iPhone and iPad security: The human element

The iPhone and iPad are not your dad's new-fangled laptop. Or are they?

Part of the security problem has changed, says security expert Jeff Schmidt, CEO of JAS Global Advisors LLC. Schmidt advises Fortune 100 companies on ways to secure mobile devices. Threats are different as curated app stores stymie old-fashioned malware bad guys. But now the curators themselves might be giving too much freedom to app makers trafficking in personal information.

One aspect of the security problem hasn't changed at all: security, or lack thereof, begins and ends with human behavior, Schmidt says. User policies, which are often never read, continue to be the main defense against accidental data loss on the iPad or iPhone.

The merging of business and personal uses in a single computer actually began in the 1990s with the bring-it-home laptop. Schmidt thinks a lesson can be learned from the past that could address today's mobile security dilemma.

How big is the iPhone and iPad security problem?

Schmidt: As market share goes up, people become more interested in the Apple platform. Both the Mac OS and iOS are really hot right now. Mobile devices, however, are kind of a different category; the space is emerging so quickly. The tipping point is probably going to be the wide connectivity. Smart devices have generally been protected by the fact that they're connected to relatively slow networks. But with LTE, things will get very interesting for iOS and Android-related security vulnerabilities, given full-time high-speed connections.

Isn't iOS somewhat safe because of Apple's closed system?

Schmidt: The world is changing from the classic PC-laptop threat model. Sure, bad guys still want to trick you into installing something on your machine. But that vector is going away as app stores clamp down. In addition, browser technology is getting better at preventing you from downloading things you don't want to download.

But the issue of unintended use cases, privacy violations, and more data being gathered than people understand from software they knowingly did install is a larger, growing issue. Take the example of a shopping cart app that reminds you to buy oranges while at the grocery store. Most people don't fully understand what that shopping cart is really doing and who it's sending data to.

There's an emerging class of security problems that is not well-understood, unlike the classic model where we just install firewalls or anti-virus software.

Where does this put the Apple-curated App Store?

Schmidt: Because they manage the app stores, this puts Apple and Google in an interesting position. It's not clear that they want to censor that behavior. So what does Apple-approved mean? Let's say the shopping cart app is geographically tracking me and sending that data to someone else, ostensibly to remind me when I'm near a grocery store or to send me coupons or to learn my shopping habits and then sending them to someone like Google that can maybe monetize it in some way. Those scenarios are not clear.

The permissions model is still very obscure. Whenever you install an app, you get a long list of permissions that app is requesting: access to your phone number, access to your geo-location, access to your address book. It's become like a licensing agreement where people don't actually read or understand what they're agreeing to; they just want the shopping cart app to work.

One of the things that has happened in the last five years is that it has become extremely easy to monetize information, even mundane information. That's driving behavior.

Can old-fashioned malware infect non-jailbroken iPhones?

Schmidt: There are ways to get software installed on smart devices, particularly Android and less so Apple. If you browse a malicious Web page where there's a vulnerability in the Web rendering on the platform, infected software can get installed on your device. Also, it is possible for applications to be installed through a vulnerability bug in another application that you may have gotten from the app store.

It seems the biggest security threat on the iPad and iPhone is human behavior. How can CIOs do a better job of managing this?

Schmidt: You've nailed the biggest macro issue happening now: the shift from corporate-controlled devices hosting corporate data to personal-owned devices hosting corporate data. That is a seismic shift that is not slowing down but speeding up.

By the way, I think that's a generational change. The current Gen Yers expect work to integrate more with their personal life rather than forcing their personal life to integrate around work. It's kind of interesting.

Now companies have to deal with the expectation that you'll be reading corporate email on your personal iPhone device. This opens up huge policy questions. Now corporate data is sitting on a device that the company doesn't own or control.

One response is for a company to want remote wipe capabilities. Say you fire an employee or he or she leaves. Is it legal and/or ethical to remote wipe a device that you don't own? There's a very large company we're working with right now that's asking this question.

So what's the solution?

Schmidt: The middle ground is that people are going to bring their personal device into enterprises and, as a part of their employment agreement, they'll sign away some management of that device.

Then another issue appears: shared personal devices also being used for business purposes. For instance, we had a vice president of a large company purchase an iPad that he shares with his family. He plays educational games on it with his young child; his wife also uses it. Then he brings it into the office and wants to read email on it. All of a sudden, you've got a child playing on the same iPad that has this vice president's corporate email.

There's no way to get around this other than policy. But, boy, can you imagine the policy that says you won't let your wife or kid use your iPad? You also have limited ability to put edicts on a vice president. So for us, there was no policy, no edict. It was just, "Well, you gotta be careful about that." That was it.

This doesn't sound particularly promising. Is there a technical solution?

Schmidt: I think we're still in the infancy of virtual machines, but at the end of the day virtual machines are the answer to a lot of the problems we have right now. If I can spin up and shut down different machines with different profiles and purposes to keep my data segmented, then that's going to help a lot. To do this, we'll need Apple's help; it needs to be baked into the OS.

There was a very large company in the late 1990s that had a similar problem when issuing laptops. People would plug them into the corporate network and do business stuff, then play games and browse ESPN. As a result, the company was constantly dealing with infected machines.

So the company took an aggressive, draconian approach, issuing every employee two physical hard drives for the laptop. One was the company hard drive, the only hard drive that was supposed to be in the machine when you were physically connected to the corporate LAN. If you were connected to any network other than the corporate LAN, you had to have the other drive in.

Any violation of the agreement would lead to termination. They had to fire a couple of people before everyone took it seriously. This policy was in effect for five or six years; the company has since changed the policy as technology changed.

The company recognized that there was both a personal and business use for the laptop, and that there was no way you could deny a personal use. So the next best thing was a forced partition.

Tom Kaneshige covers Apple and Networking for CIO.com. Follow Tom on Twitter @kaneshige. Follow everything from CIO.com on Twitter @CIOonline and on Facebook. Email Tom at tkanshige@cio.com
