The Defence Signals Directorate (DSD) has released a guide (PDF) for government iOS users and administrators that sets down a raft of measures to shore up the security of the Apple platform, while saying that iDevices like iPhone and iPad still aren't suitable for handling information classified above "In-Confidence".
"At this time, DSD does not recommend iOS for use at the PROTECTED/RESTRICTED level. This guide is intended for use at UNCLASSIFIED and UNCLASSIFIED IN-CONFIDENCE," it said in the iOS Hardening guide.
"Agencies choosing to use iOS devices for RESTRICTED/PROTECTED information must obtain a dispensation in accordance with the Australian Government Information Security Manual."
The guide sets out the policies and procedures agencies should have in place for users at different clearance levels, and targets devices running iOS 4.3.3. It includes a checklist for the secure deployment and ongoing management of iOS devices, right down to infrastructure and audit requirements.
Security measures recommended by the DSD to strengthen network-based communications to and from an iOS device include:
- Using SSL to encrypt "any traffic that has sensitive data on it"
- Implementing a virtual private network (VPN) for "more general internet access"
- Protecting Wi-Fi networks with a minimum of EAP-TLS level security
- Working with telcos to develop and implement a custom Access Point Name (APN) to "compartmentalise 3G data traffic to defined security domains".
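The Wi-Fi item above, as an added illustration that is not taken from the DSD guide or from Apple: an iOS configuration profile (.mobileconfig) fragment that enforces EAP-TLS on an agency Wi-Fi network and pins the RADIUS server's identity. The payload keys follow Apple's configuration profile reference as I recall it; the SSID, server name, payload identifiers and UUIDs are placeholders, and the PKCS#12 identity payload and CA certificate payload they reference are assumed to exist elsewhere in the same profile.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <!-- Wi-Fi payload: WPA-Enterprise with EAP-TLS (EAP type 13) as the only accepted method. -->
    <dict>
      <key>PayloadType</key>
      <string>com.apple.wifi.managed</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>PayloadIdentifier</key>
      <string>au.gov.example.wifi</string> <!-- placeholder identifier -->
      <key>PayloadUUID</key>
      <string>11111111-1111-1111-1111-111111111111</string> <!-- placeholder UUID -->
      <key>PayloadDisplayName</key>
      <string>Agency Wi-Fi (EAP-TLS)</string>
      <key>SSID_STR</key>
      <string>AGENCY-SECURE</string> <!-- placeholder SSID -->
      <key>HIDDEN_NETWORK</key>
      <false/>
      <key>AutoJoin</key>
      <true/>
      <key>EncryptionType</key>
      <string>WPA</string>
      <!-- Client identity: UUID of a separate com.apple.security.pkcs12 payload
           carrying the user's certificate and private key (assumed, not shown here). -->
      <key>PayloadCertificateUUID</key>
      <string>22222222-2222-2222-2222-222222222222</string>
      <key>EAPClientConfiguration</key>
      <dict>
        <!-- 13 = EAP-TLS. Listing only this type stops the device negotiating
             down to a password-based method such as PEAP (25) or TTLS (21). -->
        <key>AcceptEAPTypes</key>
        <array>
          <integer>13</integer>
        </array>
        <!-- Accept only RADIUS servers whose certificate matches these names and
             chains to the listed CA payload, and do not let the user click through
             an untrusted certificate. Without these, a rogue access point presenting
             its own certificate can proxy the EAP exchange. -->
        <key>TLSTrustedServerNames</key>
        <array>
          <string>radius.agency.example</string> <!-- placeholder server name -->
        </array>
        <key>TLSTrustedCertificates</key>
        <array>
          <string>33333333-3333-3333-3333-333333333333</string> <!-- UUID of the CA certificate payload (assumed) -->
        </array>
        <key>TLSAllowTrustExceptions</key>
        <false/>
      </dict>
    </dict>
  </array>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadIdentifier</key>
  <string>au.gov.example.profile</string> <!-- placeholder identifier -->
  <key>PayloadUUID</key>
  <string>44444444-4444-4444-4444-444444444444</string> <!-- placeholder UUID -->
  <key>PayloadDisplayName</key>
  <string>Agency iOS hardening (example)</string>
</dict>
</plist>
```

The two settings that do the security work are AcceptEAPTypes restricted to 13 and TLSAllowTrustExceptions set to false: the first rules out weaker password-based EAP methods, and the second removes the "trust this certificate?" prompt that a user would otherwise be able to accept on a rogue access point. Install such a profile through an MDM server or signed distribution rather than by e-mail, so the user cannot be socially engineered into installing a lookalike.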
The iOS security guide also notes that voice and SMS communications over GSM networks are less secure than data traffic over trusted connections, and advises government staff to treat them accordingly.
"GSM voice and SMS networks have a number of security weaknesses where the security or authenticity of a voice or SMS communication cannot always be ensured, due to both 'Man-in-the-Middle' attacks and the variation in the security features implemented by carriers," the guide said.
"As such, voice and SMS communication should generally be considered less secure than methods that implement a chain of trust back into a user's own agency such as SSL tunnelled email."
The hardening guide released by the DSD comes ahead of an official decision over the security certification of iOS.
John Sheridan, first assistant secretary of the Australian Government Information Management Office, told a Senate Estimates committee in February that the DSD hadn't yet certified Apple's mobile operating system for use with private wireless networks that handle material of national security.
Sheridan said in a tweet on Friday, however, that an official evaluation of iOS by the DSD is set to be completed by September.