification-of-compliance statements, which many have to make to get government dollars). As an example, if someone lost an iPhone with personal data on it (Social Security numbers, medical records, home phone numbers) and the business had the Exchange policy requiring on-device encryption turned on, state laws exempt that business from having to notify everyone whose information might have been compromised (note the "might"). The laws say if the data is encrypted, it can be presumed safe even if the device is lost or stolen. But now IT knows the data was NOT encrypted, so you could easily argue (and lawyers will) that they now must go back and find out if any devices were lost or stolen, figure out who might have had personally identifiable information on them, and notify them. This is very costly, and you can bet your bottom dollar that it puts the question of continued iPhone support up in the air.
Had Apple warned people of this issue as soon as it was known, that would have made a huge difference. The issues above still apply, but IT can at least act on it quickly and limit future damage. Apple didn't give its users that courtesy, and worse, caused their users a big headache. For the small business and individual user, I can see how this feels like a silly "IT control" issue. But it is huge in enterprises and government. This is why I was so strong in my article's presentation.
jpm2009 15-Sep-09 8:02am
2 replies
Let's try to rethink this. Exactly HOW is an iPhone insecure? You can lock it. You can't get the info off it without hacking... I think this is a bit overblown.


©1994-2009 Infoworld, Inc.