[ISN] The other iPhone lie: VPN policy support

From: InfoSec News <alerts_at_private>
Date: Wed, 16 Sep 2009 00:32:11 -0500 (CDT)
http://www.infoworld.com/d/mobilize/other-iphone-lie-vpn-policy-support-865

By Galen Gruman 
InfoWorld
September 15, 2009

It turns out that Apple's iPhone 3.1 OS fix of a serious security issue 
-- falsely reporting to Exchange servers that pre-3G S iPhones and iPod 
Touches had on-device encryption -- wasn't the first such policy 
falsehood that Apple has quietly fixed in an OS upgrade. It fixed a 
similar lie in its June iPhone OS 3.0 update. Before that update, the 
iPhone falsely reported its adherence to VPN policies, specifically 
those that confirm the device is not saving the VPN password (so users 
are forced to enter it manually). Until the iPhone 3.0 OS update, users 
could save VPN passwords on their Apple devices, yet the iPhone OS would 
report to the VPN server that the passwords were not being saved.

The iPhones' false reporting of their adherence to Exchange and VPN 
policies has caused some organizations to revoke or suspend plans for 
iPhone support, several readers who did not want their names or 
agencies identified told InfoWorld. One reader at a large government 
agency describes the IT leader there as "being bitten by the change," 
after taking a risk to support the popular devices. "I guess we will all 
have to start distrusting Apple," said another reader at a different 
agency.

Last week's iPhone OS 3.1 update began correctly reporting the on-device 
encryption and VPN password-saving status when queried by Exchange and 
VPN policy servers, which made thousands of iPhones noncompliant with 
those policies and thus blocked from their networks. (Only the new 
iPhone 3G S has on-device encryption.) Apple's document on the iPhone OS 
3.1 update's security changes neglected to mention this fix, catching 
users and IT administrators off-guard. Worse, it revealed that Apple's 
iconic devices have been unknowingly violating such policies for more 
than a year.

[...]


Received on Tue Sep 15 2009 - 22:32:11 PDT