How to use your iPad securely

Its combination of hardware and software security translate to a device that's probably more secure than your PC or Mac--especially if you take the right steps to secure it

The iPad is one of the safest computing devices you can use. Its combination of hardware and software security translate to a device that's probably more secure than your PC or Mac--especially if you take the right steps to secure it.

Because there are currently no known remote attacks against iPads, the biggest security risk is physically losing the device. Thus, the first step is to make sure your tablet's data is safe in case it's lost or stolen. For that, I'd suggest a combination of encryption and remote wiping.

Passcodes and encryption

All iPads ship with powerful hardware encryption built-in, but you need to enable it. The simplest way to do that is to set a passcode on your iPad: As soon as you do, your data will be automatically encrypted. To enable a passcode, go to Settings -> General -> Passcode Lock and then enter a four-digit code twice. If you'd like to be extra-safe, you can turn the Simple Passcode option on that same page off; you can then use longer codes. While you're there, you should also set Require Passcode for no more than 15 minutes and turn Erase Data on. (Technically, the iPad deletes your encryption key, not the actual data, but that's faster and just as effective.)

All modern iOS devices also come with a second layer of encryption, called Data Protection. While the basic encryption enabled by turning on passcodes protects all of the data on the device (including your apps), it can be bypassed by jailbreaking. Data protection encrypts your e-mail messages and their attachments; it can't be broken even if the passcode is stripped by jailbreaking. Data protection is also available for programmers to use in apps, but few take advantage of it. (At this time, there aren't any jailbreaks for the iPad 2, so the basic encryption is still safe; but that probably won't last forever).

Enhance the passcode

To make the iPad's built-in security features even more powerful, you can use Apple's (now poorly named) iPhone Configuration Utility. Designed to help enterprises manage iOS devices, it opens up a suite of additional security and business settings, even for individual users.

To start, click on Configuration Profile -> New, and select Passcode from the list that appears. In the subsequent Passcode pane, you have all kinds of options; the settings here override your iPad's. At the very least, you can specify a minimum length to the passcode.

To activate these password settings, you'll have to fill in some information on the General tab too--specifically, the name and identifier of the profile. If this is a device that only you will use, you can set the Security drop-down to Always. (That allows you to remove the profile whenever you want.) If you're configuring an iPad to be used by someone else, you can set it for Never or With Authorization (and then provide a password) so that someone else can't change the settings without your permission.

Installing the profile is easy: Click Share to e-mail it to your iPad. On the tablet, you then open Mail, find the message, click on its attachment, and select Install. You can also export the profile to a downloadable file and install with the iPad's copy of Safari.

Enable remote wipe

Remote wiping is an important security tool that allows you to delete the data on a lost iPad if and when it connects to the Internet. If you have a MobileMe account, you can set this up by enabling Find My iPad in Settings -> Mail, Contacts, Calendars -> MobileMe. Business users who connect to a Microsoft Exchange server (or Exchange alternatives such as Kerio Connect) can wipe their devices using Exchange ActiveSync support. This is managed on the server, not your device, so you'll need to work with your IT administrator.

Remote wipe only works if there's a network connection. That's one reason why some companies purchase 3G iPads with data plans only.

Good safety practices

That takes care of the set-up. But there are also things you can do in daily use to make your iPad more secure.

One thing that means is to make your network connections as secure as possible. One of the best ways is to use a VPN.

Another way is to use secure connections for e-mail. Microsoft Exchange servers encrypt data by default. If you use an IMAP or POP3 server, and it supports SSL, you can go to Settings > Mail, Contacts, Calendars > your account > Advanced on your iPad and enable it there.

Although Data Protection encrypts your e-mail attachments, the moment you send them to an app such as Pages, it is protected by the iPad's basic encryption only. If you're really worried about such documents, you can use a special secure e-mail server tool like Good for Enterprise and its free companion iPad app. Good locks encrypted e-mail attachments (and files downloaded from its secure browser) inside the app, which means you can read them, but not edit them.

If you do lose your iPad, one of the first things you should do is change your password on any services--such as Dropbox or iDisk--that you connected to from it.

Finally, consider getting the 1Password Pro app. It enables good password habits (a different, complex password for every site), it syncs with your Mac and other devices over the network or via DropBox, and it stores secure notes and other information as well as passwords. It even includes its own embedded Web browser for logging into sites without having to copy-and-paste your credentials.

Rich Mogull has worked in the security world for 17 years. He writes for TidBits and works as a security analyst through

Join the CSO newsletter!

Error: Please check your email address.

Tags Applesecurityhardware systemstablet PCslaptops

More about AppleDropboxetworkMicrosoft

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Rich Mogull

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place