Apple iPad, Day 24: Securing and Protecting the iPad

My 64GB iPad contains a ton of sensitive data and provides easy access to my online networks. I need security in place.

30 Days With the iPad: Day 24

One of the realities of using a PC is that it needs to be protected from malware, and the data it contains must be secured to prevent unauthorized access. The security concerns for tablets may be different, but the iPad still stores plenty of sensitive data, and there has to be a way for me to protect that data if the iPad is going to replace my PC.

Whether you have a 16GB, 32GB, or 64GB iPad, there is plenty of room there for sensitive data. Without some security measures in place, if my iPad were lost or stolen it could grant access to my email, social networks, contacts, calendar events, personal photos and videos, and any files stored on the iPad itself.

I don't really care if a thief gets access to my collection of David Cook, Lady Gaga, Staind, and Colbie Callait MP3s, or even my digital copy of Harry Potter and the Half-Blood Prince. No worries. However, I'd rather not expose my emails, contacts, or access to the data I have stored on

As with any platform, security on the iPad is a balancing act. The more convenient it is to use, the less secure it is. The more secure it is, the less convenient.

For example, it would be more secure if apps like MyPad+,, or Twitter for iPad didn't store my credentials, but then it would be a pain to have type them every time I want to access those apps. I don't want to enter my username and password every time I want to check my email, but it would make my email more secure.

Some apps--the apps where money can actually be spent--do offer additional protection. My Starbucks app,, and even the Apple App Store app all require that I enter a PIN or password before a transaction.

I choose to strike a balance that locks the iPad when not in use, but stores credentials to make it more convenient to use when it is unlocked. In the iPad Settings, under General, there is a section that deals with iPad security.

The first setting determines if or when to auto-lock the iPad. I can set the iPad to automatically lock after two, five, ten, or fifteen minutes of inactivity--or never. I have this set for five minutes. I understand, though, that by setting it to five minutes I am also leaving a thief a five minute window of opportunity. As long as someone initiates some activity on the iPad within those five minutes, the auto-lock will not kick in and the thief could have access to the contents of my iPad.

The second setting is for the Passcode Lock. By default, the iPad does not require any sort of PIN or password. I can turn on a passcode with this setting. The standard passcode for the iPad is a four-digit PIN. There is an option to disable the simple passcode, though, which then lets me assign an alphanumeric password of variable length.

I can also determine how much time can pass before the passcode is required. I can choose Immediately, or after one minute, five minutes, fifteen minutes, one hour, or four hours. In theory, I could set the iPad itself to auto-lock after five minutes, but set the passcode not to be required until fifteen minutes. That means that at five minutes I have push the home button and swipe to wake the iPad up, but I wouldn't have to enter a passcode until fifteen minutes (and neither would a thief).

Again, security counters convenience and requires some sort of balance. Setting the passcode to be required immediately might be too tedious and inconvenient, but setting the passcode to be required after four hours is pretty useless. I have my passcode set for five minutes--just like my auto-lock.

One other important security feature in the General Settings is the setting to erase all data after too many failed login attempts. A dedicated attacker may eventually be able to crack a passcode given a limitless number of attempts. By enabling the Erase Data setting, the iPad will automatically erase all data on the iPad after 10 failed passcode attempts.

There is also a setting to turn on or off the feature on the iPad 2 that automatically locks the tablet when the SmartCover (or any other cover designed to take advantage of the magnets in the iPad 2) is closed. If you set the passcode to be required immediately, you can ensure that the iPad is protected every time you shut the cover.

These iPad settings help secure the tablet from unauthorized access, and protect the data it contains. They don't do anything, however, for malware or phishing attacks. Malware attacks targeting the iPad don't really exist...yet. That doesn't mean they can't or won't. There are a handful of anti-malware apps already available, and I am sure there will be more to come.

When it comes to phishing attacks, and socially engineered attacks like those on Facebook, common sense is still the best defense. You simply have to have enough awareness not to click on suspicious or questionable links, and not to fall for breaking news video scams, or bank account password scams, or any other phishing attacks.

The settings on the iPad may be fine on an individual basis, but for iPads in a business environment, IT admins need more control, and they need the ability to control security policies and protect data remotely--rather than having to configure the security settings on each individual iPad. For IT admins, there are more robust tools and platforms for managing iPads, but we'll look at those another day.

My iPad doesn't have the antimalware, anti-spam, or anti-phishing tools that my Windows 7 notebook does, but it doesn't really need tools like that at this point. When it comes to preventing unauthorized access and protecting data, though, the iPad seems to have adequate security available--but much of it is not enabled by default and requires conscious effort to configure.

Read the last "30 Days" series: 30 Days With Ubuntu Linux

Day 23: Using the Front-Facing Camera on the iPad 2

Join the CSO newsletter!

Error: Please check your email address.

Tags Appleapple ipadapplicationshardware systemstabletssoftwaredata protection

More about Amazon.comAmazon Web ServicesAppleBox.netFacebookLinuxStarbucksUbuntu

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Tony Bradley

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts