Home > iPhone Apps, iPhone Espionage > Breaking Enterprise iPhone Application Security ?

Breaking Enterprise iPhone Application Security ?

There are a couple of enterprise iPhone applications out there that promises over the air and device encryption. (e.g. MS Exchange email sandbox apps).

However, there is a fundamental issue. Some of these iPhone applications are built upon the iOS frameworks like UIViewController which provides the layout of the applications.

It is possible to hook onto these classes on a jailbroken iPhone to perform screen captures of confidential emails in your so called sandbox applications. When used together with a iPhone keyboard logger (https://github.com/milo2012/iPhone-Espionage/tree/master/kbhook2) which hooks on the UIKeyboardImpl class and captures all keystrokes that you have entered, including any passwords.

In this case, if your jailbroken device is compromised, there is only so much you can do even if you are using an iPhone application that provides encryption or security.

Should you allow jailbroken iPhones in your organization?

Should your enterprise application detect if the device is a jailbroken iPhone and exit the application if a jailbroken iPhone is detected ?

Please let me know what you think.

Source code can be found at the below link
https://github.com/milo2012/iPhone-Espionage/tree/master/demoScreenCapture1

About these ads
  1. Anton
    October 19, 2011 at 7:20 am | #1

    I don’t think jailbroken phone is the problem. It’s just like an administrative access on your workstation. Will you be more secure without it? Probably yes. Will it solve all security issues? No, not really. You still need to compromise it. The biggest problem for the an attacker is to get access to the phone. Privilege escalation (getting root) is much easier and it’s almost guaranteed job.
    From a user point (not only iPhone, Android as well) of view, he might want to have administrative privileges. As an example, people may want to have application firewall (droidwall) which requires root access.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

%d bloggers like this: