When it comes to wireless connections, Apple’s iPhone is not unlike an excited toddler who first learns to point out animals. “Dog! Dog! Cat! Dog! Bird!” the toddler might shriek walking down the street. The iPhone’s equivalent when you walk down the street? “Linksys! Default! T-Mobile! Surf and Sip! FreeNetSpot!”
The iPhone wants to connect, and, in its default mode, it’s not shy about trying to get you from AT&T’s 100 to 200 Kbps EDGE network on to some faster Wi-Fi, whether it’s in your home or in a coffee shop.
But that eagerness to join other networks is not necessarily good for you when you're trying to ensure your data sent through the air doesn't wind up in someone else's hands. While we shouldn’t imagine that ne’er-do-wells lurk on every street corner, there’s plenty of evidence that some number of network snoopers spend a fair amount of time scooping up private e-mail and private information. Security firms that specialize in monitoring for intrusions and bad behavior find “evil twins” even in airports—hot spot software running on a laptop that creates a network that mimics the real network, luring users.
The iPhone has several in-transit data security options, but it’s not designed to be a device that securely handles data as it enters and leaves the operating system. So far, the iPhone appears to be very well designed for securing data that’s already on it, but what’s a networked communications device without communications?
The abundance of communication options may be the iPhone’s Achilles’ Heel for securing in-transit data. The iPhone hops from EDGE to Wi-Fi without a second thought. It retains passwords for encrypted Wi-Fi networks. Its Safari browser allows easy access to hotspots that use Web page login or redirection to gain access. Most hotspots require that you first connect to their network, then view a Web page before being granted access. You pay, view an ad, or agree to terms of service before proceeding. The iPhone is so good at all these tasks, that increases the likelihood that you could use unknown, untrusted, and perhaps unsavory networks, and that you’ll be switching between EDGE and Wi-Fi without even knowing it.
With millions of iPhone users hitting the streets and hotspots in the next few months, there’s a high degree of concern over whether they will be able to keep their data from the hands of the many crackers and sniffers out there who routinely grab any login information or other personal data that passes over these networks.
What the iPhone reveals
A Yahoo Mail push transaction captured over Wi-Fi using Interarchy shows the user’s mailboxes being listed. Anything sent in the clear, including the content of e-mail, can be captured.
It’s a simple matter to see what data the iPhone is giving away to anyone savvy enough to connect to a public Wi-Fi and watch packets flow by. With a simple test setup (I’ll show you how to run it below ), I was able to see the following:
- E-mail passwords for unprotected accounts
- The contents of e-mail sent or received from unprotected accounts
- The contents of e-mail pushed to the iPhone by Yahoo! Mail
- Unencrypted Web page contents—typically anything not involving e-commerce or banking
- The list of stocks followed in the Stocks widget
- Map information requested with the Maps widget
- The cities followed in the Weather widget
Because Apple is using its own servers to feed data to widgets, it’s particularly galling that the company didn’t choose to add a tiny bit of data overhead and make these connections secure. While the city temperatures, stocks, and locations you might be tracking and viewing don’t reveal information that can be used in identity theft, they still tell a lot about you and your habits.
What does the iPhone protect in transit? Only a few items.
- Secured e-mail accounts (the default for Yahoo, Gmail, and newly created accounts)
- A Yahoo! Mail user name and password when push e-mail is engaged (but not the contents)
I set up a test account on one of my mail servers called “foobar,” and, after disabling protection on the account—to simulate an Internet service provider that doesn’t offer encrypted email connections—I captured this nifty exchange between the iPhone and my servers:
Packet received at 1184617871.163083
TCP packet from 10.0.2.2:51387 to [IP deleted]:pop3(110) (15 bytes)
ACK PUSH PASS g00ber!!
Packet received at 1184617871.237409
TCP packet from [IP deleted]:pop3(110) to 10.0.2.2:51387 (59 bytes)
+OK foobar has 0 visible messages (0 hidden) in 0 octets.
line reveals my (fake) super-secret password, now exposed for anyone sniffing to retrieve.
To protect and to server
The iPhone isn’t all about exposing your data. In fact, Apple took one key measure to try to prevent e-mail account information and e-mail contents from being sniffable. By default, the iPhone uses SSL (Secure Sockets Layer) encryption for POP, IMAP, and SMTP. SSL e-mail connections work just like secure Web sessions: the iPhone’s e-mail software exchanges digital certificate information with the mail server and creates an encrypted tunnel that can’t be broken using any known techniques.
For AOL, Gmail, Yahoo!, and .Mac, SSL is the default option and shouldn’t be changed. Some hotspot networks try to restrict e-mail traffic handled over non-secure and secure channels to mail servers, and you might have to resort to Web mail in those cases, itself a problem.
But if you think you could just switch to Webmail to gain security, think again. Yahoo, Gmail, and Mac.com don’t offer SSL-protected Webmail reading. (Gmail does, however — but be sure to visit
. The latter redirects to the former, causing a discontinuity in SSL certificates which doesn’t bother a Mac OS X-based Web browser much, but hangs iPhone’s Safari.)
For accounts other than those four service providers, you may be out of luck: Your ISP may not support SSL e-mail. One way around this email security dilemma if your ISP doesn’t give you a secured option is to forward or copy email coming in to your ISP to a secure service like Hushmail. You could then set up a Mail account on your iPhone to retrieve e-mail from Hushmail with full confidence.
If your ISP just uses an unusual port for its secured e-mail, Macworld editorial director Jason Snell reports a workaround in his iPhone review, which isn’t otherwise documented. (Port numbers are like numbered cubbies in a mailroom: Each cubby corresponds to a particular service, like chat, FTP, or e-mail.) Instead of entering just the mail server name in Settings -> Mail -> Other, like
pop.gmail.com, you append a colon and the port number, like
pop.gmail.com:995. The colon-plus-port style is an Internet standard, just hidden here.
For other kinds of data, Apple offers no comprehensive way to add protection. For computer-based Web browsing, for instance, you could work with a secure Web proxy service, like Secure-Tunnel. The secure proxy creates an SSL connection between your browser and Secure-Tunnel’s servers, rendering your sessions inaccessible to local Wi-Fi network snoopers.
But Apple—which did not take advantage of our request for comment on this article—made a poor interface choice on the iPhone for this option. You can set a secure proxy for Web access in Settings -> Network -> Wi-Fi, but the setting is on a per-connection basis. You would have to re-enter the same proxy data tediously every time you connected to a different network. In Mac OS X, by contrast, each network interface has a Proxy tab in the Network preference pane that lets you offer a global setting for all connections.
Rent a VPN
There is a comprehensive way to protect all connections made from your iPhone, including mail, Web, and widget communications: use a virtual private network (VPN). VPNs wrap all data entering and leaving an operating system over a network in strong encryption.
Apple supports two popular forms of VPN client software: PPTP (Point-to-Point Tunneling Protocol) and L2TP, often known as IPsec (IP Security) over L2TP (Level 2 Tunneling Protocol). The server sides of these VPN types are found in Mac OS X Server, and are available in Windows Server and other security packages. VPN connections are configured in Settings -> Network -> VPN. Once configured, a VPN On/Off slider appears in the main Settings area below Wi-Fi.
There are several firms that specialize in “rent-a-VPN” service for travelers who don’t have a corporate information technology department behind them handling VPN service. For a few dollars a month or $30 to $120 per year, these firms provide a link from your computer to their servers in a network center. From there, data comes and goes unprotected (unless there’s a wrapper inside as with a banking transaction or SSL e-mail), but your local link over Wi-Fi and the connecting service providers above that don’t see your traffic in the clear.
However, Apple again made several decisions in the first iPhone release that make using VPNs problematic, whether for corporate users or rent-a-VPN users. First, Apple has left out SSL VPN support. VPNs that use SSL are considered somewhat more flexible. A popular open-source server project has made SSL among the cheapest options to use. This could be added through a later software update, or support for third-party software additions. Corporations will clamor for this in iPhones used as business tools.
Second, the iPhone can store a single PPTP and a single L2TP configuration. For users who have multiple VPNs—perhaps one for office use and another for the road—they’re out of luck at present. Mac OS X supports multiple, named configurations for the same VPN types. This is an issue of simplicity, and could be fixed later.
Third, Apple doesn’t automatically disconnect and reconnect the VPN as you roam across Wi-Fi networks or between Wi-Fi and EDGE. VPNs over EDGE can work rather slowly as they do add overhead and latency in carrying and encoding/decoding data. But Apple doesn’t make the easier choice to offer an option to keep the VPN active whenever a user is on Wi-Fi. A user thus needs to keep their eyes on the VPN connection.
(EDGE itself isn’t considered fully secure. As Stephan Somogyi, once a Macworld contributor and now an independent security consultant said, with EDGE, “you’re safe from the determined 12-year-old across the street, but only just.” A few thousands of dollars of equipment along with special software are needed to break EDGE encryption, but it’s within the reach of interested individuals, not just governments.)
Entering the VPN settings on an iPhone
Fourth, two bugs make using VPN connections even harder. In testing, I found that although you can enter a VPN password in the configuration set-up, that password isn’t always retained. That problem wouldn’t be so bad if it weren’t for the second bug: Instead of displaying a full alphanumeric and punctuation keyboard for password entry, when you are asked to re-enter the VPN password, only a telephone-style keyboard appears. Also, if you need to restore a funky iPhone, all Wi-Fi and VPN passwords are wiped clean, requiring re-entry; a smart move on Apple’s part, but it adds to the frustration.
An Apple KnowledgeBase note also explains a very technical detail, which will prevent many of you who work in corporations and at some academic institutions from using the iPhone’s VPN client. Apple supports only the very basic method of authenticating PPTP and L2TP/IPsec and one more advanced method. If your company requires the use of a RSA SecurID token—a key fob or card key—to generate a special password for access, you’re out of luck. The L2TP/IPsec client will support tokens from CryptoCard, however, as long as the “shared secret” method is used. Likewise, users of VPN systems that use digital certificates or Kerberos, as well as a few other options, can’t make connections, either.
Despite those provisos, a VPN is currently the best way to keep your iPhone’s in-transit data safe. Of the several rent-a-VPN firms, most support only SSL-based connections. However, HotSpotVPN.com and WiTopia.net both have PPTP as an option, and the companies, when contacted, confirmed that they will work with iPhone owners to deal with the numeric-password entry. (WiTopia first reported part of the problem to me.)
HotSpotVPN.com offers their PPTP service as HotSpotVPN-1 for $8.88 per month or $88.88 per year. It bundles PPTP with SSL service as HotSpotVPN-2 for $10.88 to $13.88 per month or $108.80 to $138.80 per year. WiTopia.net is just rolling out an SSL plus PPTP bundle itself for $39.99 per year in a limited offer.
The bottom Line
The point of this article is not to make you feel that a criminal lurks beneath every rock; rather, I hope to alert you to the potential risk of exposure of personal data that an iPhone carries with it. For general purposes with secure e-mail, your over-the-air data is relatively innocuous. But the more you want to protect what you reveal about yourself, the harder you’ll work until Apple updates or opens up the iPhone for simpler, less frustrating security.
[ Glenn Fleishman writes daily about wireless networking at his site Wi-Fi Networking News. ]
Sidebar: See what your iPhone reveals
Configure the Sharing -> Internet tab to turn on an AirPort network your iPhone can connect to in order to capture data.
You can duplicate the test I ran above with any Mac that has both Ethernet and AirPort built in by following the steps below. You’ll need to have the FTP program Interarchy from Nolobe installed. (The single-user version costs $60, though there is a free demo available.)—GF
- Launch System Preferences.
- Click Sharing.
- Click the Internet tab.
- Select your Ethernet connection from the Share Your Connection From menu.
- Check AirPort in the list under To Computers Using.
- Click AirPort Options to set WEP encryption (optional).
- Click Start. Click Yes when warned about network sharing issues.
- Launch Interarchy.
- From the File -> Net menu, choose Traffic.
- In the Network Interface popup menu at the right, choose AirPort. (AirPort will be followed by something like
(en1), which is the operating system’s interface identifier, and isn’t significant here.)
- From the Packet Filter menu, choose Everything.
- On your iPhone, choose the computer network you just created.
Updated 7/18 3:07 p.m ET: Clarified correct and incorrect URLs for using Gmail securely. Credit: Macworld.com forum user Ron Castry.
Updated at 7:23 p.m. ET to correct information regarding CryptoCard tokens.