Securing your iPhone 2.0

The iPhone 2.0 software update released earlier this month offers some dramatic improvements from earlier versions in security management for corporate users. But even these welcome changes aren’t enough to make the iPhone seamlessly secure.

A year ago, I criticized a number of design and interface decisions Apple made with the original iPhone that made it harder to create secure network connections and to keep your data away from prying eyes on unsecured networks, such as free and commercial Wi-Fi hotspots. The 2.0 software still has gaps, but it has made the steps you can take to secure your data easier. Apple still needs to open its arms to third-party network security clients, though, to meet what enterprises (and many individuals) demand from a secure mobile device.

This isn't to say that other devices are ahead of Apple; rather, Apple is uniquely positioned to bring desktop-operating-system levels of security to the iPhone.

Reviewing the original vulnerabilities

Much of the iPhone's original set of security problems stems from the device's willingness to connect to any open access point you pass by. That's still a problem. As of this writing, AT&T hasn't yet opened its Wi-Fi network to iPhone users, although the carrier has let slip that free access is apparently coming, with the latest false start occurring on Friday. But when AT&T does open its U.S. network to iPhone users, there will still be no security beyond what you provide yourself.

AT&T doesn't offer corporate-grade secure connections at its hotspots; competitor T-Mobile has offered that option for four years. The iPhone now supports this kind of connection, and it would be a simple way to keep other hotspot users from reading your traffic. (The option is 802.1X, explained below, which is found nearly universally in medium-to-large corporate networks.)

You must still be careful about joining Wi-Fi networks you know nothing about. That's why I continue to recommend that iPhone users (and all laptop users) connect through a virtual private network (VPN). A VPN creates an encrypted connection between a device, such as an iPhone, and a remote VPN server. A snooper who intercepts that data on a hotspot network sees only scrambled nonsense that, with current technology, can't be turned back into anything readable by anyone other than the parties at the two ends. (802.1X encrypts the link between a computer or mobile device and the Wi-Fi gateway; a VPN encrypts the connection through the gateway all the way to a network endpoint somewhere far away, so the hotspot operator can't read it either.)

The iPhone now supports three types of VPN connections, up from two in the 1.x firmware, and several services provide a VPN for a monthly fee. WiTopia may be the best option for iPhone owners. It charges $40 per year for its VPN service, which requires installing a VPN client that uses SSL on a desktop or laptop computer; that client isn't available for the iPhone yet. However, WiTopia throws in a free PPTP connection for the iPhone, which is one of the supported types. Bear in mind that PPTP's MS-CHAPv2 password authentication has known weaknesses, so if a service also offers L2TP over IPsec for the iPhone, that is the better choice.

The Advanced settings screen for your SMTP mail account lets you enter a port for retrieving e-mail.

Other ways of securing your traffic have improved, though. If your ISP's SSL-secured mail server listens on an unusual port (a port is the equivalent of a numbered cubbyhole at an IP address, at which a particular kind of traffic is expected), you can now enter that port directly instead of resorting to a workaround.

In Settings -> Mail, Contacts, Calendars -> mail account -> Advanced, you can enter a port for retrieving e-mail. Likewise, in your mail account, select SMTP, choose a mail server, and enter the port in the Server Port setting. This goes a long way toward coping with whatever unusual setup your ISP may use.
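Before you type an unusual port into the phone, it's worth confirming that the server really speaks SSL/TLS on that port and presents a certificate that matches its name. The following is an added example in Python, not from the article and unrelated to the iPhone's own Mail client; the host name and port in it are placeholders, and the check assumes the port speaks TLS from the first byte (IMAPS, POP3S or SMTPS), not STARTTLS.

```python
"""Check that a mail server offers TLS with a valid certificate on a
non-standard port before that port is entered on the phone.

Added example, not from the original article. Host names and ports are
placeholders; substitute the values your ISP gave you."""
import socket
import ssl


def parse_server_spec(spec, default_port):
    """Split 'host:port' into (host, port); use default_port if none given.
    Accepting the host:port form covers the habit of appending the port to
    the host name that older setups relied on."""
    host, sep, port = spec.rpartition(":")
    if not sep:
        return spec, default_port
    if not port.isdigit():
        raise ValueError("port must be numeric: %r" % spec)
    return host, int(port)


def make_context():
    """A context that refuses connections the certificate doesn't justify:
    chain verification against the system CA store and host-name matching."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def check_tls_mail_port(host, port, timeout=10.0):
    """Open an implicit-TLS connection and report what was seen.

    Returns a dict with 'ok'; on success also the protocol version, cipher,
    certificate subject CN and the server's greeting line. A certificate
    failure is reported as a failure, never downgraded or worked around."""
    ctx = make_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                greeting = tls.recv(512).decode("ascii", "replace").strip()
                cert = tls.getpeercert()
                subject = dict(pair[0] for pair in cert.get("subject", ()))
                return {
                    "ok": True,
                    "protocol": tls.version(),
                    "cipher": tls.cipher()[0],
                    "subject_cn": subject.get("commonName"),
                    "greeting": greeting,
                }
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "reason": "certificate rejected: %s" % exc.verify_message}
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "reason": "%s: %s" % (type(exc).__name__, exc)}


if __name__ == "__main__":
    # Placeholder server; replace with the host and port from your ISP.
    host, port = parse_server_spec("imap.example.net:993", 993)
    print(check_tls_mail_port(host, port))
```

If the result is not `ok`, the reason tells you whether the port isn't listening, doesn't speak TLS at all, or presents a certificate that doesn't chain to a trusted authority or doesn't match the host name; in the last two cases the port is not one you want to trust with your mail password.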

So far, the App Store features no software for creating SSH (Secure Shell) tunnels, VPNs beyond the built-in types, or other elements that would make it simpler to create a secure connection. This makes sense, because the terms of use for Apple's iPhone software development kit (SDK) allow only sandboxed applications, which can reach underlying system resources only through specific channels, and a VPN client needs to reach the network stack. Any additional security options will likely have to be developed in conjunction with Apple or licensed by the company.

Better security through VPN profiles, WPA/WPA2 enterprise

In two areas, Apple has made it much easier to maintain secure communications and join secure networks. You can set up multiple VPN profiles, each with its own details. Also, an average user can join a network secured with WPA/WPA2 Enterprise, which requires each user to log in to a Wi-Fi (or Ethernet) network with unique credentials.

The VPN improvements are notable because people who require two or more VPNs for their job, which can include a personal one on the road and a corporate one in the office, simply couldn't make iPhone 1.x work for them. The original firmware offered PPTP (Point-to-Point Tunneling Protocol) and L2TP (Layer 2 Tunneling Protocol, which is paired with IPsec, or Internet Protocol Security, as L2TP over IPsec), but you could set up only one connection of each type. If your work or life required two L2TP connections, you were out of luck.

In iPhone 2.0, you navigate to Settings -> General -> Network -> VPN, where you tap Add VPN Configuration to get started. The Add Configuration dialog lets you choose among L2TP, PPTP, and IPsec, the last being Cisco's particular flavor of IPsec.

If you choose L2TP, for instance, you enter a description that's displayed in the main VPN settings page, the VPN server's host name, and your account name. Some VPN servers require just a password; others use two-factor authentication, where you also enter a code from an RSA SecurID token that you carry with you. If your company requires that, turn on the SecurID switch. If a password is required, you can enter it during setup and the iPhone will use it automatically; leave the field blank and the iPhone prompts you each time you connect. L2TP connections also require a shared secret that a system administrator gives you. Turning on Send All Traffic routes every connection through the tunnel; it's the recommended choice on an untrusted network, because with it off only traffic bound for the VPN's own networks is protected.

Here’s the profile that appears in the VPN setting screen after you’ve saved your VPN configuration.

Tap Save, and the profile appears in the VPN setting screen. Tap the profile to select it as your default.

You can enable your VPN through the On/Off switch on the VPN settings screen; if you have a single profile, that switch also appears on the main Settings screen below Airplane Mode and Wi-Fi. If you have multiple profiles, you instead see the message Not Connected, which, when tapped, takes you to the VPN settings screen.

Since an iPhone can switch among Wi-Fi, 2G, and (on the newer models) 3G, VPN connections still lack a critical element for roaming users: continuity. Several firms make software that lets a mobile device keep a stable IP address, using some acceptable network trickery that relies on a simple client on the device and a remote server to keep a connection alive even as it moves between network types. I saw this demonstrated as long ago as 2003.

Apple hasn't invested in such a technique, nor has AT&T, and, as noted above, a third party can't simply write the missing piece. It's a gaping hole, because a VPN, once activated, shouldn't need any attention from users until they decide to turn it off. On the iPhone, the VPN drops whenever a network transition happens, and it must be turned off and back on manually; until you do, your traffic travels outside the tunnel.

Setting up a basic WPA/WPA2 Enterprise connection is far simpler. This method is a form of 802.1X, a port-based network access control standard. In plain English, 802.1X lets you associate with a Wi-Fi access point but withholds access to the network behind it until you prove your identity. Once you've proved it, the authentication produces encryption key material unique to your session (from which the various keys your Wi-Fi adapter needs are derived). Because every user holds different keys, no two users on an 802.1X network can snoop on each other's traffic, which makes it more secure as well.

Apple chose wisely to support modern 802.1X, which is called WPA Enterprise or WPA2 Enterprise. The older WEP (Wired Equivalent Privacy) encryption standard is broken, and few companies still rely on it in combination with 802.1X. Rather, they use WPA (Wi-Fi Protected Access) or WPA2. WPA has one strong encryption option built in (TKIP); WPA2 adds AES-based encryption (CCMP), which also satisfies government requirements.

The iPhone includes basic WPA/WPA2 Enterprise connection settings among its security options.

To set up a WPA/WPA2 Enterprise connection, you need such a network to connect to, or you need to set one up yourself. Software from Periodik Labs is an affordable way for a smaller company to add WPA/WPA2 Enterprise service, and it works with nearly any consumer or business Wi-Fi router.

The iPhone has its basic WPA/WPA2 Enterprise connection settings alongside normal Wi-Fi network connection tools. Tap Settings from the Home screen, and then tap Wi-Fi. Either select a network protected in this way from the list of networks that appears, or tap Other to create a network profile.

The iPhone should recognize when you're joining a network protected by 802.1X and present the right fields. If you tap Other, you enter the network's name in the Name field and tap the Security field to select WPA Enterprise or WPA2 Enterprise; tap Other Networks at the top left to return to the profile setup. With either option selected, Username and Password fields appear in which you enter your 802.1X login information.

Once you’ve selected WPA Enterprise or WPA2 Enterprise, you can enter the user name and password info in their respective fields.

Now, many corporate networks require more security than this screen offers for an 802.1X login. This has puzzled some early iPhone 2.0 users, because Apple promised more elaborate 802.1X support and doesn't show it here. For that, you need to step up to iPhone Configuration Utility, a free Apple program that includes the extra options as well as tools for mass configuration of iPhones in an enterprise.

Creating an iPhone configuration profile

Download the iPhone Configuration Utility, which requires OS X 10.5. There are also Web-based versions for Windows XP/Vista and OS X 10.5 with a slightly smaller feature set.

The utility lets you create profiles for iPhones that include all the salient details for e-mail and Microsoft Exchange connections, device security (such as requiring a passcode and setting passcode policies), and network security profiles for Wi-Fi and VPN connections. The program also lets you distribute digital certificates, widely used in corporations to make sure that devices connect only to legitimate networked systems, a key factor in securing 802.1X connections. (iPhone Configuration Utility also handles the tasks involved in distributing iPhone applications developed for in-house use.)

The Wi-Fi tab contains all the details necessary to distribute profiles for any kind of secured or unsecured Wi-Fi network. A slightly subtle set of plus and minus buttons at right (below the row of configuration tabs) lets you add and remove Wi-Fi profiles.

Apple's iPhone Configuration Utility can create iPhone profiles as well as distribute digital certificates.

Enterprises use certificates to confirm the authenticity of their 802.1X authentication servers. Before you start configuring the Wi-Fi connection, gather the certificates used on the network (at minimum, the certificate of the authority that issued the authentication server's certificate), click the Credentials tab, and add them there. This makes them available to other parts of the configuration profile.

Now follow these steps:

  1. Click the Wi-Fi tab.
  2. Click the Configure button.
  3. Enter the network name in Service Set Identifier (SSID), which is the 802.11 protocol’s name for a network.
  4. From Security Type, select WPA/WPA2 Enterprise. (It’s possible, but unlikely, that you’d be using WEP Enterprise or Any Enterprise, which encompasses WEP, WPA, and WPA2.)

Three tabs appear under Enterprise Settings.

  1. Protocols: 802.1X doesn't itself secure anything. It carries EAP (Extensible Authentication Protocol), an authentication framework that grew out of PPP, between the device that wants access and the access point, which relays it to an authentication server. The security comes from the EAP method in use; a network administrator would know which one. PEAP (Protected EAP) is most common.
  2. Authentication: For whichever EAP methods you selected in Protocols, you enter the corresponding details here. For EAP-TLS, which requires a unique personal certificate, you install that certificate under Credentials and then select it from the Identity Certificate pop-up here, for instance.
  3. Trust: With the TLS-based EAP methods (PEAP, TTLS, and EAP-TLS), the authentication server presents a certificate. In this tab you select the certificate (or the authority that issued it) that the phone should expect and enter the server name found in the certificate; that lets the iPhone have full confidence in the integrity and validity of the connection it makes. Without it, the phone can't tell a rogue access point running its own authentication server from the real one, and with a password-based method such as PEAP the rogue could collect your login credentials.

There's no "save" button in the tab; File -> Save saves the current state of the configuration profile. You can add multiple Wi-Fi profiles by clicking the plus (+) button at middle right, just below and to the right of the Advanced tab.

You can do the same for VPN profiles, although that's more to spare users the tedium of entering the details themselves, since, unlike with 802.1X, the VPN settings in the utility are the same as those on the iPhone.

The iPhone receives profiles via e-mail (or by visiting a Web site).

After settling any additional details, including filling out the Summary tab with a required name, you need to export or e-mail the profile so that an iPhone can use it. That requires a bit of caution. Even though configuration profiles don't contain passwords, they can contain a VPN shared secret stored in the clear, and Apple warns in its enterprise configuration guide that these profiles aren't encrypted, just obscured. Best practice is to let users download profiles only from an SSL/TLS-protected server that requires a username and password to reach them.
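For administrators who would rather generate profiles than click through the utility, here is an added Python example, not from the article or from Apple, that builds the same kind of profile in code: a WPA/WPA2 Enterprise Wi-Fi payload filled out the way the Protocols, Authentication and Trust tabs would fill it, and an L2TP over IPsec VPN payload matching the fields on the phone's Add Configuration screen. It then audits the result for the cleartext shared secret and the missing server trust discussed above. The payload keys are those in Apple's Configuration Profile Reference reproduced from memory, so check them against a profile exported from iPhone Configuration Utility before relying on them; the SSID, server names, user names, secrets, organization and UUIDs are placeholders.

```python
"""Build and audit an iPhone configuration profile (.mobileconfig plist).

Added example, not from the article or from Apple. Payload keys follow Apple's
Configuration Profile Reference as reproduced from memory; verify against a
profile exported by iPhone Configuration Utility. All names are placeholders."""
import plistlib
import uuid

EAP_TLS, LEAP, PEAP = 13, 17, 25         # IANA EAP method numbers
ORG = "example.com"                      # placeholder organization


def _base(ptype, name, ident):
    """Keys every payload carries. The UUID is derived from the identifier so
    output is stable across runs; real deployments would use uuid4()."""
    return {"PayloadType": ptype, "PayloadVersion": 1, "PayloadDisplayName": name,
            "PayloadIdentifier": "%s.%s" % (ORG, ident),
            "PayloadUUID": str(uuid.uuid5(uuid.NAMESPACE_DNS, ORG + ident)).upper()}


def wifi_enterprise(ssid, username, anchor_uuid, server_names):
    """WPA/WPA2 Enterprise with PEAP, pinned to the RADIUS server's CA (a
    certificate payload with anchor_uuid) and to its certificate name. Omitting
    both is the gap the Trust tab exists to close: a rogue access point with
    its own RADIUS server would be accepted and could harvest the credential."""
    p = _base("com.apple.wifi.managed", "Corporate Wi-Fi", "wifi." + ssid)
    p.update({"SSID_STR": ssid, "HIDDEN_NETWORK": False, "AutoJoin": True,
              "EncryptionType": "WPA",           # WPA or WPA2, Enterprise via EAP
              "EAPClientConfiguration": {
                  "UserName": username,
                  "AcceptEAPTypes": [PEAP],
                  "PayloadCertificateAnchorUUID": [anchor_uuid],
                  "TLSTrustedServerNames": list(server_names),
                  "TLSAllowTrusted": False}})    # no "trust anyway" prompt
    return p


def vpn_l2tp(name, server, username, shared_secret, securid=False):
    """L2TP over IPsec, all traffic through the tunnel, password omitted so the
    phone prompts. The IPsec shared secret has to be in the payload to be of
    any use, which is why the profile itself must travel protected."""
    p = _base("com.apple.vpn.managed", name, "vpn." + name.lower())
    p.update({"UserDefinedName": name, "VPNType": "L2TP", "OverridePrimary": True,
              "PPP": {"CommRemoteAddress": server, "AuthName": username,
                      "TokenCard": securid},      # RSA SecurID switch
              "IPSec": {"AuthenticationMethod": "SharedSecret",
                        "SharedSecret": shared_secret.encode()}})
    return p


def build_profile(payloads):
    """Wrap payloads in the top-level Configuration payload as XML plist bytes."""
    top = _base("Configuration", "Example Corp settings", "profile")
    top["PayloadContent"] = list(payloads)
    return plistlib.dumps(top)


def audit_profile(data):
    """Return the findings an administrator should see before distributing."""
    if data[:1] == b"\x30":                  # DER: a CMS-signed profile
        return ["signed profile (CMS); audit the inner plist instead"]
    findings = []
    for p in plistlib.loads(data).get("PayloadContent", []):
        t, name = p.get("PayloadType"), p.get("PayloadDisplayName", "?")
        if t == "com.apple.vpn.managed":
            if p.get("VPNType") == "PPTP":
                findings.append("%s: PPTP relies on MS-CHAPv2; prefer L2TP/IPsec" % name)
            if p.get("IPSec", {}).get("SharedSecret"):
                findings.append("%s: IPsec shared secret stored in the clear" % name)
            if p.get("PPP", {}).get("AuthPassword"):
                findings.append("%s: VPN password stored in the clear" % name)
        elif t == "com.apple.wifi.managed":
            if p.get("Password"):
                findings.append("%s: Wi-Fi passphrase stored in the clear" % name)
            eap = p.get("EAPClientConfiguration")
            if eap is not None:
                if not eap.get("PayloadCertificateAnchorUUID") and not eap.get("TLSTrustedServerNames"):
                    findings.append("%s: 802.1X without server trust; rogue AP can harvest credentials" % name)
                if LEAP in eap.get("AcceptEAPTypes", []):
                    findings.append("%s: LEAP accepted; its challenge/response is crackable offline" % name)
    return findings


if __name__ == "__main__":
    ca_uuid = "11111111-2222-3333-4444-555555555555"   # placeholder cert payload UUID
    profile = build_profile([
        wifi_enterprise("CorpNet", "alice", ca_uuid, ["radius.example.com"]),
        vpn_l2tp("Office", "vpn.example.com", "alice", "placeholder-secret", securid=True)])
    for line in audit_profile(profile):
        print(line)
```

Even a well-built profile produces one finding, the shared secret, which is the reason for serving profiles only over an authenticated SSL/TLS connection. The signed-profile check is a heuristic on the first byte: a profile signed with the CMS format begins with a DER sequence rather than XML.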

In testing, I e-mailed a configuration profile to myself, and then selected that profile as an attachment in Mail. I was presented with a screen about the profile with an Install button if I wanted to add it to the iPhone. Tapping Details showed me the two Wi-Fi profiles I’d created. After tapping Install, I was warned that this wasn’t a signed profile, and tapped Install Now to proceed.

Left: After selecting a profile in e-mail or on the Web, the Install Profile dialog appears. This profile is unsigned, meaning the phone can't use its stored digital certificates to verify that it was issued by the legitimate owner or by the corporation the owner works for. (Signing profiles is highly recommended.) Center: Tapping More Details shows the configuration elements in the profile; in this case, two Wi-Fi network profiles are included. Right: When you tap Install, the iPhone's profile installer pops up a warning to let you know that settings will be changed. Because this profile is unsigned, it also makes sure you understand that it could come from a source other than a legitimate one.

The iPhone then prompted me to enter the passwords associated with the two Wi-Fi profiles I'd created. Once entered, the profile appears in a new Settings item near the bottom of the list, labeled Profiles. From there, you can select profiles and tap a Remove button to uninstall them.

Left: After installing the profile, you're prompted for passwords for any elements in the profile that require them. Center: Profiles appear in the Settings -> General list. Right: To remove a profile, select it from the Profiles list and tap Remove.

New, improved, but room to grow

Apple has definitely ratcheted network security and configuration options up several notches with its latest iPhone releases. But there's still a way to go. The company needs to find a better way to keep VPN access continuous across networks while roaming, and it should offer full remote management of enterprise profiles instead of requiring them to be exported and distributed by hand.

However, it’s far easier than it was at the beginning of July to make sure your iPhone activity remains private, confidential, and IT manager-approved.

[Glenn Fleishman writes daily about wireless networking at his site Wi-Fi Networking News. He also runs the Glenn Fleishman on Hardware blog at PC World.]
