Securing your iPhone 2.0

Apple chose wisely to offer support for modern 802.1X, which is called WPA Enterprise or WPA2 Enterprise. The older WEP (Wired Equivalent Privacy) encryption standard is broken, and few companies rely on it in combination with 802.1X. Rather, they use WPA (Wi-Fi Protected Access) or WPA2. WPA has one strong encryption key standard built in; WPA2 has a government-grade option as well.

The iPhone includes basic WPA/WPA2 Enterprise connection settings among its security options.

To set up a WPA/WPA2 Enterprise connection, you need to be connecting to such a network, or to set one up yourself. Software from Periodik Labs is an affordable way for a smaller company to add WPA/WPA2 Enterprise service, and it works with nearly any consumer or business Wi-Fi router.

The iPhone has its basic WPA/WPA2 Enterprise connection settings alongside normal Wi-Fi network connection tools. Tap Settings from the Home screen, and then tap Wi-Fi. Either select a network protected in this way from the list of networks that appears, or tap Other to create a network profile.

The iPhone should recognize when you’re connecting to a network protected by 802.1X and present the right fields. If you tap Other, enter the network’s name in the Name field, then tap the Security field and select WPA Enterprise or WPA2 Enterprise. Tap Other Networks at the top left to return to the profile setup. With either option selected, Username and Password fields appear, in which you enter your 802.1X login information.

Once you’ve selected WPA Enterprise or WPA2 Enterprise, you can enter the user name and password info in their respective fields.

Now many corporate networks may require more security than is offered for an 802.1X login in this screen. This has puzzled some early iPhone 2.0 users, because Apple promised more elaborate 802.1X support and doesn’t show that support here. For that, you need to step up to iPhone Configuration Utility, a free program from Apple that includes the extra options, as well as providing tools for mass configuration of iPhones in an enterprise.

Creating an iPhone configuration profile

Download the iPhone Configuration Utility, which requires OS X 10.5. There are Web 2.0 applications for Windows XP/Vista and OS X 10.5 as well that have a slightly smaller feature set.

The utility lets you create profiles for iPhones that include all the salient details for network connections for e-mail and Microsoft Exchange, device security (such as requiring a passcode and setting passcode policies), and network security profiles for Wi-Fi and VPN connections. The program also lets you distribute digital certificates, widely used in corporations to make sure that devices only connect to legitimate networked systems—a key factor in securing 802.1X connections. (iPhone Configuration Utility also handles the tasks involved in distributing iPhone applications developed for in-house use.)

The Wi-Fi tab contains all the details necessary to distribute profiles for any kind of secured or unsecured Wi-Fi network. A slightly subtle set of plus and minus buttons at right (below the row of configuration tabs) lets you add and remove Wi-Fi profiles.

Apple’s iPhone Configuration Utility can create iPhone profiles as well as distribute digital certificates.

Enterprises use certificates to confirm the authenticity of their 802.1X authentication servers. Before you start configuring the Wi-Fi connection, you might want to gather any certificates used on the network, click the Credentials tab, and select those certificates. This makes them available to other parts of the configuration profile.

Now follow these steps:

  1. Click the Wi-Fi tab.
  2. Click the Configure button.
  3. Enter the network name in Service Set Identifier (SSID), which is the 802.11 protocol’s name for a network.
  4. From Security Type, select WPA/WPA2 Enterprise. (It’s possible, but unlikely, that you’d be using WEP Enterprise or Any Enterprise, which encompasses WEP, WPA, and WPA2.)

Three tabs appear under Enterprise Settings.

  1. Protocols: 802.1X isn’t by itself a secure protocol. It uses EAP (Extensible Authentication Protocol), a kind of generic version of PPP, to handle the exchange between the device that wants access and the access point. EAP can be secured using one of several methods; a network administrator would know which one is in use. PEAP (Protected EAP) is the most common.
  2. Authentication: For whichever EAP methods you selected in Protocols, enter the corresponding details here. For EAP-TLS, for instance, which requires a unique personal certificate, you install that certificate in Credentials and then select it under Identity Certificate here.
  3. Trust: The server you’re communicating with sends a certificate for all EAP methods. You can install the expected public certificate and the name found in the certificate in this tab, and that allows an iPhone to have full confidence in the integrity and validity of the connection that’s made.

There’s no “save” button needed in the tab; File -> Save saves the current state of the configuration profile. You can add multiple Wi-Fi profiles by clicking the plus (+) button at middle right, just below and to the right of the Advanced tab.

You can do the same for setting up VPN profiles, although this is more to avoid the tedium of having users enter the details themselves, as the settings are the same on the iPhone as in the utility, unlike with 802.1X.

The iPhone receives profiles via e-mail (or by visiting a Web site).

After settling any additional details, including filling out the Summary tab with a required name, you need to export or e-mail the profile so that an iPhone can use it. That requires a bit of caution. Even though the configuration profiles don’t contain passwords, they can contain a VPN shared secret stored in the clear, and Apple warns in its enterprise configuration guide that these profiles aren’t encrypted, just obscured. Best practices would suggest that you only allow users to download profiles from a secured SSL/TLS server where the user has to enter a username and password to gain access to the server.
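As an added example (not Apple’s code and not from the original article), here is the shape of the Wi-Fi payload those three Enterprise Settings tabs produce, built with Python’s standard plistlib, plus a check for the weak settings the export step warns about. The key names are Apple’s profile keys; the SSID, server name and anchor UUID are invented.

```python
import plistlib
import uuid

# Constructed example of the .mobileconfig plist the iPhone Configuration Utility
# exports; key names are Apple's profile keys, the SSID/server/UUID values are invented.
EAP_PEAP = 25  # EAP method numbers: 25 = PEAP, 13 = EAP-TLS, 21 = EAP-TTLS
ANCHOR_UUID = "A1B2C3D4-0000-4000-8000-000000000001"  # UUID of the root-cert payload

def wifi_payload(ssid, server_name, anchor_uuid, password=None):
    """Wi-Fi payload for a WPA/WPA2 Enterprise network authenticated with PEAP."""
    eap = {
        "AcceptEAPTypes": [EAP_PEAP],                   # Protocols tab
        "TLSTrustedServerNames": [server_name],         # Trust tab: name in server cert
        "PayloadCertificateAnchorUUID": [anchor_uuid],  # Trust tab: pinned CA payload
        "TLSAllowTrustExceptions": False,               # no click-through on bad certs
    }
    if password:  # leave it out and the phone prompts for it at install time
        eap["UserPassword"] = password
    return {
        "PayloadType": "com.apple.wifi.managed", "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.wifi.{ssid}", "PayloadUUID": str(uuid.uuid4()),
        "SSID_STR": ssid, "AutoJoin": True,
        "EncryptionType": "WPA",  # WPA/WPA2 Enterprise; the other values are WEP, Any, None
        "EAPClientConfiguration": eap,
    }

def export_profile(name, payloads):
    """Wrap payloads in the top-level Configuration dict and serialize to XML plist."""
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadVersion": 1, "PayloadDisplayName": name,
        "PayloadIdentifier": "com.example.profile", "PayloadUUID": str(uuid.uuid4()),
        "PayloadContent": payloads,
    })

def audit_profile(xml_bytes):
    """Weak settings to clear before the profile is e-mailed or posted for download."""
    findings = []
    for p in plistlib.loads(xml_bytes).get("PayloadContent", []):
        if p.get("PayloadType") != "com.apple.wifi.managed":
            continue
        eap = p.get("EAPClientConfiguration", {})
        if p.get("EncryptionType") == "WEP":
            findings.append("WEP is broken; use WPA/WPA2")
        if "UserPassword" in eap:
            findings.append("password stored in the clear (profiles are only obscured)")
        if not (eap.get("TLSTrustedServerNames") and eap.get("PayloadCertificateAnchorUUID")):
            findings.append("no server trust pinned: a rogue 802.1X server would be accepted")
        if eap.get("TLSAllowTrustExceptions", True):  # Apple's default is True
            findings.append("trust exceptions allowed: user can accept a bad certificate")
    return findings
```

The same plist can be signed before distribution so the phone no longer shows the “unsigned profile” warning described below.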

In testing, I e-mailed a configuration profile to myself, and then selected that profile as an attachment in Mail. I was presented with a screen about the profile with an Install button if I wanted to add it to the iPhone. Tapping Details showed me the two Wi-Fi profiles I’d created. After tapping Install, I was warned that this wasn’t a signed profile, and tapped Install Now to proceed.

Left: After selecting a profile in e-mail or on the Web, the Install Profile dialog appears. This profile is unsigned, meaning it can’t be validated by the phone using stored digital certificates as absolutely being issued by the legitimate owner or corporation for whom the owner works. (Signing profiles is highly recommended.) Center: Tapping the More Details button shows the configuration elements that are part of the profile. In this case, two Wi-Fi network setup profiles are included. Right: The profile installation program on the iPhone pops up a warning when you tap Install to let you know that settings will be changed. In this case, because the profile is unsigned, it also makes sure you understand that it could be a profile from a source other than a legitimate one.

The iPhone then prompted me to enter the passwords associated with the two Wi-Fi profiles I’d created. Once entered, the profile appears in a new Settings item nearly at the bottom of the list, labeled Profiles. From there, you can select profiles and tap a Remove button to uninstall them.

Left: After installing the profile, you’re prompted for passwords for any elements in the profile that require them. Center: Profiles appear in the Settings -> General list. Right: To remove a profile, you select it from the Profiles list, and then tap Remove.

New, improved, but room to grow

Apple has definitely ratcheted network security and configuration options up several notches with its latest iPhone releases. But there’s still a way to go. The company needs to find a better way to offer continuous VPN access across networks while roaming, and it should centralize enterprise profile installation for full remote management rather than relying on an export option.

However, it’s far easier than it was at the beginning of July to make sure your iPhone activity remains private, confidential, and IT manager-approved.

[Glenn Fleishman writes daily about wireless networking at his site Wi-Fi Networking News. He also runs the Glenn Fleishman on Hardware blog at PC World.]
