November 24, 2008 by brian
Could someone acquire your corporate data by accessing iPhone backup data that resides on a user’s computer?
This question came up during a discussion a few days ago and I felt compelled to find the answer. Apple included the ability to remotely wipe an iPhone when they released version 2.0 with Exchange support. They also gave the ability to force the use of a passcode lock. But does that mean your corporate data is secure?
Each time a user syncs their iPhone with iTunes, the contents of the device are backed up onto their computer’s hard drive, in which your employer’s IT department has no control over. This means that someone could potentially obtain this data from their computer, which may not be password protected, encrypted, or have basic security controls like patch compliance or a firewall.
I wanted to dig into the backed up content to see what was hidden there for an “attacker” to find. I used a tool called the iPhone Backup Extractor. It allows you to extract the backup data for specific iPhone applications. For this topic, I was only interested in the Mail and Calendar apps, since that’s all I sync with my employer’s Exchange server. The data for the default Apple applications was all located under the application “Other”. To my surprise there was no information stored in the Mail folder other than some configuration information. This, at least, is excellent news.
However, inside the Calender folder I found a SQLite database file. I simply opened it up with a text editor to see what was easily visible. Right away I noticed information that was obviously from appointments on my work calendar. Since I only used a text editor, I was unable to determine if any attachments were included in the backup.
It appears that the answer to the question above is yes, however this would depend if there is any sensitive information in the synced calendar (and potentially contacts, since I didn’t evaluate it). One problem here is that in the event of a lost or compromised personal computer, the employer’s IT department probably wouldn’t be informed, and would have a hard time determining what was in the backup.