Apple betrays the iPhone's business hopes (yahoo.com)
44 points by trezor on Sept 15, 2009 | 27 comments


"But how does anyone know Snow Leopard won't have a similar breakdown in the future, if not for encryption then for something else?"

Given that the limitation (the ability to handle on-device encryption) only affects pre-3GS phones I would guess that it's a performance thing and therefore not an issue on the desktop.

This article is very hard to follow in that the author will reverse position each paragraph, in one condemning Apple for releasing something that is not secure and in the next complaining when non-secure functionality is eliminated.

The Palm Pre is mentioned as an alternative but no evidence is given to indicate the same problem doesn't exist on that platform as well, and it would be interesting to know if other remote-exchange-access devices (webmail, blackberry, etc.) provide client or device-side encryption of local files.


> This article is very hard to follow in that the author will reverse position each paragraph, in one condemning Apple for releasing something that is not secure and in the next complaining when non-secure functionality is eliminated.

He's saying that Apple betrayed trust by implementing a secure feature insecurely (while claiming that it was working correctly) and when they decided to actually do something about it, they just quietly pulled out the rug from under their users. There was no Apple announcement or apology. Just a checklist item buried deep in a list of changes in an OS update. That's why he says 'double betrayal.'


Did Apple explicitly claim that they were encrypting the stored files?


It sounds like the iPhone was telling the Exchange servers on the protocol level that it supported encryption. That's what I'm getting from this article anyway.


I fear we're both working from second (or third)-hand information here and it's time to do some homework to find out the truth, but let me add this one thought.

This may sound like a stretch, and Apple themselves have decided that it's not sufficient, but while the files themselves may not be encrypted, the filesystem of the iPhone itself is protected from all but deliberate (and possibly illegal) fiddling by third parties. In this way it's not completely dishonest for the iPhone's Exchange client to report to the Exchange server that the local files are secured.

Like I said it's a stretch, but perhaps the original implementation wasn't pure malice/ignorance on Apple's part.


I don't know if they specifically said that they supported it, but he claims that the iPhone software was reporting to Exchange Server that it did support it, and Apple was claiming full Exchange support (while not specifically talking about encryption).


This is actually a pretty major credibility issue within the enterprise space, and one that Apple should move to address quickly. (Not that I think they'll do that, since they are busy selling videogames...)


In all honesty, everyone in corporate IT knew damn well that iPhones did not support hardware encryption until the 3GS. Why do you think Schiller made such a big deal out of it during the keynote ("The #1 request from business users has been hardware encryption..." or something like that)?

This is yet one more in a string of under-researched, hysterical articles from InfoWorld that are making that magazine the tech equivalent of US! Weekly.


You're not disagreeing with what the article said. The article claimed (rightly or not, I cannot comment) that the iPhone software claimed to the Exchange server that it did support encryption, then just didn't encrypt anything.

I don't believe for a second that "everyone in corporate IT" knew this and yet allowed their users to connect with iPhones and endanger the security of the network.

Again, I don't know that the article's claims are accurate, but your comment clearly does not clash with the aforementioned claims.


As a Microsoft fanboy it's hard for me to acknowledge this, but I think there is a bit of a problem here on Exchange's side as well. If I understand correctly, it asks the device if it supports on-device encryption of data and then trusts that the device claims the truth. I think the problem with this approach is that the security of the network is no longer in the hands of the network's administrators, even though they might have reason to believe so, since they have set up Exchange to enforce on-device encryption even though it can't possibly enforce that in all cases, and as the iPhone example has shown, this is not just a theoretical problem.


It prevents honest mistakes. Here, somebody wasn't honest. I wonder what will happen to the guy at Apple who made the decision to set the "Yes, we're encrypted!" bit. (Probably he'll be forced to fire whoever he issued the order to. Poor guy!)


Why? Apple will just fix the bug or have their sales reps say they're sorry and fix the bug. End of story.


infoworld.com is on the banned domains list for exactly this reason


"How many businesses will revisit their iPhone support now that they know Apple shipped and promoted a product as fit for business only to later find that the device had a major security flaw?"

Probably not many. Many products, including ones never patched without a paid upgrade, have had known security flaws. Including products like Windows, Exchange and Office. Hasn't stopped their acceptance as industry standard tools, has it? In terms of how it affects the iPhone enterprise user base we should consider a couple facts:

iPhone OS 3.0 was released at the same time as the iPhone 3GS hardware (June 19th 2009)

iPhone OS 2.x did not support Exchange.

So I think you can make a reasonable case that before June 19th 2009 very few of these encryption-required companies were buying iPhones since they simply didn't support Exchange. Post June 19th 2009 how many companies were buying non-GS models? We could further sub-divide this based on the discovery of the encryption loophole which you would hope any of these encryption-required companies were aware of. So by my crude calculations I think there is probably a month period where companies may have been buying non-GS iPhones with an expectation of pure encryption-required support.


> iPhone OS 2.x did not support Exchange. So I think you can make a reasonable case that before June 19th 2009 very few of these encryption-required companies were buying iPhones since they simply didn't support Exchange.

This is factually incorrect. I've been using the Exchange integration on the iPhone since fall 2008.

Granted, as this article shows, Apple has been reporting false information to Exchange, but the Exchange support has been there.


Not to mention the tethering loophole is gone in 3.1 too.


Still works fine here.


    echo "here's your problem" | {
        apple
        exchange
    }
hmm


Why does Microsoft even include a client encryption check at all? Shouldn't it be up to the businesses buying these end user devices to check how the data is being stored?

This is like the "don't copy" bit for DRM; if you don't follow it, it doesn't matter. Apple never said their device supported on device encryption that I heard, so why are all of these businesses suddenly surprised?


> Apple never said their device supported on device encryption

Actually, their software made exactly that claim, and falsely, if I read the article correctly.


Maybe it's a trickery of language. Apple said they "supported Exchange" so you could read your email. There was never any claim they supported encryption on the client. Maybe a lot of businesses assumed they did.


If the article is accurate, then the device itself claimed that it supported on-device encryption when it communicated with Exchange.

I don't know about the marketing materials, but for the past year, the software itself has made the claim.


Well yeah, but does that really mean anything? The PalmPre 'claims' to be an iPod so it can work with iTunes. Is anyone saying Palm is engaging in false marketing because of that?


> Is anyone saying Palm is engaging in false marketing because of that

Why bring marketing into it?

> Well yeah, but does that really mean anything?

All that phrase says to me is "you're technically right, but I'm going to adjust my value system until it doesn't matter to me"

e.g:

Person 1: You said you'd love me forever!

Person 2: Well yeah, but does that really mean anything?


Because the author of the article implies that Apple lied in its marketing of the iPhone because it didn't actually support encryption. There are two issues here that the article mixes.

1) What Apple says the phone supported via product literature, aka marketing.

2) What the iPhone software does to implement Exchange support.

Misrepresenting #1 is a crime that the FTC or some government body could fine them for. #2, on the other hand, companies do all of the time to make their devices work with proprietary software. This article is implying a marketing lie while describing what is a software compatibility hack or perhaps an honest bug. Either way, saying "I simply can't count on Apple to do the right thing." is way melodramatic.


Agreed, this isn't a marketing issue but a security policy issue.


> There was never any claim they supported encryption on the client.

Yes, there was. Apple's software made that claim to Exchange.



