CSO - Everything I've learned about mobile security tells me it's bad to use the consumer-based technology for work. That's where all the bad stuff comes from. That includes devices like the iPhone and iPad.
The Apple Army, a group of people that reminds me of a more fanatical, less forgiving version of the KISS Army (even the KISS Army will tell you the band's disco album should be burned) will tell you Apple products are superior to all the rest from a security standpoint. Apple products don't get malware infections and users need not worry about their data falling into evil hands, the Apple Army tells me. That stuff only happens in the Windows universe.
But I've seen enough from the security research community to know better.
The most sobering example for me, perhaps, came from Trevor Hawthorn, founder and managing principal at Stratum Security, who shared research on the iPhone's weaknesses at the most recent ShmooCon security conference.
He demonstrated, for example, how the bad guys could exploit security holes (since fixed) in AT&T's network, which Apple's iPhone uses, and how an epidemic of "jailbreaking" is disabling critical security controls on the device. Jailbreaking is a process iPhone and iPod Touch users can exploit to run whatever code they want on the device, whether it's authorized by Apple or not. Jailbreaking the phone allows you to download a variety of apps you couldn't get in the Apple App Store. For those who hate Apple's heavy hand and welcome any method to thumb a nose at the company's decrees, jailbreaking is very attractive. But there's a problem, Hawthorn said. A big one.
"Jailbreaking wipes away 80 percent of the iPhone's security controls," he said. "Since nearly 7 percent of all iPhones are jailbroken," the bad guys have plenty of targets to choose from.
There are the recent warnings I've heard about the iPad, including this from Forrester Research's CSO blog:
"Even though the iPad is barely birthed, there is already a push to provide payment applications for the device. It's time to pull the emergency brake on this trend. Are these applications PA-DSS certified? Do they have swipe devices with crypto hardware built-in? Has the Pin Entry Device been rigorously tested and meet all the PIN Transaction Security Guidelines? There are so many things consumers should know about the security of these new methods of payments before they allow their credit card to be captured by an iPad or iPhone."
And then there's the fact that bad things have already happened, most notably the case -- now under investigation by the FBI -- where hackers from a group called Goatse obtained the e-mail addresses of an estimated 114,000 Apple iPad users by uncovering a Web application on AT&T's Web site that returned an iPad user's e-mail address when it was sent specially written queries. As my colleague Robert McMillan wrote, after writing an automated script to repeatedly query the site, they downloaded the addresses and then handed them over to Gawker.com.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
