Organisations are starting to take the iPhone and iPad seriously as business tools. I’m sure that part of this growing confidence is down to the Apple sandbox environment these devices run within that generally keeps them stable and secure. Tools to jailbreak these devices have been around for a while, however they’ve always relied on the user intentionally running a program that breaks them out of the sandbox over a USB connection.

As long as the USB jailbreaking tool is downloaded from a ‘reputable’ site, this process is relatively safe (i.e. unlikely to be silently installing malicious software) and not something that could be done accidentally. However, anyone could take this recently discovered Mobile Safari exploit, host it on their own website and use email to entice unsuspecting users to visit.

I’m picking on the iPhone here as it is in the news – which is slightly unfair. The situation is the same for almost every other operating system. However something like the iPhone that doesn’t allow you to install 3rd party security software could probably benefit from protection against web threats at the corporate Internet gateway. This is fine when users are inside your environment on your wireless LAN but how about over 3G?

iOS4 introduces SSL VPN support. If we can force iPhones to establish an SSL VPN back to the data centre whenever they are outside of our environment – and force them through a web security gateway in the data centre when accessing the Internet – we may be able to mitigate a lot of the risk. As long as the SSL VPN client supports web authentication (such as BT Openzone, The Cloud etc), I don’t see it being a major support headache. All it would then take is a web security policy that blocks any known bad or uncategorised (grey) websites.

Cisco’s AnyConnect Secure Mobility can do this for Windows Mobile, XP, Vista, 7, Mac OS 10.5+ and Linux right now. They have a solution being developed for the iPhone (watch this space for updates).

In the meantime, while Apple is working on a fix for the Mobile Safari exploit, you may be interested to know about a temporary work around. Unfortunately (and rather ironically), this workaround requires you to jailbreak your device. A developer has released an application called ‘PDF loading warner’ that will prompt you in Mobile Safari should a site attempt to load a PDF. If you’ve not asked it to load a trusted PDF – you should answer ‘NO’ and you’ll be safe.

However, in terms of using this as a way to protect your average corporate iPhone user… we all know how successful relying on users clicking the right button is as a form of security…

UPDATE: Although Apple have now closed this hole with an OS update, from my perspective, the need to protect corporate smart phones from web threats still exists. We are still waiting for the iPhone version of Cisco AnyConnect SSL VPN. I understand from my sources that it’ll be out soon now that iOS 4.1 has been released.