iPhone and iPad Security: The Human Element
Tackling mobile security on a personal-business device isn't new, but it is still a very serious and present problem. Perhaps a lesson from the past holds an answer.
Mon, October 03, 2011
CIO — The iPhone and iPad are not your dad's new-fangled laptop. Or are they?
Part of the security problem has changed, says security expert Jeff Schmidt, CEO of JAS Global Advisors LLC. Schmidt advises Fortune 100 companies on ways to secure mobile devices. Threats are different as curated app stores stymie old-fashioned malware bad guys. But now the curators themselves might be giving too much freedom to app makers trafficking in personal information.
One aspect of the security problem hasn't changed at all—security, or lack thereof, begins and ends with human behavior, Schmidt says. User policies, which often go unread, continue to be the main defense against accidental data loss on the iPad or iPhone.
The merging of business and personal uses in a single computer actually began in the 1990s with the bring-it-home laptop. Schmidt thinks a lesson can be learned from the past that could address today's mobile security dilemma.
How big is the iPhone and iPad security problem?
Schmidt: As market share goes up, people become more interested in the Apple platform. Both the Mac OS and iOS are really hot right now. Mobile devices, however, are kind of a different category; the space is emerging so quickly. The tipping point is probably going to be the wide connectivity. Smart devices have generally been protected by the fact that they're connected to relatively slow networks. But with LTE, things will get very interesting for iOS and Android-related security vulnerabilities, given full-time high-speed connections.
Isn't iOS somewhat safe because of Apple's closed system?
Schmidt: The world is changing from the classic PC-laptop threat model. Sure, bad guys still want to trick you into installing something on your machine. But that vector is going away as app stores clamp down. In addition, browser technology is getting better at preventing you from downloading things you don't want to download.
But the issue about unintended use cases, privacy violations, more data being gathered than people understand from software they knowingly did install is a larger, growing issue. Take the example of a shopping cart app that reminds you to buy oranges while at the grocery store. Most people don't fully understand what that shopping cart is really doing and who it's sending data to.
There's an emerging class of security problems that is not well-understood, unlike the classic model where we just install firewalls or anti-virus software.
Where does this put the Apple-curated App Store?
Schmidt: Because they manage the app stores, this puts Apple and Google in an interesting position. It's not clear that they want to censor that behavior. So what does Apple-approved mean? Let's say the shopping cart app is geographically tracking me and sending that data to someone else, ostensibly to remind me when I'm near a grocery store or to send me coupons or to learn my shopping habits and then sending them to someone like Google that can maybe monetize it in some way. Those scenarios are not clear.