Mobile Security: Why I still want my iPad, iPhone
CSO Senior Editor Bill Brenner wants his Apple toys so he can work more efficiently, despite all the security concerns he hears about.
By Bill Brenner , Senior Editor
June 16, 2010 — CSO —
Everything I've learned about mobile security tells me it's bad to use the consumer-based technology for work. That's where all the bad stuff comes from. That includes devices like the iPhone and iPad.
The Apple Army, a group of people that reminds me of a more fanatical, less forgiving version of the KISS Army (even the KISS Army will tell you the band's disco album should be burned) will tell you Apple products are superior to all the rest from a security standpoint. Apple products don't get malware infections and users need not worry about their data falling into evil hands, the Apple Army tells me. That stuff only happens in the Windows universe.
But I've seen enough from the security research community to know better.
The most sobering example for me, perhaps, came from Trevor Hawthorn, founder and managing principal at Stratum Security, who shared research on the iPhone's weaknesses at the most recent ShmooCon security conference.
He demonstrated, for example, how the bad guys could exploit security holes (since fixed) in AT&T's network, which Apple's iPhone uses, and how an epidemic of "jailbreaking" is disabling critical security controls on the device. Jailbreaking is a process iPhone and iPod Touch users can exploit to run whatever code they want on the device, whether it's authorized by Apple or not. Jailbreaking the phone allows you to download a variety of apps you couldn't get in the Apple App Store. For those who hate Apple's heavy hand and welcome any method to thumb a nose at the company's decrees, jailbreaking is very attractive. But there's a problem, Hawthorn said. A big one.
"Jailbreaking wipes away 80 percent of the iPhone's security controls," he said. "Since nearly 7 percent of all iPhones are jailbroken," the bad guys have plenty of targets to choose from.
There are the recent warnings I've heard about the iPad, including this from Forrester Research's CSO blog:
"Even though the iPad is barely birthed, there is already a push to provide payment applications for the device. It's time to pull the emergency brake on this trend. Are these applications PA-DSS certified? Do they have swipe devices with crypto hardware built-in? Has the Pin Entry Device been rigorously tested and meet all the PIN Transaction Security Guidelines? There are so many things consumers should know about the security of these new methods of payments before they allow their credit card to be captured by an iPad or iPhone."
ESSENTIAL READING
In-depth information on securing mobile devices and wireless networks. Smartphones, tablets, BYOD - policies, technologies and strategies for protecting corporate data and intellectual property.
20 security and privacy apps for Androids and iPhones
What's the most secure smartphone? | BlackBerry vs iOS vs Android
5 policy questions for mobile device security
Bad policy = bad security
5 questions on tablet security
What are the risks, the support requirements, the best security technologies?
Mobile security threats are heating up
Slow firmware updates, poorly vetted apps, and mobile-specific malware mean trouble
Wireless intrusion detection systems
- Modernizing Wireless Infrastructure for Today's Mobile and Data Driven Enterprise
- Enterprise File Sharing: All You Need to Know
- Forrester Research and EMC on Continuous Availability
- Big Ideas; Big Tech-Continuous Availability for VMware
- Reduce Costs, Maximize Performance and Ensure High Availability of your Business Critical Applications
- Software Asset Management - Program Considerations to Help Reduce Risk and Lower Costs
- Mandiant's APT1: Revisited
The Mandiant APT1 report made our industry stronger by encouraging -- if not forcing -- information sharing. By Nick Selby - Attacks from China: A survival guide
- #FFSec: Infosec pros who bring value to Twitter
More Salted Hash with Bill Brenner
