Apple's iOS has the trust of enterprise IT, but users can still pose a security threat.
No software is completely secure, but iOS has a strong reputation because Apple regularly updates the operating system and strictly vets apps that developers submit to the App Store. Still, the behavior-based security risks that threaten every operating system -- such as when people click suspicious links in emails or don't set device passcodes -- should have IT's attention. As a result, the most important Apple iOS security measure organizations should take is to educate their users.
"You can make all the security advancements you want in hardware and software, but if a user just gives their password away, that's all for naught," said Erik Lightbody, assistant director of technical services at Saint Michael's College in Colchester, Vt. "Your security precautions go out the window just by someone clicking a link."
A strength of Apple iOS is its users update the OS more frequently than those of other mobile OSes, which allows users to have the latest security features and patches. Nearly 80% of iOS devices were updated to the newest version, iOS 10, in February, while 16% still needed to upgrade from iOS 9, according to Statista. In comparison, just 6.6% of Android users updated to the latest version of the OS, Android 7, in May, while 31.2% were still on Android 6, and 23.3% were still on version 5.1, according to Statista.
While iOS users are typically more up to date than Android users, there are still many mistakes users make that can affect Apple iOS security.
The most common Apple iOS security issue that IT experts see today is the threat of phishing attacks, which send deceptive links to websites that install malware or trick users into giving up their personal information. To avoid these, IT can whitelist or blacklist websites or install software that detects suspicious sites before users visit them. The most effective way to address phishing, however, is to make users aware of the threat and how to identify suspicious links.
"Educating people is more effective than any security software you can purchase," Lightbody said. "If people know what they're doing, they won't do things they shouldn't be doing."
Lack of passcodes
Another behavior that threatens Apple iOS security is users turning off passcode protection on their devices. Without a passcode, if a device is lost or stolen, any data on it is readily accessible.
"Training and education is hugely important," said Eric Klein, director of mobile software at VDC Research Group Inc. in Natick, Mass. "Organizations need to communicate with users and employees and go over issues on a regular basis to be proactive about security."
Erik Lightbodyassistant director of technical services, Saint Michael's College
Saint Michael's College had problems with students and faculty not putting passcodes on their devices, for instance. But the school recently switched to Microsoft Exchange, which by default requires all mobile devices that access the server to have a passcode.
It's a good policy because it's safe to assume users have sensitive data in their email, Lightbody said.
Organizations can also adopt enterprise mobility management tools to enforce the use of passcodes and remotely wipe devices in the event they are lost or stolen.
A less common but still serious issue is the threat of compromised apps in Apple's App Store.
"One of the biggest things iOS has going for it is the rigidity in the App Store," Lightbody said. "Apple signs off on everything. It's a lot harder to get malicious malware on there."
This doesn't mean that every app is safe. There have been highly publicized security problems deriving from malware in the App Store, such as the XcodeGhost attack in 2015 that infected 4,000 apps.
"Anyone who tells you they're 100% secure because they have an Apple device is living in la la land," said Jack Gold, founder and principal analyst of J. Gold Associates, a mobile analyst firm in Northborough, Mass.
Downloading a malicious app from the App Store isn't the user's fault, but there are some steps they can take to recognize suspicious apps. Because Apple containerizes all apps on iOS, these apps can't communicate with each other unless the user grants permission. If a single-purpose app, such as a flashlight app, asks for access to contacts or location services, the user should recognize that as an odd request.
Users should also be aware of alerts from Apple or their IT departments warning of malicious apps. When Saint Michael's College discovers a security issue with an iOS app, IT alerts users by email and social media.
Follow these Apple iOS data protection best practices
Compare Android vs. iOS security
EMM platforms the go-to for mobile 2017