Mobile Security: Why I still want my iPad, iPhone
CSO Senior Editor Bill Brenner wants his Apple toys so he can work more efficiently, despite all the security concerns he hears about.
By Bill Brenner , Senior Editor
June 16, 2010 — CSO —
Everything I've learned about mobile security tells me it's bad to use the consumer-based technology for work. That's where all the bad stuff comes from. That includes devices like the iPhone and iPad.
The Apple Army, a group of people that reminds me of a more fanatical, less forgiving version of the KISS Army (even the KISS Army will tell you the band's disco album should be burned) will tell you Apple products are superior to all the rest from a security standpoint. Apple products don't get malware infections and users need not worry about their data falling into evil hands, the Apple Army tells me. That stuff only happens in the Windows universe.
But I've seen enough from the security research community to know better.
The most sobering example for me, perhaps, came from Trevor Hawthorn, founder and managing principal at Stratum Security, who shared research on the iPhone's weaknesses at the most recent ShmooCon security conference.
He demonstrated, for example, how the bad guys could exploit security holes (since fixed) in AT&T's network, which Apple's iPhone uses, and how an epidemic of "jailbreaking" is disabling critical security controls on the device. Jailbreaking is a process iPhone and iPod Touch users can exploit to run whatever code they want on the device, whether it's authorized by Apple or not. Jailbreaking the phone allows you to download a variety of apps you couldn't get in the Apple App Store. For those who hate Apple's heavy hand and welcome any method to thumb a nose at the company's decrees, jailbreaking is very attractive. But there's a problem, Hawthorn said. A big one.
"Jailbreaking wipes away 80 percent of the iPhone's security controls," he said. "Since nearly 7 percent of all iPhones are jailbroken," the bad guys have plenty of targets to choose from.
There are the recent warnings I've heard about the iPad, including this from Forrester Research's CSO blog:
"Even though the iPad is barely birthed, there is already a push to provide payment applications for the device. It's time to pull the emergency brake on this trend. Are these applications PA-DSS certified? Do they have swipe devices with crypto hardware built-in? Has the Pin Entry Device been rigorously tested and meet all the PIN Transaction Security Guidelines? There are so many things consumers should know about the security of these new methods of payments before they allow their credit card to be captured by an iPad or iPhone."