Thursday, 1 April 2010

Managing iPad Security Weaknesses

Apple is like the Disney of technology--always adding a dash of "magic" to its products. Apple has an established base of dedicated fans of the user experience on its various Mac OS X products, and it has had the Midas touch when it comes to portable devices like the iPod, and the iPhone. However, Apple still needs to come up with a spell that wards off evil spirits.

The debate over which operating system is more secure always evokes passionate responses from both sides, but the reality is that Mac OS X does not offer a target valuable enough for malware developers to invest time and effort attacking it. The Mac OS X platform is not widely used in business--Mac OS X only makes up about five percent of the total operating system market.

However, the success of the iPhone and the projected success of the iPad put those devices much higher on the market share food chain. The iPhone has captured the number two spot for smartphone market share with just over 25 percent, and analysts estimate that Apple could ship 10 million iPads by the end of 2010. Now, that is a target that attracts some attention.

"The general consensus is that Apple continues to do only the absolute minimum to address enterprise security and supportability requirements," noted Andrew Storms, Director of Security Operations for nCircle. "We haven't seen any new enterprise iPhone security features from Apple since the summer of 2009 when they introduced their new hardware level encryption, which was almost immediately subverted. This is not the kind of behavior security professionals want to see in vendors."

Recent events seem to illustrate that point. Security researchers were able to compromise a fully-updated iPhone 3GS at the recent CanSecWest Pwn2Own competition. Storms warned me, "If the iPad has the same OS as the iPhone then enterprises are going to be even more concerned about the data on this device."

The interesting thing about the iPhone hack, though, is that it leveraged weaknesses in the Safari Mobile browser to subvert the OS. Another security researcher has also been able to hack a fully-patched Mac OS X system in a matter of minutes in the past two years by exploiting the Safari Web browser. It seems that Apple's Web browser is a bit of an Achilles heel for Apple devices.

QuickTime is another Apple proprietary technology that may represent a weakness in the security of Apple devices. Storms explains, "QuickTime is Apple's answer to online media viewing, and it seems to have an above average share of security problems. There were 9 QuickTime bugs in this week's update."

Obviously, this does not bode well for the upcoming iPad launch. The iPad, like the iPhone, is built on the same OS platform and will rely on Apple proprietary applications for online media viewing and Web surfing. The security ramifications for users will be huge.

The iPad represents a more serious concern, though, because it will be used in a more notebook-like fashion. The iPhone is capable of acting as a handheld micro computer, but the small display makes it impractical. Surveys have shown that a majority of those interested in the iPad want the device for business-related functions more than as a media gadget.

It is important for businesses to establish ground rules for the use of devices like the iPad, and to develop policies and procedures that take the security limitations of the device into consideration and adequately protect sensitive business data.

A recent survey conducted by nCircle found that 58 percent of the respondents have a corporate smartphone security policy in place, and 65 percent of those have measures in place to enforce it.

Storms points out, "The good news from this survey is that a greater number of companies are starting to understand the security ramifications of mobile devices. It is encouraging that a majority of companies have a smartphone security policy and enforce it."

Obviously, 100 percent is better than 58, but we have to start somewhere. The new challenge, aside from increasing awareness to get more companies to understand the security implications of mobile devices, is to figure out whether the iPad is a smartphone on steroids or a notebook on a diet and develop the appropriate security policies to manage it as well.

Tony Bradley is co-author of Unified Communications for Dummies. He tweets as @Tony_BradleyPCW. You can follow him on his Facebook page, or contact him by email at tony_bradley@pcworld.com.
