Thu, 21 Aug 2008 Apple's MobileMe lacks key security feature

How secure is Apple's push data for MobileMe? Not very, it seems...

Nancy Gohring

Users of Apple's MobileMe have already discovered that the £59-per-year service is sometimes slow and unreliable, and they're now talking about another shortcoming that was intentional.

MobileMe allows users to synchronize email, calendar and contact information among various devices over the internet. Although the log-in process for MobileMe is encrypted, Apple does not encrypt data that users send from browsers through MobileMe. The lack of SSL (Secure Sockets Layer) or any other form of encryption means that if a MobileMe user is connected to the internet via a WiFi hotspot, someone else connected to the same hotspot could relatively easily see all the data that the MobileMe user sends.

"Seems like a pretty major omission for a service that's specifically aimed at roaming users," wrote a person called ShepUK on the Macrumors forum. He called the lack of SSL encryption a deal breaker for him.

Free web mail offerings from Yahoo and Microsoft also don't encrypt data that users send, though Google's free Gmail does offer an SSL encryption option. However, MobileMe has more features for transferring data over the web than do those services.

Because customers must pay to use MobileMe, some people think it ought to have this basic security feature. "MobileMe is suppose to be Microsoft Exchange for the rest of us. But Microsoft Exchange does things in a secure manner," wrote a commenter using the name James Katt in a blog postM about the SSL issue. "As it is, if you run a business using your Mac, then you cannot use MobileMe because it transmits data insecurely."

Still, while security professionals say Apple should offer an SSL option, they don't suggest that this is a major problem. "I wouldn't say that it's a critical issue or something that's a reason not to use the service, but it's definitely something that should be addressed," said Noam Rathaus, CTO of Beyond Security, a company that offers products for discovering security issues in servers, computers and networks. He briefly examined the way MobileMe works and said it does appear that transmissions aren't encrypted.

Apple has not replied to a request for comment.

The setup could open the door to potentially serious situations in which an onlooker could learn passwords used by a MobileMe customer if the user requested a lost or forgotten password to be sent via email.

If MobileMe users are concerned about the security of information, they may want to use another mail mechanism to send sensitive messages, said Wolfgang Kandek, chief technical officer for Qualys, a provider of vulnerability-management and policy-compliance products. VPN (virtual private network) connections could protect users, but some enterprises set up VPNs to protect access only to corporate servers and not to Internet sites. In that case, a VPN wouldn't protect a user of MobileMe, he said.

RSS
Digg

Email A Friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Permalink This Article

This articles permalink is:
http://www.macworld.co.uk/digitallifestyle/news/index.cfm?newsid=22501

<<prev article | back to news index | next article>>

Question of the day!

Mark Hattersley
Editor in Chief

Do you use Adobe Photoshop with a Wacom tablet?

Question of the day!

Do you use Adobe Photoshop with a Wacom tablet?

% of Macworld readers agree with you

Yes

TBC

How does a Wacom tablet improve the Photoshop experience?

Follow the conversation at @TabletChat

paintings & illustrations, mostly, which i upload to flickr.RT @fragmentedm

I draw manga/anime characters. I also do graphic design and photography.RT @spialelo

Yes. I usually put them up on my #deviantart account for feedback on how to improve.RT @spialelo

Comments received

Frank Devine said on Thu, 21 Aug 2008

If a well known and well respected industry expert like "ShepUK on the Macrumors forum" said it, it must be good solid information. I mean the world will be hanging on his every word.

BTW NedUSA on the Grapevine forum said world famine is imminent. No doubt you'll want to let your readers know so they start stocking provisions.

Whatever happened to experienced professional reporters with reliable sources?

Jon T said on Thu, 21 Aug 2008

This site has become a joke.

Why not just employ Rob Enderle and be done with it.

Over and out Macworld.

Me_is_a_joke said on Thu, 21 Aug 2008

"Free web mail offerings from Yahoo and Microsoft also don't encrypt data that users send,..."

How can you compare mobileme with e.g. yahoo? Mobileme is not free. The German Web.de is free and encrypt data that users send...

Mike said on Thu, 21 Aug 2008

@Frank: they just quote him and I agree - it's an issue. And it was already reported years ago - iDisk sync is also unencrypted.

Yes, we pay for it, so it should offer that feature. But as I said above, they know that iDisk is insecure since quite some time and did not fix it.

The only way is the press.

Disclaimer
Opinions expressed here are those of the writers and do not reflect those of Macworld. Macworld accepts no responsibility legal or otherwise for their accuracy of content.
Click here to read the house rules.

Click here for the latest reader comments

Latest News

More news...

iPhone 3G S Video Review

Related News

More Digital Lifestyle news...

Mac Broadband?

Search news

Search Google

Newsletter signup

It's easy and free to get the latest news headlines, reviews and opinions straight to your email inbox. Sign up NOW to make sure you receive the latest Mac news, reviews and tutorials on your favourite topics.

Latest issue: Macworld

Find out what's in this month's Macworld here or buy now.

Macworld reader poll

Are you going to buy an Apple iPad?:

View poll results

Have your say in the
Macworld forums!

Register now

Stay on top of the latest, breaking Mac news and chat with other Mac professionals and enthusiasts about the issues that matter to you. Register with Macworld today to join our forums and receive our twice-weekly email newsletter, Macworld Mainline.

RSS

Have the latest content delivered to your desktop via RSS. Use the links below to get access to a specific blog, news, or reviews feed.

Subscribe to our feeds here

Latest PC industry news

MACWORLD MARKETPLACE

	Computer & Laptop At Ciao you can read consumer reviews on a large number of Apple products like iPods, iPhones, Apple laptops and Apple computers. Compare prices of your favourite Apple products today.
	Are you a new customer? Are you doubtful? Try it for free! 4 classic products: try with no risks. 48 hours from now!
	Beat the Credit Crunch - Lease your Mac from Hardsoft. Hardsoft are the only 'one stop' solution for the supply and finance of I.T. to businesses throughout the UK via our regional branch offices. We are uniquely both equipment Apple Approved Reseller and licensed Credit Brokers and have tailored a solution which includes a full 3 year warranty and an equipment upgrade every 18 month.
	50% off ebooks It doesn't get much hotter than Mac OS X and iPhone development - visit http://apress.com/mac. Whatever your level, and whatever your background, Apress offers a complete package of books to get you up and developing for iPhone and Mac OS X. Use the exclusive MacWorld coupon code, MACWORLDOC, at Apress.com to receive 50% off your cart.
	Circus Ponies NoteBook - the easy way to get organized on the Mac NoteBook is the award-winning application that gets you organized. Store notes in electronic notebooks, add text, drag in files, "clip" web pages and other content. Annotate with diagrams, sketches, highlighting, keywords, even voice recordings. Find anything instantly with NoteBook’s patented Multidex^TM. Publish to the web, including MobileMe.