BACKGROUND IMAGE: iSTOCK/GETTY IMAGES
Apple has long enjoyed its reputation for delivering secure products that aren’t prone to malware. But there’s a growing sense that those days are numbered, and IT pros have very few security options.
The popularity of the iPhone and iPad, especially among business users, makes the iOS operating system a more appealing target for attackers, IT pros and consultants said. There’s a dearth of iOS security apps and the number of Mac OS X and iOS security vulnerabilities is creeping up, according to a recent report.
“Sooner or later, there will be an outbreak,” said Geoff Le Quelenec, IT director for a large Toronto-based trade organization.
Kevin Hart, CEO of Tekserve, an Apple solutions provider in New York, agreed that iOS security attacks are “an inevitability.”
A false sense of iOS security?
Apple’s total control over the iOS ecosystem -- hardware, software and apps -- and the way it designed iOS keeps iPhones and iPads fairly secure. Users can only download approved apps from the App Store, and Apple has strict approval requirements. Apple iOS also limits how users share apps and data, and how apps interact.
“If [malware] does get into the wild, somebody’s got to download it,” Le Quelenec said. “It’s very difficult to pass an app from device to device, and they designed it that way.”
But the strong reputation of OS X and iOS security may do more harm than good, according to some observers. It leads some Apple users to be less vigilant about security, which “makes them perfect targets,” said Nicholas Raba, president of SecureMac, a Las Vegas-based Mac security software vendor.
Most businesses, however, don’t have this false sense of security, Hart said. They realize that “all hell can break loose” when a potentially unsecure device connects to the corporate network, he said.
Responding to iOS security attacks
The real problem is that IT has limited options for responding to iOS security attacks. Antimalware software is readily available for the Mac, but there are only a handful of apps that promise any sort of iOS virus protection.
And even if more robust antivirus programs were available, most iOS devices in the workplace are employee-owned, so deploying them and enforcing their use would be a challenge for IT.
If successful iOS security attacks were to take place, most of the response would fall on Apple’s shoulders. Nobody knows what Apple’s architecture looks like, but based on the company’s stated capabilities, observers infer there’s some sort of centralized command and control center, much like Research In Motion’s Waterloo, Ont. facility, Le Quelenec said.
“Apple doesn’t like to talk about it and Google even less, but they have the ability to remote wipe at the corporate level,” he said. “You’re trusting [the OS manufacturer] to watch out for malware and reach out and lock down the device.”
IT pros consider this model one of the major downsides of Apple’s high degree of control over iOS security.
“I don’t like giving up that level of control,” Le Quelenec said. “I’d prefer to have everything locked down the way I want to, but I can’t. I have to work within this framework.”
Entry points for iOS security attacks
The most probable iOS attack vector is the App Store. Despite its robust security, it’s the only mechanism for delivering executable code to iPhones and iPads (unless they’re jailbroken, of course).
“Apple vets this stuff so carefully, but it’s not beyond the realm of possibility that somebody could wrap [malware] up in some pretty innocuous-looking code,” Le Quelenec said.
Attackers could find other ways into iPhones and iPads, too. As the HTML5 protocol becomes more popular, for example, they could look for holes to exploit Web apps, Le Quelenec said.
In addition, the number of vulnerabilities in Apple’s products has grown 12% in the past five years, according to a recent report by Danish security vendor Secunia. The Secunia 2011 Yearly Report also ranked Apple seventh on a list of technology vendors with the most vulnerabilities in its products.
Apple’s vulnerabilities aren’t as high-risk as some other vendors’, but they’re still a problem because of the company’s visibility, said Stefan Frei, Secunia’s research director.
“The code is more secure, but Apple is riding on this wave of popularity and increased market share,” he said.
Addressing security requirements for iPad hospital use
Enterprise iPhone security issues and how to address them
iPhone security FAQ
Top enterprise iPad questions facing IT: Management, apps and security