Random Thoughts – Randosity!

Rant Time: Apple iPhone, MS Exchange and Security Policies

Posted in Apple, best practices, botch by commorancy on August 7, 2017

If you’re like me, you like to use your phone as your catch-all email reader, including for your company email. Many corporate email solutions choose MS Exchange and/or Office 365 for their mail services. This article is here to inform you exactly what can happen to your iPhone when you connect it to Exchange to access your corporate email. Apple has slipped this feature set in under the radar and, worse, doesn’t inform the users or request consent. Let’s explore.

Overreaching Policies and Exchange

I’ve never been one to think that Apple isn’t transparent about its technologies, but in this case, I think I have to make an exception. Apple slipped this technology change in without so much as an eye-blink. What is this change, you’re now wondering? Well, I’ll tell you.

If you connect your iOS device (iPhone, iPad, iPod Touch, etc.) to an Exchange ActiveSync mail server, the systems administrator operating that Exchange server can muck about with settings on your entire device. What mucking about can they do? Well, here’s a short list:

  • They can wipe your entire device through a single Exchange server request
  • They can change system settings on your device to prevent using certain functions on iOS, such as disabling the ability to turn off passcodes or modifying other settings on your operating system, possibly even up to disabling iCloud entirely.
  • They can deny connection to the service if your device is set with an insecure setup or jailbroken
  • There are many other security policies they can apply to your device without your knowledge or consent.

Now, I can hear the Exchange Admins all over the world groaning right now. Well, the jig is up. You’ve had your fun for far too long. Unless the company is paying not only for the device, but for the service on the device, these changes are WAY WAY overreaching for the simple act of reading email. The only thing Exchange should be able to do is wipe the mail data left over from that Exchange server. It should not be able to set or change security settings on the entire device. Additionally, users should be able to grant or deny such overreaching settings coming from Exchange. Operating systems have had this feature for years… requesting the root password to make such sweeping changes. The same should be available on the iPhone (or any mobile device).

Mail Service Connectors modifying OS settings?

This was my question… why is this possible?

That the Exchange Service can make these global operating system changes to an iPhone is a way overreaching and abusive use of mail services. Mail applications (or any app for that matter) should NEVER be able to muck about with operating system settings at that level any more than a browser can. This is not only a security risk in itself, it leaves iOS devices open to security vulnerabilities because the mail app could become compromised and used to nefariously mess up iOS. Worse, if there are two or more Exchange Server connections to the mail app, which one rules when policies are applied? They both can’t apply differing security settings and expect them both to work properly.

Of course, the biggest problem is wiping your device. There should be no possible way a mail application should be capable of instantiating a wipe command ever. This is an amazing intentionally introduced vulnerability that I’m surprised to find exists in this day and age. Mail applications should never have this level of access to any device. In fact, the only allowed wiping should be done by the user of the device through a service such as Find My iPhone behind the user’s iCloud login and password and in no other place. I’m sorry… if corporate admins want to be able to wipe lost devices, they should do it through another method… not through the Exchange mail service protocol. Mail services should be for mail services, not for pushing extraneous other functions. This was never the purpose of a mail server and this should never be possible through a mail server connection. It should also not be possible without the user’s prior knowledge or consent.

Devices and Settings

Apple needs to quickly obsolete and remove this capability from the mail app. This was an unnecessarily overreaching decision that has no place on iOS. If corporate admins wish to apply corporate policy to devices, then whatever protocol makes this change needs to inform the user of each and every policy change that will be applied to the device and let the iPhone user make the choice of whether or not to accept those policy changes. If the corporate admins want to make global policy changes to iOS, it should be through an entirely different application and system.

Perhaps Apple needs to roll out a separate application and service that allows corporate admins to make these sweeping changes to iOS: changes that inform the user, that the user can track through this new app, and that the user can opt out of if they wish. Right now, the only way to remove the applied global settings is to remove the Exchange connector from iOS. Even then, some of the applied settings may remain set and may require a wipe and restore to clear.

Unfortunately today, Exchange can silently push policies to your device up to and including wiping your device. When I say, “wipe the device”, I mean wipe it entirely. Yes, that means data and settings lost in an unrecoverable way. The data lost does include your photos, notes and any other personal information. This means that by connecting Exchange to the built-in Mail app, you’ve given your corporate admins control over your device simply for the convenience of reading email.

How can I protect my iPhone?

Don’t use any Exchange servers with the built-in Mail app on iOS. Instead, if you need access to Exchange email, install the Outlook app, which is available on the App Store. The Outlook app does not have access to modify any system settings and cannot wipe your entire phone, just as it should be. However, the Exchange server can wipe email data from inside Outlook. I’m perfectly fine with that. As long as Exchange’s modifications remain contained inside the Outlook app alone, that’s perfectly acceptable.

No mail server connection should ever be able to modify an iPhone’s global system settings in such a blatant and sweeping way. Apple, you need to fix this issue pronto. If you want to allow policy changes over the entire phone, then design and build a policy application with an API. Then, like Facebook apps, request the user to approve access to this API for any application that needs to use it and require connection to the iCloud login and password to activate it. Also, allow the user to revoke access to the API and undo all policy changes at any time. Once connected, offer an app with a UI to allow the iPhone user to see what settings are being altered on the phone. Also through this app, allow the iPhone owner to make changes (when possible) to these policy grants on the device. If those changes are incompatible with a specific service’s policies, then notify the user that that service will be removed from the device if changes are made.
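As an added illustration (not Apple’s, Microsoft’s, or this post’s own code), here is a small Python model of the consent-gated policy API proposed above. It also answers the earlier question of which server “rules” when two Exchange accounts push differing policies. The setting names, the account names, and the `propose_policy` / `clear_own_mail_data` capabilities are hypothetical. A mail connector can only propose policies and clear its own mail data; nothing is applied until the owner approves; where two grants disagree the stricter value wins and the conflict is reported to the owner; revoking a grant restores the owner’s previous settings; and a device wipe is not a capability a connector can even request.

```python
"""Toy model of a consent-gated device policy API (hypothetical design).

Not Apple's, Microsoft's or Exchange's code: a mail connector may only
*propose* device policies; nothing applies until the device owner approves,
a connector can never request a device wipe, the owner's settings are
snapshotted so that revoking a grant restores them, and when two connectors
propose differing values the stricter one wins and the clash is reported.
"""
from dataclasses import dataclass, field

# Device-wide settings that the post says Exchange can change silently.
# "bool" settings are stricter when True; "min" settings are numeric floors.
SETTINGS = {
    "passcode_required": ("bool", False),
    "min_passcode_length": ("min", 0),
    "icloud_disabled": ("bool", False),
}

# Everything a mail connector is allowed to do.  Wiping the whole device is
# deliberately absent: a connector may only clear its own mail data.
CONNECTOR_SCOPE = {"propose_policy", "clear_own_mail_data"}


class ScopeError(PermissionError):
    """Raised when a connector asks for something outside CONNECTOR_SCOPE."""


@dataclass
class Device:
    settings: dict = field(
        default_factory=lambda: {k: d for k, (_, d) in SETTINGS.items()})
    pending: dict = field(default_factory=dict)    # account -> proposed policy
    granted: dict = field(default_factory=dict)    # account -> approved policy
    baseline: dict = field(default_factory=dict)   # owner's values before any grant
    mail_data: dict = field(default_factory=dict)  # account -> has local mail?

    def connector_request(self, account, action, policy=None):
        """Entry point for a mail connector; enforces least privilege."""
        if action not in CONNECTOR_SCOPE:
            raise ScopeError(f"{account}: mail connectors may not '{action}'")
        if action == "clear_own_mail_data":
            self.mail_data[account] = False      # only that account's mail
            return
        unknown = set(policy) - set(SETTINGS)
        if unknown:
            raise ScopeError(f"{account}: unknown settings {sorted(unknown)}")
        self.pending[account] = dict(policy)     # queued for consent, not applied

    def owner_decides(self, account, approve):
        """The owner sees the proposed policy and accepts or rejects it."""
        policy = self.pending.pop(account)
        if approve:
            if not self.baseline:                # snapshot owner's values once
                self.baseline = dict(self.settings)
            self.granted[account] = policy
        self._recompute()
        return approve

    def revoke(self, account):
        """Owner withdraws a grant; settings are rebuilt from the baseline."""
        self.granted.pop(account, None)
        self._recompute()

    def _recompute(self):
        # Start from the owner's baseline, then merge every granted policy with
        # stricter-wins so two accounts can't silently override each other.
        merged = dict(self.baseline or self.settings)
        for policy in self.granted.values():
            for key, value in policy.items():
                kind, _ = SETTINGS[key]
                if kind == "bool":
                    merged[key] = merged[key] or value
                else:
                    merged[key] = max(merged[key], value)
        self.settings = merged
        if not self.granted:                     # last grant gone: fully restored
            self.baseline = {}

    def conflicts(self):
        """Settings on which granted accounts disagree (the owner should be told)."""
        out = {}
        for key in SETTINGS:
            vals = {a: p[key] for a, p in self.granted.items() if key in p}
            if len(set(vals.values())) > 1:
                out[key] = vals
        return out


if __name__ == "__main__":
    # Constructed walk-through with two hypothetical Exchange accounts.
    dev = Device()
    dev.connector_request("work", "propose_policy",
                          {"passcode_required": True, "min_passcode_length": 6})
    dev.owner_decides("work", True)
    dev.connector_request("contractor", "propose_policy",
                          {"min_passcode_length": 4, "icloud_disabled": True})
    dev.owner_decides("contractor", True)
    print("merged settings:", dev.settings)
    print("conflicts shown to owner:", dev.conflicts())
    dev.revoke("contractor")
    dev.revoke("work")
    print("after revoking everything:", dev.settings)
```

The design choice worth noting is that the wipe never appears in the connector’s scope at all, so there is nothing to approve or revoke; the owner-only path (such as Find My iPhone behind the iCloud login) would live in a separate, owner-authenticated component outside this class.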

Few companies pay for phones today and instead leech off of employees who pay for their own phones and services. If the company is paying for the phone and service, then they can do whatever they want with it. If I’m paying for the phone and monthly service, then it’s my decision what happens on the device. Granting access to email should never let any mail service take control over my device in such a vulnerable way, especially when I never consented to giving that level of access.
