Apple gets serious about iPad security, is it enough?

Soon, SAP hopes to sew up a gaping security hole for its 7,000 iPad-toting employees. The Germany-based tech giant is beta testing a product that will allow it to send PGP-encrypted confidential email to employees. In turn, employees will be able to decrypt them using a Symantec viewer iPad app.

Just one problem: Employees won't be able to send encrypted email from their iPads, at least not yet. Blame Apple for an iPad email encryption capability that literally goes only halfway--that is, to iPads but not from them.

"Symantec told us the problem is with Apple; they can't get the right interfaces into iOS," explains Wolfgang Krips, senior vice president of global IT infrastructure services at SAP. "It's not a deal killer but very serious, very frustrating."

So goes the love-hate relationship CIOs have with Apple. Now the stakes are higher with iPads invading the enterprise at a meteoric rate. To be fair, Apple has responded recently to security concerns about its iOS. But does the company's newfound interest in enterprise security go far enough?

Not so long ago, Apple would take its sweet time addressing enterprise security concerns to the chagrin of CIOs. Apple's thinking: Malicious attackers target Microsoft Windows machines that contain valuable--and profitable--data, not so much Apple consumer devices. So let Microsoft put out Patch Tuesdays (the second Tuesday of the month when Microsoft releases security patches).

But the tables have turned with iPads pouring into the enterprise. After only 18 months on the market, iPads are now being deployed or tested at 86 percent of Fortune 500 companies, Apple said during its most recent quarterly earnings call. Industries that traffic in highly confidential information, such as hospitals and law firms, have emerged as early adopters.

Making matters worse, iPads are becoming a kind of proxy for laptops, sending and receiving some of the most sensitive data on the network. "The security problem for iPads becomes even more burning," Krips says. "You're coming to the same situation you have with Windows on the laptops or desktops. It's becoming increasingly attractive to hack those devices."

And malware attackers are plying their nefarious trade with more frequency. The rate of malware attacks more than doubled in the second quarter this year to 287,298 unique instances in June, according to Cisco's quarterly threat report released this week. A company faces an average 335 encounters every month.

So will Apple step up its security practices?

Recent signs show Apple is getting the enterprise security message. For instance, Apple quickly released iOS 4.3.4 in July, which patched a PDF vulnerability. Just a week and a half later, Apple released iOS 4.3.5, which fixed a certificate validation vulnerability.

"I was also very pleased to see that Apple released a kind of virus scanner for the devices," says Ralph Salomon, vice president of IT security and risk office at SAP. "We will be evaluating it to make sure we can bring it to the devices as soon as possible. Apple is working really hard to identify issues and close them as soon as possible. They are on the right track."

Yet Apple still has a ways to go, as evidenced by the iPad's inability to send encrypted emails.

Vendors have been trying to solve the problem of iOS email encryption in various ways. Some developed entirely new email apps, forgoing Apple's native Mail app. Others chose an online-only Web portal approach. With Symantec's PGP Viewer for iOS, an iPad user receives an email with an attachment over the native Mail app.

By tapping on the attachment and selecting the Symantec viewer, the user can decrypt and view the message. The data is kept inside the viewer app, which acts as a kind of sandbox. The viewer doesn't allow the user to forward, reply or even copy and paste the content of the message.

On the reply side, employees will have to send completely separate emails that merely reference the encrypted email but don't contain its details. For instance, back-and-forth cryptic emails might read, "I agree with step one but not step three" or "please give me feedback on the third slide."

There are workarounds to the Symantec PGP Viewer for iOS that can cause CIOs to lose their hair. A user can choose third-party apps to view decrypted documents in the viewer, for example, GoodReader for PDFs and Quickoffice for Microsoft Office documents. "With a helper app, the data moves out of the container," says Tim Matthews, director of product marketing at Symantec.

Corporate security policies are the only line of defense against this practice. Then again, employees have been using workarounds for sensitive emails since the early days of the iPad. Many would simply decrypt documents on their laptops and email them, unencrypted, to themselves on their iPads.

"Several state laws also require email encryption, so they were putting their companies at risk" by breaking the law, adds Brian Tokuyoshi, senior product marketing manager at Symantec's encryption group.

A recent Sybase-SAP survey of 500 workers found that a third of employees have put company data at risk by sending work-related emails or documents to their personal accounts and accessing the company intranet from remote locations. One in four has conducted work-related email exchanges on a personal mobile device.

Whether or not the Symantec Viewer will discourage people from breaking corporate policy is anyone's guess. One thing, though, is for certain: The inability to send encrypted emails from the iPad won't help matters.

"In doing business, there's always a balance in the risk you're introducing and the advantage you're getting" from the Apple iPad, Krips says. "That's what makes this so difficult."

Quips Salomon, "especially from a security perspective."

Tom Kaneshige covers Apple and Networking. Follow Tom on Twitter @kaneshige.
