iPhones now 'safe' for Restricted UK.gov info, but not Secret

iOS 6 hasn't yet done the job on RIM

UK government departments have a green light to use iPhones and other iOS 6 devices for handling sensitive emails. The move may encourage civil servants and ministers to toss their BlackBerries to the wind, provided they don't have to read anything that's more than mildly important.

For years RIM's BlackBerry handsets were the only mobile kit accredited for accessing sensitive information by the Communications-Electronics Security Group. CESG is a GCHQ branch tasked with shoring up computer defences in banks, power stations and other critical systems in Blighty.

But the long-term viability of RIM, which has suffered a steady decline in smartphone market share, and improvements in the security of the iPhone operating system iOS have prompted a rethink on the use of Cupertino's Jesus mobe in government.

In a statement, CESG explained that it updated its guidance on the suitability of iOS 6 devices (available for the iPhone 3GS onwards, and iPad 2 and later models) to support the handling of sensitive emails:

CESG is currently working on updates and enhancements to a number of our mobile security guidance documents. As part of this work CESG has published risk management guidance for iOS 6 devices for protecting sensitive emails - up to and including Impact Level 3 depending on local risk management decisions. The guidance is based on existing CESG security procedures for iOS, but includes updated guidance, additional technical controls and improvements to user guidelines to more effectively manage identified risks with mobile working

Government emails and documents are categorised into one of seven levels that describe the impact caused were the file to leak - from zero for no impact to six for severe. Level 3, now appropriate for accessing with iOS 6 devices, sits in the middle of this spectrum. Typically, information deemed protected, restricted, confidential, secret or top secret falls into levels 2, 3, 4, 5 and 6, respectively.

CESG recommends that iPhones and iPads running the latest version of iOS be fortified with additional defences: network monitoring and protections need to be extended, and users should switch on security features bundled in iOS 6.

UK government departments use as many as 20,000 BlackBerry devices, which are still considered secure - but the gap between RIM's and Apple's software is narrowing. iOS 6 on its most restricted settings, perhaps enforced by third-party tools, is now considered a viable option for sensitive emails, at least.

Full device encryption; remote-wiping capabilities so data can be purged from lost or stolen devices; rock-solid separation of software into sandboxes; an operating system free of security holes; and locking down apps to prevent users from installing leaky apps are key features in any mobile OS to make it suitable for use in either government or large enterprises.

The government is also reportedly considering whether to open up the option of using smartphones running either Android or Windows Mobile to handle sensitive information. This fits with the wider bring-your-own-device trend that IT managers in corporates have been grappling with for some months. Corporate security managers we've spoken to tend to accept the need to support email and calendar functions on users' own smartphones, tablets or laptops. Instant-messaging apps can sometimes fall into this category.

However, corporates are far more reluctant when it comes to opening up sales, enterprise resource planning and supply-chain applications to phones they don't own.

Rik Ferguson, director of research at net security firm Trend Micro, told El Reg that the quality of the mobile device management features bundled with iOS is approaching the sophistication of security features built into BlackBerry's technology, which hasn't been updated for some months.

Although iOS started off as a consumer technology, it is now possible to turn off features such as iCloud backups, which would be a concern for any enterprise worried about keeping control of sensitive information in its own hands. It's also possible to disable applications like Siri and prevent the installation of new unapproved apps, among other features explained in greater depth in a security guide from Apple.

Trend Micro's audit of mobile OS security earlier this year found BlackBerry to be the most secure, followed by iOS, Windows Mobile and Android.

Android is moving towards offering enterprise-friendly security features but is further back on this path than iOS. For example, Android only recently supported full device encryption. "iOS is a tight ship and closed but with Android there's no uniformity," according to Ferguson.

Windows Phone is "unproven" while the multiplicity of different versions of Android means that any government accreditation would be for a specific version of the OS on a specific smartphone, according to Ferguson. ®
