The Defence Signals Directorate has released hardening guidelines for Apple iOS 4 devices as part of its assessments of the operating system.
The DSD has not yet authorised iOS devices for agencies classified as Restricted/Protected and expects to complete its evaluation by September this year.
It has recommended or mandated, according to classification level, that agencies adopting an iPhone or iPad use cryptography and application whitelists, prevent synchronisation to iTunes, and dump the MobileMe application.
Only unclassified agency staff can speak over GSM or use SMS and MMS. VoIP is also out because solutions have not yet been approved by US communications agency Sectera.
External email must also be blocked from hitting the inboxes of iOS devices unless it complies with security policies.
Protected and restricted agencies should also use Mobile Device Management (MDM), use a dedicated mail container, Virtual Desktop Infrastructure, or two-factor authentication with Exchange ActiveSync.
Passwords must be complex, longer than eight characters, and set on all devices to expire no later than three months. Devices should autolock after five minutes and autowipe after five incorrect password attempts.
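One way to check whether a deployed iOS configuration profile actually enforces the passcode settings above, as an added example that is not part of the DSD guide: the checker reads the profile's passcode payload (Apple's com.apple.mobiledevice.passwordpolicy keys) and reports every rule it fails, treating "three months" as 90 days. The sample profile is constructed for the example and deliberately leaves three settings too weak.

```python
import plistlib

# Constructed sample profile (not from the DSD guide). The passcode payload uses
# Apple's com.apple.mobiledevice.passwordpolicy keys; three settings are too weak.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
      <key>allowSimple</key><true/>
      <key>requireAlphanumeric</key><true/>
      <key>minLength</key><integer>8</integer>
      <key>maxPINAgeInDays</key><integer>90</integer>
      <key>maxInactivity</key><integer>5</integer>
      <key>maxFailedAttempts</key><integer>10</integer>
    </dict>
  </array>
</dict>
</plist>
"""

def passcode_findings(profile_bytes):
    """Return the passcode rules from the guide that the profile fails (empty list = compliant)."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.mobiledevice.passwordpolicy"]
    if not payloads:
        return ["no passcode payload present"]
    p = payloads[0]
    findings = []
    # Complex passcode: no simple (repeating or sequential) values, letters and digits required.
    if p.get("allowSimple", True):
        findings.append("allowSimple must be false")
    if not p.get("requireAlphanumeric", False):
        findings.append("requireAlphanumeric must be true")
    if p.get("minLength", 0) <= 8:  # more than eight characters
        findings.append("minLength must exceed 8")
    # Expire no later than three months (90 days); 0 or absent means the passcode never expires.
    if not 0 < p.get("maxPINAgeInDays", 0) <= 90:
        findings.append("maxPINAgeInDays must be 1..90")
    # Autolock after at most five minutes of inactivity (the key is in minutes).
    if not 0 < p.get("maxInactivity", 0) <= 5:
        findings.append("maxInactivity must be 1..5 minutes")
    # Wipe after at most five failed attempts; 0 or absent disables the wipe.
    if not 0 < p.get("maxFailedAttempts", 0) <= 5:
        findings.append("maxFailedAttempts must be 1..5")
    return findings
```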
The agency also recommended per-user RADIUS or 802.1X authentication with a device identity certificate plus username and password, over WPA2.
Cisco's IPsec was the only VPN to be recommended at the time the document was issued.
The guide, available here, also points out a series of risks that cannot be addressed by technical solutions, including:
- iOS devices implement DACA and DACP, but have not completed a DCE. This is a residual risk for data at the Restricted and Protected classifications. The submission of iOS devices for FIPS-140-2 certification is a partial mitigation, but not a substitution for a DCE.
- iOS 4.3.3 does not have a local firewall. This is partially mitigated by firewalling at the network layer, and significantly mitigated by the sandboxed runtime environment in iOS.
- iOS 4.3.3 allows the user to deliberately connect to an untrusted Wi-Fi network. Note that iOS devices will not autoconnect to any unknown Wi-Fi network. The only mitigations available at this time are pre-configured settings, user education and AUP.
- iOS 4.3.3 allows the user to deliberately enable or disable the radios in the device - there is no method for a configuration profile to force a radio off. The only mitigations available at this time are user education, AUP or hardware modification (the latter being permanent and voiding the warranty).
- iOS 4.3.3 has no “always-on” setting for VPN. It is either manually initiated, or on demand based on a whitelist. Options to mitigate this for PIM data (if EAS and/or VPN on demand are assessed as insufficient mitigations) include using a 3rd party PIM solution such as Good Enterprise or Sybase Afaria, filtering at the EAS, or using an approved VDI solution to access sensitive data. For web site access, an SSL reverse proxy may be more suitable than VPN in some scenarios.