Securing your iPhone 2.0
The iPhone 2.0 software update released earlier this month offers some dramatic improvements from earlier versions in security management for corporate users. But even these welcome changes aren’t enough to make the iPhone seamlessly secure.
A year ago, I criticized a number of design and interface decisions Apple made with the original iPhone that increased the difficulty in creating secure network connections, and keeping your data free from prying eyes when using unsecured networks, like free and commercial Wi-Fi hotspots. The 2.0 software has a number of gaps, but it’s increased the ease with which you can take steps to secure your data. However, Apple still needs to open its arms to network security clients, to meet what enterprises (and many individuals) demand from a secure mobile device.
This isn’t to say that other devices exceed where Apple is at; rather, Apple is uniquely positioned to provide desktop operating system levels of security in the iPhone.
Reviewing the original vulnerabilities
Much of the iPhone’s original set of security problems stem from the device’s willingness to let you connect to any open access point that you pass by. That’s still a problem. As of this writing, AT&T hasn’t yet opened up its Wi-Fi network to iPhone users—although the service provider has let it slip that free access is apparently coming, with the latest false start occurring on Friday. But when AT&T opens its U.S. network to iPhone users, there’s still no security beyond means you take into your own hands.
AT&T doesn’t include corporate-grade secure connections at its hotspots as an option. In contrast, competitor T-Mobile has offered that option for four years. The iPhone now supports this kind of connection, and it could be a trivial way to render your network activities impenetrable to other hotspot users. (The option is 802.1X, explained below, and found nearly universally in enterprise networks in medium-to-large corporations.)
You must still maintain vigilance in connecting to Wi-Fi networks that you don’t know about. That’s why I continue to recommend, that iPhone users (and all laptops users) connect with a virtual private network (VPN). A VPN creates an encrypted connection between a device, like an iPhone and a remote VPN server. Any snooper who intercepts this data on a hotspot network sees just scrambled nonsense that, with current technology, can’t be turned back into sense by anyone except by the parties on both ends. (802.1X encrypts the connection between a computer or mobile device and the Wi-Fi gateway; a VPN encrypts the connection through the gateway all the way to a network endpoint somewhere far away.)
The iPhone now supports three types of VPN connections, up from two in the 1.x firmware, and several services provide a VPN for a monthly fee. WiTopia.net may be the best option for iPhone owners. It charges $40 per year for its VPN service, which requires the installation on a desktop or laptop computer of a VPN client that uses SSL, which is not available on the iPhone yet. However, WiTopia throws in a free PPTP connection for the iPhone, which is one of the supported types.
Other ways of securing your traffic have improved, though. If your ISP’s secured SSL mail server uses an unusual port (the equivalent of a numbered cubbyhole at an IP address at which certain kinds of traffic are expected), you can avoid a workaround to enter that port.
In Settings -> Mail, Contacts, Calendars -> mail account -> Advanced, you can enter a port for retrieving e-mail. Likewise in your mail account, select SMTP and choose a mail server, and you can enter a special port in the Server Port setting. This goes a long way towards dealing with anything unique your ISP may have used.
Better security through VPN profiles, WPA/WPA2 enterprise
In two areas, Apple has made it much easier to maintain secure communications and join secure networks. You can set up multiple VPN profiles, each with unique information. Also, an average user can join a network secured with WPA/WPA2 Enterprise, a method of requiring a unique login to a Wi-Fi (or Ethernet) network by each user.
The VPN improvements are notable, because for folks who require two or more VPNs for their job—which can include a personal one on the road and a corporate one in the office—they simply couldn’t make iPhone 1.x work for them. The original firmware series offered PPTP (Point to Point Tunneling Protocol) and L2TP (Layer 2 Tunneling Protocol, which is paired with IPsec or Internet Protocol Security as L2TP over IPsec). But you could only set up one connection for each type. If your work or life required two L2TP connections, you were out of luck.
In iPhone 2.0, you navigate to Settings -> General -> Network -> VPN, where you click tap Add VPN Configuration to get started. The Add Configuration dialog allows you to choose among L2TP, PPTP, and IPsec, the last of which is Cisco’s particular flavor of IPsec.
If you choose L2TP, for instance, you enter a description that’s displayed in the main VPN setting page, the VPN server’s host name, and your account name. Some VPN servers require just a password; others use two-factor authentication, where you also enter a code that appears on an RSA SecurID token generator that you carry with you. If your corporation requires that, you turn on the SecureID switch. If a password is required, you can choose to either enter it in the setup and the iPhone will automatically use it; leave the field blank, and the iPhone prompts you each time you connect to the VPN. L2TP connections require a shared secret that a system administrator would give you. Selecting Send All Traffic allows the iPhone to encrypt all connections, the recommended choice.
Tap Save, and the profile appears in the VPN setting screen. Tap the profile to select it as your default.
You can enable your VPN through the On/Off switch on the VPN setting screen; that switch is also found on the main Settings screen below the Airplane Mode and Wi-Fi if you have just a single profile. If you have multiple profiles, you’ll see the message Not Connected which, when tapped, takes you to the VPN setting screen.
Since an iPhone might switch among Wi-Fi, 2G, and (for new models,) 3G, VPN connections still lack a critical element for roaming users—continuity. Several firms make software that allows mobile devices to maintain a continuous stable IP address, and use some acceptable network trickery that relies on simple client network software on the mobile device and a remote server to keep a connection constant even as it switches among network types. I saw this demonstrated as long ago as 2003.
Apple hasn’t invested in such a technique, nor has AT&T, and as noted above, a third party couldn’t simply write the missing piece. It’s a gaping hole, because a VPN, once activated, shouldn’t need to be managed by users until they decide to turn it off. With the iPhone, the VPN fails whenever a network transition happens, and it must be turned off and back on manually.
Setting up a basic WPA/WPA2 Enterprise connection is far simpler. This connection method is a form of 802.1X, which is called a port-based access control protocol. In plain English, 802.1X lets you connect to a Wi-Fi access point without gaining access to the network to which that access point is itself connected until you prove your identity. Once you prove yourself, the network assigns you a unique set of encryption key material (which is broken down into all the various keys your Wi-Fi adapter needs). No two users on an 802.1X network can snoop on each other’s traffic, making it more secure as well.
Apple chose wisely to offer support for modern 802.1X, which is called WPA Enterprise or WPA2 Enterprise. The older WEP (Wired Equivalent Privacy) encryption standard is broken, and few companies rely on it in combination with 802.1X. Rather, they use WPA (Wi-Fi Protected Access) or WPA2. WPA has one strong encryption key standard built in; WPA2 has a government-grade option as well.
To set up a WPA/WPA2 connection, you need to be trying to connect to such a network, or set up a network yourself. Software from Periodik Labs is an affordable way for a smaller company to add WPA/WPA Enterprise service, and it works with nearly any consumer or business Wi-Fi router.
The iPhone has its basic WPA/WPA2 Enterprise connection settings alongside normal Wi-Fi network connection tools. Tap Settings from the Home screen, and then tap Wi-Fi. Either select a network protected in this way from the list of networks that appears, or tap Other to create a network profile.
The iPhone should recognize when you’re connected to a network protected by 802.1X, and provide you the right fields. If you tap Other, you enter the network’s name in the Name field, and tap the Security field to select WPA Enterprise or WPA2 Enterprise. You then tap Other Networks at the top left to return to the profile setup. With either of those options selected, a Username and Password field appear in which you enter your 802.1X login information.
Now many corporate networks may require more security than is offered for an 802.1X login in this screen. This has puzzled some early iPhone 2.0 users, because Apple promised more elaborate 802.1X support and doesn’t show that support here. For that, you need to step up to iPhone Configuration Utility, a free program from Apple that includes the extra options, as well as providing tools for mass configuration of iPhones in an enterprise.
Creating an iPhone configure profile
Download the iPhone Configuration Utility, which requires OS X 10.5. There are Web 2.0 applications for Windows XP/Vista and OS X 10.5 as well that have a slightly smaller feature set.
The utility lets you create profiles for iPhones that include all the salient details for network connections for e-mail and Microsoft Exchange, device security (such as requiring a passcode and setting passcode policies), and network security profiles for Wi-Fi and VPN connections. The program also lets you distribute digital certificates, widely used in corporations to make sure that devices only connect to legitimate networked systems—a key factor in securing 802.1X connections. (iPhone Configuration Utility also handles the tasks involved in distributing iPhone applications developed for in-house use.)
The Wi-Fi tab contains all the details necessary to distribute profiles for any kind of secured or unsecured Wi-Fi network. A slightly subtle set of plus and minus buttons at right (below the row of configuration tabs) lets you add and remove Wi-Fi profiles.
Enterprises use certificates to confirm the authenticity of their 802.1X authentication servers. Before you start configuring the Wi-Fi connection, you might want to gather any certificates used on the network, click the Credentials tab, and select those certificates. This makes them available to other parts of the configuration profile.
Now follow these steps:
- Click the Wi-Fi tab.
- Click the Configure button.
- Enter the network name in Service Set Identifier (SSID), which is the 802.11 protocol’s name for a network.
- From Security Type, select WPA/WPA2 Enterprise. (It’s possible, but unlikely, that you’d be using WEP Enterprise or Any Enterprise, which encompasses WEP, WPA, and WPA2.)
Three tabs appear under Enterprise Settings.
- Protocols: 802.1X isn’t a secure protocol. It uses EAP (Encapsulated Authentication Protocol), a kind of generic version of PPP, to handle talking back and forth between the device that wants access and the access point. EAP can be secured using one of several methods. A network administrator would know which was used. PEAP (Protected EAP) is most common.
- Authentication: For whatever EAP methods were selected in Protocols, you enter the corresponding details here. For EAP-TLS, which requires a unique personal certificate, you install that certificate in Credentials, and then select it from the Identity Certificate here, for instance.
- Trust: The server you’re communicating with sends a certificate for all EAP methods. You can install the expected public certificate and the name found in the certificate in this tab, and that allows an iPhone to have full confidence in the integrity and validity of the connection that’s made.
There’s no “save” button needed in the tab; File -> Save saves the current state of the configuration profile. You can add multiple Wi-Fi profiles by tapping the plus (+) button at middle right just below and to the right of the Advanced tab.
You can do the same for setting up VPN profiles, although this is more to avoid the tedium of having users enter the details themselves, as the settings are the same on the iPhone as in the utility, unlike with 802.1X.
After settling any additional details, including filling out the Summary tab with a required name, you need to export or e-mail the profile so that an iPhone can use it. That requires a bit of caution. Even though the configuration profiles don’t contain passwords, they can contain a VPN shared secret stored in the clear, and Apple warns in its enterprise configuration guide that these profiles aren’t encrypted, just obscured. Best practices would suggest that you only allow users to download profiles from a secured SSL/TLS server where the user has to enter a username and password to gain access to the server.
In testing, I e-mailed a configuration profile to myself, and then selected that profile as an attachment in Mail. I was presented with a screen about the profile with an Install button if I wanted to add it to the iPhone. Tapping Details showed me the two Wi-Fi profiles I’d created. After tapping Install, I was warned that this wasn’t a signed profile, and tapped Install Now to proceed.
The iPhone then prompted me to enter the passwords associated with the two Wi-Fi profiles I’d created. Once entered, the profile appears in a new Settings item nearly at the bottom of the list, labeled Profiles. From there, you can select profiles and tap a Remove button to uninstall them.
New, improved, but room to grow
Apple has definitely ratcheted network security and configuration options up several marks with its latest iPhone releases. But there’s a way to go still. The company needs to consider finding a better way to offer continuous VPN access across networks while roaming, and it should centralize enterprise profile installation without using an export option for full remote management.
However, it’s far easier than it was at the beginning of July to make sure your iPhone activity remains private, confidential, and IT manager-approved.