One of the announcements Apple made during this week’s WWDC conference was that the iPhone 3GS will include an extra security feature aimed mostly at enterprise deployments: “encryption” that will enable a remote wipe feature. What is missing are details about what will be encrypted; this text is the only information I’ve managed to find on Apple’s website so far:
> iPhone 3G S offers highly secure hardware encryption that enables instantaneous remote wipe. You can even encrypt your iTunes backups.
While this sounds very good, the careful way in which Apple chose their words suggests that this might not be as great a feature as it appears at first glance. Here are some points that Apple might want to clarify:
- What data will be encrypted? Will this apply to all data on the flash drive, or just data for which Apple decides encryption is needed?
- How will the encryption key be protected? To make sure the encryption is safe enough, you’ll need a decent encryption key; and almost by definition, such a key will be very hard to enter if it’s needed every time the phone is used. A way to work around this might be to store the encryption key on the device itself, and require a PIN or other simpler password to unlock it.
- The wording of Apple’s announcement suggests that backups to iTunes won’t be encrypted, but that data will be encrypted in iTunes as soon as it is received.
- There are no details about the “remote wipe” feature either. I’m assuming the remote wipe feature requires a network connection to an Apple server that decides whether or not to empty the phone; how will this work if the phone doesn’t have any connection to a mobile network? It would be trivial for anybody interested in your private data to obtain a cell phone jammer, preventing the “wipe” signal from reaching the iPhone.
The second question is, IMHO, the most important one; from a usability perspective, you’d want the key to be somewhere in memory instead of requiring the user to enter it multiple times per day. This makes it vulnerable to more sophisticated attacks in which the iPhone is opened and the flash card removed. This might sound like a lot of work, but if the data on the phone is so sensitive that it requires encryption, it is a scenario that you’ll have to take into account.
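The key-storage workaround from the second question, as an added Python sketch (not Apple's design and not code from this post): a random data key is stored on the device wrapped under a PIN-derived key, destroying that small record is what makes a wipe "instantaneous", and the last function quantifies what the PIN is worth once the record leaves the device. PBKDF2, the iteration count, the XOR mask standing in for AES key wrap, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

ITERATIONS = 100_000  # assumed PBKDF2 work factor, not a figure from Apple


def _derive(pin: str, salt: bytes) -> bytes:
    # 64 bytes: the first 32 mask the data key, the last 32 key the integrity tag.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS, dklen=64)


def wrap_key(data_key: bytes, pin: str) -> dict:
    """Protect a random 32-byte data key with a PIN before storing it in flash."""
    salt = secrets.token_bytes(16)
    k = _derive(pin, salt)
    # XOR with a one-time derived pad stands in for AES key wrap (no AES in stdlib).
    masked = bytes(a ^ b for a, b in zip(data_key, k[:32]))
    tag = hmac.new(k[32:], masked, hashlib.sha256).digest()
    return {"salt": salt, "masked": masked, "tag": tag}


def unwrap_key(blob: dict, pin: str) -> Optional[bytes]:
    """Return the data key, or None if the PIN is wrong or the blob was wiped."""
    k = _derive(pin, blob["salt"])
    expected = hmac.new(k[32:], blob["masked"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["masked"], k[:32]))


def wipe(blob: dict) -> None:
    """Crypto-erase: overwrite the small wrapped-key record, not the whole disk."""
    for field in blob:
        blob[field] = bytes(len(blob[field]))


def offline_exhaust_seconds(alphabet: int, length: int, secs_per_guess: float) -> float:
    """Worst-case time to try every secret if the wrapped key leaves the device."""
    return (alphabet ** length) * secs_per_guess


if __name__ == "__main__":
    data_key = secrets.token_bytes(32)        # constructed sample key
    blob = wrap_key(data_key, "4821")         # constructed sample PIN
    print(unwrap_key(blob, "4821") == data_key, unwrap_key(blob, "0000"))
    print(offline_exhaust_seconds(10, 4, 0.1), "s for a 4-digit PIN")
    wipe(blob)
    print(unwrap_key(blob, "4821"))           # key record is gone, data unreadable
```

With a four-digit PIN the keyspace is only 10,000 values, so the work factor of the key derivation and whether the wrapped record can be read off the flash at all matter far more than the strength of the data key itself.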
I hope Apple will provide more information later this week; if they do, I’ll update this post. If anyone has extra information, feel free to leave it in the comments below!