
iPhone now as secure as BlackBerry, say tech chiefs

IT leaders and industry experts believe that Apple now roughly matches RIM on mobile security, removing BlackBerry's last remaining advantage over the iPhone in enterprise.

For a long time BlackBerry was the de facto choice for businesses looking for a secure mobile device.

But BlackBerry appears to be losing its security advantage over the iPhone in the eyes of IT leaders, and in doing so giving up its last remaining advantage over Apple handsets in enterprise.

Since the iPhone launched in 2007, Apple has been slowly increasing the security of iOS devices: adding 256-bit, hardware-based encryption for data stored on the device, widespread VPN support, and limits on the access each app has to files and hardware resources on the phone. That's in addition to its screening of all software on the app store and the centralised control provided by third-party mobile device management software.

And while BlackBerry 7.1 devices provide administrators with granular control over users via BlackBerry Enterprise Server, and corporate-grade security when it comes to the likes of encryption and password protection, it seems CIOs and industry experts believe Apple can now provide the security most corporates need.

John Turner, IT director at accountancy network BDO LLP, said that after years of being a BlackBerry shop he could no longer see any reason not to let his 2,500 staff use Apple iPhones at work.

"The differentiation in the corporate world used to be security, but that has been significantly eroded to the point where it's gone away now," said Turner at a roundtable event organised by disaster recovery specialist Sungard Availability Services.

"I've satisfied myself that Apple is there or thereabouts [when it comes to corporate security], I think that Apple have caught RIM up."

Not only has the security of iOS devices themselves increased, Turner said, but mobile device management (MDM) platforms are now sophisticated enough to handle unwanted behaviour, such as jailbreaking iPhones, and to allow administrators to manage multiple varieties of handset.

Staff at BDO can already access a variety of corporate systems through work-issue BlackBerrys. Once BDO has a new MDM platform in place - it finishes evaluating platforms this week - it will allow staff to access its systems through their own iPhones, as well as start issuing iPhones and iPads as corporate devices alongside BlackBerrys.

In Trend Micro's recent ranking of which smartphone handsets had security features best suited to enterprise, the Apple iPhone came out second, just behind BlackBerry.

Rik Ferguson, director of security research and communication for EMEA for Trend Micro, said: "Apple recognised long ago that having successfully reinvigorated the consumer smartphone market, they needed to make some big technological changes to really compete and gain acceptance in the enterprise space, and they have been steadily adding features over time."

As in many workplaces, demand from BDO staff to use their personal iPhones at work - the so-called BYOD trend - was a factor in driving Turner to reconsider corporate support for iOS devices.

"People are using iPhones and iPads in their personal lives and asking the question why can't we use them within the company," he said.

Ferguson predicted that BYOD will continue to drive uptake of iPhones into the workplace: "It should come as no surprise that Apple are finally taking on BBOS and RIM on their home turf, the release of iPhone 5 is expected to see a huge surge in handset sales and that can only lead to more consumerisation of enterprise handsets."

If RIM is to fight back against Apple's encroachment into the enterprise via BYOD, Ferguson said, then it really needs to provide a user experience that also appeals to the consumer with its forthcoming BlackBerry 10 OS.

"They already have the minds of the enterprise but they need to be aiming for the hearts of consumers, and that's a tall order."

A spokeswoman for RIM said the company was "unable to provide a comment".

About

Nick Heath is chief reporter for TechRepublic UK. He writes about the technology that IT-decision makers need to know about, and the latest happenings in the European tech scene.

13 comments
AllanMarcus

I've done pretty extensive research between RIM and Apple, and I'm an Apple fanboy, and Apple has a ways to go to catch up. There is no full device encryption for iOS, just Apple Data Protection, and very very few programs take advantage of that. You cannot restrict built-in apps, like Notes, from syncing to, say, Google. The granularity of controls on iOS just isn't nearly as robust as with RIM. That said, what phone do I use? iPhone. But I don't use an iPad for work as there is no way for me to edit a document and keep the document encrypted. Also, Apple's iOS isn't FIPS 140 validated (although that is in the works). Once it's validated, there are still precious few programs that take advantage of the encryption. Having to rely on end users to know what's encrypted and what isn't is NOT a good security model. Even worse, there's no way to tell what's encrypted and how; you have to just know.

Gisabun

One guy says the iPhone is better. The phone isn't even out. *IF* he has one, has it actually been tested in a normal environment? I can say the Surface tablet will be the best out there but I haven't tested it.

reddog03

Or perhaps the logical answer is to go with an industry leading mobile mail provider such as IBM who can provide you with secure and encrypted email at device level, IOS, BB, Android, Windows, all tablets.. with a consistent look and feel, and also provide complete Mobile Device Management so you can lock down your company's policy and remotely wipe all or only corporate data should a device become lost or stolen. No more security, policy or security worries.

Angryshortguy

MobileAdmin, I couldn't agree more. The employees (and execs) screaming for BYOD and better productivity are also the first ones to crucify the IT Security department when their data is corrupted or compromised. They want to know how someone could access the company data via their BYOD after you've told them this is a disaster waiting to happen. It's an unsecure device and infrastructure. Security is in place for a reason. Controls are in place for a reason. Once the genie is out of the bottle, all bets are off...

ManlyElectronics

So which iPhone5 features make it "now" more secure than iPhone4 and as "secure as BlackBerry"? This article does not reveal any.

MobileAdmin

The devil is in the details. Apple has released some nice API hooks for MDM solutions to leverage that can achieve similar restrictions as BES to Blackberry. But the overall security of iOS cannot match BB OS or likely BB10. I can hand an iPhone to our forensic group and within 30 mins or less they can get access to the device, pull all data off it, logs, cache etc. The iPhone takes a snapshot of the screen every few seconds to speed up the transition effect. Now if you deploy something like Good Technology (which more and more companies are doing) you could achieve the BES as Good uses AES, has FIPS, a NOC etc. This comes with a hefty price as Good is presently 3x the BES CAL cost. This does nothing to secure the larger issue. Apps. Users love them. They're going to want to put corporate data into all kinds of Apps which some use Apple data protection API, some don't. Unlike RIM you have no control over these Apps outside of shutting off AppStore. At the end of the day no employee wants a restricted iPhone any more than they wanted a restricted Blackberry. Especially if it's their own personal iPhone. Thus you'll see more and more companies only providing virtual access to company data via VM VDI, Citrix and similar. To me this totally negates the benefit of using iPhone. The more is layered on the "secure" iPhone the less appealing it is. Thus why we now have employees with a corporate iPhone and their own. BYOD is not about employee choice, it's really about employees not wanting to adhere to security and compliance controls. To them it gets in their way of being "productive", be damned those stupid regulations the company needs to follow. The other side is companies now see BYOD as a way to off load enterprise mobile expenses on the employee. It should be a win - win right? The more things change, the more they stay the same. Apple and Android are primarily a consumer based entertainment company. RIM was and remains an enterprise solution. Sure consumers embraced it as smartphone usage grew but it was more so a status symbol than being useful (though to this day I'm way more productive with a Blackberry).

Slayer_

They are clearly uninformed idiots.

rhonin

ROTFLMAO!!!! If this is the case, why has my company placed strict security policies on the device and limited what it can do (no Siri, limited iCloud, etc..), custom login screen passwords and other measures. Locked and watched to the point I refuse to use it as anything other than a company device. So yeah, they can get close with modification. btw; I am back to carrying two phones again. iPhone for work, GNexus for personal.

Tiger_Cane

They have not caught up with BB in my mind until they get FIPS140-2.

DWFields

Even with those supposedly tight controls, data gets stolen on a pretty regular basis anyway--even without bringing mobile devices into the equation. Considering many of the systems already on or available to iOS, it certainly is no worse than what's already in use. At least an iOS device can be wiped remotely--something that doesn't seem to be getting used on those laptops.

Nick Heath

The article doesn't state that the improvements stem only from the iPhone 5, rather that since the iPhone's launch in 2007 the addition of the security features listed in the third par have led to the perception among IT directors that the iPhone can match BlackBerry handsets for security. That perception that iPhone can provide good enough security for many workplaces is backed up by the assessment by the security vendor Trend Micro referenced in the article - see: http://www.trendmicro.es/media/wp/ent-readiness-mobile-platforms-whitepaper-en.pdf What IT directors think matters as they have sway over whether iPhones can be used to access work systems.

Angryshortguy

You can never be 100% bulletproof, but you don't want to open up more holes in your security because a user wants to play Angry Birds on their phone. A smart phone is for calls, emails, and texting. I love it when a user says they "need" an iPhone or Android phone to be more productive. Yet when I press them on HOW this would make them more productive, they stammer and can't come up with one reason. Coolness, comfort, and "because everyone else has one" are not valid reasons to add more avenues for breaches and data loss. That's the reason people don't like the IT Security department, but we do know what's best for the security of the company. It's our job to know, not a so-called computer expert working in accounting or engineering...

DWFields

Calendar access wherever they are--something a feature phone has difficulty with. Email is easier on a smart phone too--when you're away from the office. Also, other apps (not necessarily games) offer other advantages that could give that user an edge depending on their specific duties and tasks. Better if you think of a smart phone as a supplemental device to their computer than as just a communications device.