Mobile Security: Why I still want my iPad, iPhone

Security incidents are always about more than just the vulnerabilities

Everything I've learned about mobile security tells me it's bad to use the consumer-based technology for work. That's where all the bad stuff comes from. That includes devices like the iPhone and iPad.

The Apple Army, a group of people that reminds me of a more fanatical, less forgiving version of the KISS Army (even the KISS Army will tell you the band's disco album should be burned) will tell you Apple products are superior to all the rest from a security standpoint. Apple products don't get malware infections and users need not worry about their data falling into evil hands, the Apple Army tells me. That stuff only happens in the Windows universe.

But I've seen enough from the security research community to know better.

The most sobering example for me, perhaps, came from Trevor Hawthorn, founder and managing principal at Stratum Security, who shared research on the iPhone's weaknesses at the most recent ShmooCon security conference.

He demonstrated, for example, how the bad guys could exploit security holes (since fixed) in AT&T's network, which Apple's iPhone uses, and how an epidemic of "jailbreaking" is disabling critical security controls on the device. Jailbreaking is a process iPhone and iPod Touch users can exploit to run whatever code they want on the device, whether it's authorized by Apple or not. Jailbreaking the phone allows you to download a variety of apps you couldn't get in the Apple App Store. For those who hate Apple's heavy hand and welcome any method to thumb a nose at the company's decrees, jailbreaking is very attractive. But there's a problem, Hawthorn said. A big one.

"Jailbreaking wipes away 80 percent of the iPhone's security controls," he said. "Since nearly 7 percent of all iPhones are jailbroken," the bad guys have plenty of targets to choose from.

There are the recent warnings I've heard about the iPad, including this from Forrester Research's CSO blog:

"Even though the iPad is barely birthed, there is already a push to provide payment applications for the device. It's time to pull the emergency brake on this trend. Are these applications PA-DSS certified? Do they have swipe devices with crypto hardware built-in? Has the Pin Entry Device been rigorously tested and meet all the PIN Transaction Security Guidelines? There are so many things consumers should know about the security of these new methods of payments before they allow their credit card to be captured by an iPad or iPhone."

And then there's the fact that bad things have already happened, most notably the case -- now under investigation by the FBI -- where hackers from a group called Goatse obtained the e-mail addresses of an estimated 114,000 Apple iPad users by uncovering a Web application on AT&T's Web site that returned an iPad user's e-mail address when it was sent specially written queries. As my colleague Robert McMillan wrote, after writing an automated script to repeatedly query the site, they downloaded the addresses and then handed them over to

Here's the thing:

Despite all this bad stuff, I want an iPhone and maybe an iPad later on. And I want them so I can work more efficiently. It's what security experts might call a classic case of choosing usability over security.

Guilty as charged, assuming I WILL be charged by some of my friends in the industry.

I'm drawn to the ability to drag images around on a small screen with my finger and access work-related websites that will show up in a much more easy to read fashion than they do on my BlackBerry Curve. Since I travel to a lot of security conferences, I'm smitten with the idea of leaving my clunky laptop behind and writing off of more light-weight devices. I've heard that the touch-screen keypad is still not ready for prime time in that regard, but I think they will be sooner rather than later.

But those security issues: Oh, those security issues.

Does my craving for these consumer toys make me a hypocrite? I've written quite a bit about the security dangers of smartphones and mobile devices in general, after all.

Perhaps. But I've also learned something else about security over the years.

As buggy as these devices may be, security incidents are always about more than just the vulnerabilities the attackers exploited.

There's always the part about the corporate IT network that was so badly configured the bad guys could easily take advantage of them even without all those software holes. And there are the users who cause problems even on fully patched, ironclad machines because they so easily fall for social engineering tricks. [You can see some examples in Social engineering techniques: 4 ways criminal outsiders get inside.]

Surely, I've learned enough from the leaders of information security to avoid the social engineering traps, at least.

I hope so.

Because I want an iPhone. And an iPad.

In the interest of gaining the full understanding of what I'm dealing with, I've been asking experts for their thoughts on whether it's possible to use these devices securely in the enterprise. I'm getting a lot of mixed responses. But one thing everyone agrees on is that companies can't ban these devices forever. It's like social networking. It's become too big to avoid. So companies may as well figure out how to use them safely.

I'll be writing that article next week. In the meantime, feel free to shoot me some feedback at or BillBrenner70 on Twitter. If you think I'm out of my mind, tell me so. I can take it.

Join the CSO newsletter!

Error: Please check your email address.

Tags securityiPhonemobile securityiPad

More about AppleAT&TAT&TBlackBerryetworkFBIForrester ResearchISS Group

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Bill Brenner

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place