16 comments

[ 4.5 ms ] story [ 55.5 ms ] thread
None of the links in the article are useful. Does anyone know what this supposed API is (and, better yet, link to Apple's documentation on it)?
I cannot find anything on it, via Google or in the Apple documentation. I also talked to the authors of some of the recent jailbreaks today, and at least a few of them didn't know anything about this.
The MDM APIs are not public (at least, not to my extensive searching).
http://developer.apple.com/library/ios/ipad/#featuredarticle... states a way to allow a MDM server, "available from third-party solutions providers" to "ask the device to various queries". It also describes in detail what settings can be set (disable the camera, force VPN use, etc), but i cannot find what these queries can be.

If such an API existed I would say it is good that it has been removed, as asking a system 'hage you been compromised?' will not help you find out whether a system has been compromised.

Obviously it's pointless to trust a device to tell you if it can be trusted or not, but it's going to take a while for the enterprise market to figure this out. They want badly for it to be possible and there are plenty of huckster develpers out there to tell them what they want to hear.

What will make it especially hard to accept is that they've had nothing but BlackBerries for a good decade now and that platform can more or less be trusted, but only because it's never been rooted. And the only reason it's never been rooted is because nobody really cares.

Really, I think IT will just have to adapt to the idea that a smartphone is a personal device and can only be trusted as much as its user, and it lives outside the firewall. It's probably for the best anyway because phones are very personal and I would find it creepy to carry one around that was controlled by my employer.

can more or less be trusted, but only because it's never been rooted

Actually, I'd assume that there are a few Blackberries are rooted and have rootkits on them. That's just too useful to not exploit. Someone doing industrial espionage or law enforcement has probably already done this.

"Jailbroken devices pose a serious security threat to the enterprise. Even if the end user doesn't intend to load malware, he will be completely unaware of malware present in unauthorized apps."

This implies that the walled garden, by definition, is more secure. Non sequitur. One could argue that the opposite is true:

1) The walled garden is implicitly trusted. This naturally will mean many companies assuming that the applications which Apple approves need no further security review. Apples review is demonstrably far from perfect. One might even call it arbitrary.

2) If companies could create their own "app store" with only reviewed apps, this would be much more secure than Apple's walled garden. This is possible on a jailbroken device with a customized system image.

You can't customize the "system image", but you can certainly write an application that removes the official App Store and only allows installation from the custom "store".
I can’t disagree with you enough. Taking the standard meaning of “jailbroken”, your examples don’t actually work. The whole point is, you don’t just install “trusted” apps from any source, be it the App Store or your hypothetical corporate whitelist, to a jailbroken iPhone. It is a security problem for an enterprise.

A jailbroken iPhone poses a risk in much the same way a Windows PC poses a risk — that’s why IT forces everyone to run McAfee. Jailbroken phones will also need malware detection!

I bet most of the enterprises that are concerned about jailbroken iOS devices being a threat to their security are the enterprises that force IE6 and its security panacea upon their employees.
I happen to work for a company looking at iPads. I can tell you there is concern about jailbroken devices. My team and the art department uses macs and everyone else uses pcs with up to date copies of XP with IE8 and Firefox. Firefox is the recommended browser for internal use.
However, for those who still use the original iPhone, jailbreaking is the /only/ way to avoid a remote, browser-initiated, publicly available vulnerability. :(
I've always figured that Apple is lazy about fixing holes with jailbreaking their devices because it's the best way to unofficially support devs and development.

For example, if you want to do any sort of real automated app black box testing for QA purposes, you really have jailbreak your phone.