The iPhone and iPad are not your dad's new-fangled laptop. Or are they?
Part of the security problem has changed, says security expert Jeff Schmidt, CEO of JAS Global Advisors LLC. Schmidt advises Fortune 100 companies on ways to secure mobile devices. Threats are different as curated app stores stymie old-fashioned malware bad guys. But now the curators themselves might be giving too much freedom to app makers trafficking in personal information.
One aspect of the security problem hasn't changed at all-security, or lack thereof, begins and ends with human behavior, Schmidt says. User policies, which are often never read, continue to be the main defense against accidental data loss on the iPad or iPhone.
The merging of business and personal uses in a single computer actually began in the 1990s with the bring-it-home laptop. Schmidt thinks a lesson can be learned from the past that could address today's mobile security dilemma.
How big is the iPhone and iPad security problem?
Schmidt: As market share goes up, people become more interested in the Apple platform. Both the Mac OS and iOS are really hot right now. Mobile devices, however, are kind of a different category; the space is emerging so quickly. The tipping point is probably going to be the wide connectivity. Smart devices have generally been protected by the fact that they're connected to relatively slow networks. But with LTE, things will get very interesting for iOS and Android-related security vulnerabilities, given full-time high-speed connections.
Isn't iOS somewhat safe because of Apple's closed system?
Schmidt: The world is changing from the classic PC-laptop threat model. Sure, bad guys still want to trick you into installing something on your machine. But that vector is going away as app stores clamp down. In addition, browser technology is getting better at preventing you from downloading things you don't want to download.
But the issue about unintended use cases, privacy violations, more data being gathered than people understand from software they knowingly did install is a larger, growing issue. Take the example of a shopping cart app that reminds you to buy oranges while at the grocery store. Most people don't fully understand what that shopping cart is really doing and who it's sending data to.
There's an emerging class of security problems that is not well-understood, unlike the classic model where we just install firewalls or anti-virus software.
Where does this put the Apple-curated App Store?
Schmidt: Because they manage the app stores, this puts Apple and Google in an interesting position. It's not clear that they want to censor that behavior. So what does Apple-approved mean? Let's say the shopping cart app is geographically tracking me and sending that data to someone else, ostensibly to remind me when I'm near a grocery store or to send me coupons or to learn my shopping habits and then sending them to someone like Google that can maybe monetize it in some way. Those scenarios are not clear.
The permissions model is still very obscure. Whenever you install an app, you get a long list of permissions that app is requesting: access to your phone number, access to your geo-location, access to your address book. It's become like a licensing agreement where people don't actually read or understand what they're agreeing to, they just want the shopping cart app to work.
One of things that has happened in the last five years is that it has become extremely easy to monetize information, even mundane information. That's driving behavior.
Can old-fashioned malware infect non-jailbroken iPhones?
Schmidt: There are ways to get software installed on smart devices, particularly Android and less so Apple. If you browse a malicious Web page where there's a vulnerability in the Web rendering on the platform, infected software can get installed on your device. Also, it is possible for applications to be installed through a vulnerability bug in another application that you may have gotten from the app store.
It seems the biggest security threat on the iPad and iPhone is human behavior. How can CIOs do a better job of managing this?
Schmidt: You've nailed the biggest macro issue happening now: the shift from corporate-controlled devices hosting corporate data to personal-owned devices hosting corporate data. That is a seismic shift that is not slowing down but speeding up.
By the way, I think that's a generational change. The current Gen Yers expect work to integrate more with their personal life rather than forcing their personal life to integrate around work. It's kind of interesting.
Now companies have to deal with the expectation that you'll be reading corporate email on your personal iPhone device. This opens up huge policy questions. Now corporate data is sitting on a device that the company doesn't own or control. (See 15 Best iPhone Apps for Busy CEOs.)
One response is for a company to want remote wipe capabilities. Say you fire an employee or he or she leaves. Is it legal and/or ethical to remote wipe a device that you don't own? There's a very large company we're working with right now that's asking this question.
So what's the solution?
Schmidt: The middle ground is that people are going to bring their personal device into enterprises and, as a part of their employment agreement, they'll sign away some management of that device.
Then another issue appears, shared personal devices also being used for business purposes. For instance, we had a vice president of a large company purchase an iPad that he shares with his family. He plays educational games on it with his young child, his wife also uses it. Then he brings it into the office and wants to read email on it. All of a sudden, you've got a child playing on the same iPad that has this vice president's corporate email.
There's no way to get around this other than policy. But, boy, can you imagine the policy that says you won't let your wife or kid use your iPad? You also have limited ability to put edicts on a vice president. So for us, there was no policy, no edict. It was just, "Well, you gotta be careful about that." That was it.
This doesn't sound particularly promising. Is there a technical solution?
Schmidt: I think we're still in the infancy of virtual machines, but at the end of the day virtual machines are the answer to a lot of the problems we have right now. If I can spin up and shut down different machines with different profiles and purposes to keep my data segmented, then that's going to help a lot. To do this, we'll need Apple's help-it needs to be baked into the OS.
There was a very large company in the late 1990s that had a similar problem when issuing laptops. People would plug them into the corporate network and do business stuff, then play games and browse ESPN. As a result, the company was constantly dealing with infected machines.
So the company took an aggressive, draconian approach issuing every employee two physical hard drives for the laptop. One was the company hard drive, the only hard drive that was supposed to be in the machine when you were physically connected to the corporate LAN. If you were connected to any network other than the corporate LAN, you had to have the other drive in.
Any violation of the agreement would lead to termination. They had to fire a couple of people before everyone took it seriously. This policy was in effect for five or six years, the company has since changed the policy as technology changed.
The company recognized that there was both a personal and business use for the laptop, and that there was no way you could deny a personal use. So the next best thing was a forced partition.
Read more about mobile security in CIO's Mobile security Drilldown.