Interesting People mailing list archives

iPhone and MobileMe syncing and encryption?


From: David Farber <dave () farber net>
Date: Mon, 28 Jul 2008 15:56:03 -0700

MobileMe is, in my opinion, a work just starting. It is buggy and restrictive. It seemed to be conceived to service
simple users with just one computer. Lots of problems using it. They even screwed up the Exchange mechanisms, at least
for me.

djf

________________________________________
From: Glenn Tenney CISSP CISM [gt-ip080725 () think org]
Sent: Monday, July 28, 2008 5:31 PM
To: David Farber
Subject: iPhone and MobileMe syncing and encryption?

( for the IP list as you wish )

Before enabling syncing of calendar, contacts, and other data through
MobileMe I'm trying to find an answer to the question:

  What data is, or is not, encrypted over the Net when syncing your
  calendar, contacts, email, or other application data between your
  desktop and iPhone through MobileMe.

I've not been able to find anything completely definitive on Apple's
web sites.  I asked the Apple Support staff on the phone line, and
someone at a Genius bar and they didn't know either.  For email,
setting up an account on an iPhone allows an SSL setting for incoming
mail only, not outgoing mail.  The only other thing that I CAN find is
that when using Exchange ActiveSync, SSL (and an enterprise
certificate on your iPhone) is used for syncing to a corporate
Exchange system (although, the Apple setup guide kb/HT2480 says "If
it cannot do this, it will try a non-SSL connection.")

So I did some simple tests:

1) With a browser going to http://www.me.com logging in uses https,
but after that, everything is strictly http -- unencrypted and in the
clear... looking at your email, contacts, calendar, or even your
iDisk.  Trying to use https with me.com gives a page not found error.

2) Capturing packets with tcpdump while using iDisk on a Mac indicates
that this uses http as well.  tcpdump clearly shows the contents of
files accessed from my iDisk being sent in the clear.

So, it would seem that syncing data to/from MobileMe and an iPhone, or
even with iDisk is being sent in the clear over the Net.  Is enabling
encryption an option that wasn't obvious?  Or is encryption not even
an option?

What about applications that sync their data through MobileMe that are
not calendar / contacts (e.g. OmniFocus) -- is that data sent in the
clear too?

Exchange ActiveSync on an iPhone might raise an interesting
question...  When an iPhone user wants to sync both Exchange and iCal
contacts / calendars, this is only supported if you choose to sync your
iCal through MobileMe and NOT through plugging in your iPhone via USB
to iTunes. The interesting question is: is there any syncing through
MobileMe of your Exchange contacts / calendars which would then put
that data in the clear?

Where on Apple's web site is there a description of what is and what
is not encrypted when using MobileMe?  If, as it seems from these
brief observations, synced data is being sent in the clear, shouldn't
Apple be advising iPhone users about this?

I really am trying to find out what IS being encrypted here... to
decide whether or how to sync data to my iPhone.

Thanks

--
Glenn Tenney CISSP CISM
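
An added example, not part of the original message: one way to repeat the packet-capture observation above is to classify each captured TCP payload by its leading bytes, separating TLS records from readable HTTP, and to list the requests an on-path observer could read. The payloads, hostnames and paths below are constructed placeholders, not data from MobileMe.

```python
import re

# Constructed sample: (destination port, first bytes of TCP payload) pairs,
# standing in for payloads pulled from a packet capture. Hostnames are placeholders.
SAMPLE_PAYLOADS = [
    (443, bytes.fromhex("160301004a0100004603014890")),   # start of a TLS ClientHello
    (80, b"GET /mail/inbox HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    (80, b"PUT /idisk/Documents/notes.txt HTTP/1.1\r\nHost: idisk.example.test\r\n"
         b"Content-Length: 11\r\n\r\nhello world"),
    (80, b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nfile body"),
    (443, bytes.fromhex("1703010020aabbccdd")),           # TLS application data record
]

REQUEST_LINE = re.compile(rb"^([A-Z]{3,10}) (\S+) HTTP/1\.[01]\r?\n")
HOST_HEADER = re.compile(rb"\r?\nHost:[ \t]*([^\r\n]+)", re.IGNORECASE)


def classify(payload):
    """Return 'tls', 'http-request', 'http-response' or 'unknown' from leading bytes."""
    # TLS record header: content type 20-23, major version 3, minor version 0-4.
    if len(payload) >= 5 and 20 <= payload[0] <= 23 and payload[1] == 3 and payload[2] <= 4:
        return "tls"
    if REQUEST_LINE.match(payload):
        return "http-request"
    if payload.startswith(b"HTTP/1."):
        return "http-response"
    return "unknown"


def cleartext_report(payloads):
    """Return (counts per class, readable requests as (port, method, host, path))."""
    counts, exposed = {}, []
    for port, data in payloads:
        kind = classify(data)
        counts[kind] = counts.get(kind, 0) + 1
        if kind == "http-request":
            method, path = REQUEST_LINE.match(data).groups()
            host = HOST_HEADER.search(data)
            host_name = host.group(1).decode() if host else "?"
            exposed.append((port, method.decode(), host_name, path.decode()))
    return counts, exposed


if __name__ == "__main__":
    counts, exposed = cleartext_report(SAMPLE_PAYLOADS)
    print(counts)
    for row in exposed:
        print("cleartext:", *row)
```

Any row in the second result is a request whose method, host, path and body were visible on the wire; a session that is encrypted end to end yields only `tls` entries after the TCP handshake.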


