I don’t think any of us [developers] have seen encryption implemented so poorly before, which is why it’s hard to describe why it’s such a big threat to security.
It is kind of like storing all your secret messages right next to the secret decoder ring.
Apple also claimed that the new iPhone 3GS is more enterprise friendly. On the contrary, according to Zdziarski, the iPhone 3GS encryption fails to protect sensitive information such as credit card numbers and social-security digits. In fact, it is just as easy to illegally access private information as it was on the iPhone 3G or the iPhone, neither of which featured encryption. Live data can be extracted in barely two minutes, while a complete raw disk image can be made in about 45 minutes.
To steal an iPhone’s disk image, hackers can use popular jailbreaking tools such as Red Sn0w and Purple Ra1n to install a custom kernel on the phone. Then, the thief can install a Secure Shell (SSH) client to copy the iPhone’s raw disk image across SSH onto a computer.
Zdziarski also added that it’s all up to the app developers to add security to their apps, because the encryption is of no help here:
If they’re relying on Apple’s security, then their application is going to be terribly insecure. Apple may be technically correct that [the iPhone 3GS] has an encryption piece in it, but it’s entirely useless toward security.
With so many security issues highlighted and so many criticisms, it’s a blow to Apple!
Will this harm the image of Apple? Will its users stop trusting it? Will you stop trusting Apple?
Lance Kidd, chief information officer of the Halton company, said:
…Our culture is such that our general manager is saying, ‘I’m willing to take the risk for the value of the applications.’
Are YOU willing to take this risk?
Do the fancy apps of the iPhone matter to you more than the security of your personal information?