iPhone insecurity may be a hot topic but at least one analyst says concerns about the device have been overblown.
"I think it has been exaggerated," said Andrew Jaquith, security analyst with the Yankee Group. "You have to start with the observation that many of the people that complain the loudest and say it's a security threat tend to be security companies themselves."
Andrew Storms of vulnerability management software maker nCircle was one of the first, pronouncing the iPhone "our new security nightmare" before the device was even released.
Gartner analyst Ken Dulaney told IT executives to keep Apple's iPhone away from their networks, eight days before the iPhone hit store shelves.
Jaquith said that security criticisms of the iPhone fall into two categories - that it is not enterprise-ready and that it is insecure. Both of these claims, he said, are exaggerated.
While IT managers may not want to officially support the phone, it will make its way into the enterprise through employees whether IT likes it or not.
"There are reasons not to support the iPhone - you don't want to support IMAP or the flavour of VPN that the iPhone uses - those are policy decisions," said Jaquith. "Security is not the reason."
One argument researchers make against the iPhone is that it has no data security features. Jaquith counters that the iPhone supports SSL and TLS, and that there is little sensitive data on the iPhone that needs to be encrypted.
The Yankee Group also contends that any ports that must be opened for email connections not going through a VPN can be placed on non-standard ports, minimising risk.
Gartner's Dulaney pointed out that the iPhone has no remote wipe (the ability to erase the phone's data if it is lost) and no firewall. Again Jaquith said this doesn't matter, given the type of data the iPhone holds and because none of the iPhone's processes require open TCP/IP ports.
"By contrast, according to Symantec's Ollie Whitehouse, Windows Mobile listens on four ports: 137 and 138 (NetBIOS), 1034 (ActiveSync notifications) and 2948 (WAP push)," said Jaquith. "This does not mean that Windows Mobile is necessarily insecure; it just means that the assumptions underlying the firewall critique do not hold in the case of the iPhone."
In addition, all custom applications that run on the iPhone are web-based, and users do not have access to the underlying file system.
While Jaquith feels analysts have exaggerated security concerns about the iPhone, he would like to see Apple deliver software patches over the air and expand keychain and identity support.
As for enterprises, Jaquith has a few recommendations for them as well: turn on IMAP-S (IMAP over SSL/TLS), use L2TP over IPsec for the VPN, and use non-standard ports.
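One way to apply the IMAP-S recommendation on the mail server side, as an added example that is not from the article or from Jaquith: the fragment below assumes a Dovecot 2.x server (the article names no mail server), and the certificate and key paths are hypothetical. It disables the plaintext IMAP listener entirely, refuses password authentication over any unencrypted connection, and leaves only the TLS listener. Moving that listener to a non-standard port, as the article suggests, would mean changing the `993` below; note that this only makes the service harder to find, and it is the TLS requirement, not the port number, that protects the credentials and mail in transit.

```conf
# conf.d/10-ssl.conf: every IMAP session must be protected by TLS
ssl = required
# hypothetical certificate and key paths; the leading '<' tells Dovecot to read the file
ssl_cert = </etc/dovecot/certs/mail.example.com.pem
ssl_key = </etc/dovecot/private/mail.example.com.key

# conf.d/10-auth.conf: never accept a password over a plaintext connection
disable_plaintext_auth = yes

# conf.d/10-master.conf: port = 0 turns the plaintext IMAP listener off,
# so only the implicit-TLS (IMAPS) listener remains
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
```

After reloading Dovecot, a quick check is that a plain connection to port 143 is refused and that an `openssl s_client -connect mail.example.com:993` session is greeted with the IMAP banner only after the TLS handshake completes.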
"Security worries about the iPhone are overblown," said Jaquith. "To boost employee productivity, enterprises would be better served thinking about how to accommodate the iPhone. It's the best phone and iPod I've ever used."