Apple’s MobileMe Fails Security 101?
There are reports that Apple is using poor security in Apple’s not-ready-for-primetime MobileMe email and file storage service. MobileMe was billed by Apple as a Microsoft Exchange server email account “for the rest of us.” One of the best features of an Exchange server is its use of Secure Sockets Layer (SSL) 128-bit encryption. In a nutshell, SSL is considered a secure, open standard to protect data in motion over the Internet.
An Exchange server can be configured to use SSL for both the username/password combo and the user’s actual data. This means that users of a properly-configured Exchange server and computer can use email, contacts, calendars, notes, memos, and tasks in airports, cafés, cell connections, and other out-of-the-office locations, and not have their data exposed to the world.
Over at Apple, they don’t seem to think that SSL is important for MobileMe users. The reports are that Apple is using an Apple-created proprietary encryption method. If this is true, that’s not good, since proprietary encryption has not been validated by the information security community to be sound. Any security pro worth his salt knows to run, not walk, when a vendor offers proprietary encryption.
To make matters worse, it appears Apple is only encrypting the username/password combo with this special encryption solution, not the user’s data.
There have been many reports of the poor reliability of MobileMe. Now, if these new reports are true, there may be poor data confidentiality and data integrity for MobileMe users.
Email is the most important internet application for most people today. Many business people use email as their digital file cabinet. For $99/year, MobileMe does not look like a smart file cabinet, nor an alternative to a well-configured Exchange account.
You can find more technical details on the Benlog blog.