I had the chance to briefly look at an iPad today, with the idea of checking out, at least on a superficial level, its security functionality.
My overall impression? A really nice device, with a good touchscreen; although I’m tempted, I can’t imagine what my greasy fingers would do to it – and my iPod Touch 2G scratched pretty easily even with casual use, despite its nice case. It seemed fast enough, with tons of screen space. I’m not exactly sure what I’d do with it (I love typing and am a bit clumsy with things like finger/mouse gestures and with my iPod’s – admittedly minuscule – on-screen keyboard), although my friend Ant came up with the best use I can imagine — photographers showing off their portfolio to potential clients. The same would go for company presentations/electronic note-taking and doodling, and casual news/magazine/book reading, I guess.
In terms of usability, it’s been reviewed to death.
But I was not able to find much of any use regarding data protection and encryption, particularly in an enterprise environment. Privacy and confidentiality issues seem to be limited to personal use, and nobody appears to have done a comprehensive overview, not of its guts, but of security applications in the business world.
The September MISC Magazine (France) has an interesting section on iPhone security, with a lot of detailed technical analysis. By comparison, Apple’s overview of iPad security in the enterprise (pdf) is marketing fluff. Most of the other articles I was able to find were either breathless “the iPad will bring XYZ to your company!” garbage, or fluff pieces of the “in order to secure the iPad in the enterprise, ensure you have proper enterprise security” variety that bored security consultants like me write when they have nothing better to say.
The device I looked at was a 64GB model with GSM (no SIM card), running iOS 3.2.2. This release appears to fix certain vulnerabilities (among them remote privilege escalation, used by past jailbreaks), but it still seems to be vulnerable to a few issues. This is an attempt to collect the useful bits I found; the information may be superseded by the time you read this, so do your own research.
The risks I can identify are the following:
- danger of sensitive information compromise from a stolen (or less likely, network-accessed) iPad
- danger to the company network from an iPad connected via wireless/VPN
Security features include:
- Mandatory AES256 filesystem encryption. Although I couldn’t find specifics on this, I assumed it was similar to OS X’s FileVault. This is apparently not the case: the encrypted image can easily be accessed via a jailbreak, e.g. RedSn0w, allowing access to files. It looks like the disk crypto offers no protection against this.
- Numeric PIN code, which can auto-lock the device after 2/5/etc. minutes (or never), plus manual lock with the top button. PIN protection can also be used to restrict apps (more on that in a moment). The PIN protection is laughable (4 numbers, no more, no less). iOS 4.1 looks like it fixes this, but it is not out for iPad at the moment.
- Auto-wipe after 10 failed PIN attempts. This is disabled by default in 3.2.2.
- Application restrictions. Not much of a security measure; it allows prevention of access to applications based on the iTunes App Store’s age rating. You cannot choose which apps to restrict access to, nor is it possible to allow on-the-fly “unlocking” via PIN code of apps.
- Password encryption of backups via iTunes. This is purely local (on the PC the iPad is being backed up to); Jonathan Zdziarski showed this summer that backup encryption is vulnerable. That said, iTunes device backup is a purely secondary protection mechanism; I would suggest trying to convince employees never to back up sensitive files to their personal PCs anyway.
- Cisco VPN, including L2TP
- Remote wipe using MobileMe — if there is a GSM or wifi connection. MobileMe costs $99 a year. This is also possible via the Exchange management console (over Exchange ActiveSync) or via Outlook Web Access if configured. Again, requires connectivity. Steve Jobs confirmed that there exists a remote kill switch for iPads in case of rogue applications; this would concern me enormously from a compliance perspective — not for the possibility of data loss, but as it implies remote third party access.
- Centralized management is possible in the form of XML configuration files deployed via Apple Push Notification Service, allowing setting of such options; the Apple iPhone configuration tool is used to generate such configurations. Apple has some resources on enterprise management of iPads/iPhones.
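As an added example (not part of the original post, and not Apple's tooling), here is one way to audit such an XML configuration profile for the weak settings listed above: short PIN, no auto-wipe, no auto-lock. It assumes the key names of Apple's passcode policy payload (`com.apple.mobiledevice.passwordpolicy`); the sample profile and the thresholds are constructed for illustration.

```python
import plistlib

PASSCODE_TYPE = "com.apple.mobiledevice.passwordpolicy"

# Constructed sample (not from the page): a passcode payload that only
# enforces a simple 4-digit PIN, with no wipe or auto-lock settings.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
    <key>forcePIN</key><true/>
    <key>allowSimple</key><true/>
    <key>minLength</key><integer>4</integer>
  </dict></array>
</dict></plist>"""


def audit_passcode_policy(profile_bytes, min_length=6, max_idle_minutes=5):
    """Return findings for the passcode payload(s) in a configuration profile.

    min_length and max_idle_minutes are example thresholds, not Apple defaults.
    """
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if isinstance(p, dict) and p.get("PayloadType") == PASSCODE_TYPE]
    if not payloads:
        return ["no passcode payload: device defaults apply"]
    findings = []
    for p in payloads:
        if not p.get("forcePIN", False):
            findings.append("forcePIN: passcode not enforced")
        if p.get("minLength", 0) < min_length:
            findings.append("minLength: shorter than %d" % min_length)
        if p.get("allowSimple", True):
            findings.append("allowSimple: repeated or sequential values accepted")
        if not p.get("requireAlphanumeric", False):
            findings.append("requireAlphanumeric: digits-only passcode accepted")
        attempts = p.get("maxFailedAttempts")
        if attempts is None or attempts > 10:
            findings.append("maxFailedAttempts: no wipe within 10 failed attempts")
        idle = p.get("maxInactivity")  # minutes before auto-lock
        if idle is None or idle > max_idle_minutes:
            findings.append("maxInactivity: auto-lock unset or too long")
    return findings


if __name__ == "__main__":
    for finding in audit_passcode_policy(SAMPLE_PROFILE):
        print(finding)
```

Whether a given iOS release honors each key is something to verify on a test device before relying on the profile.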
Computerworld wisely suggests using something like 1Password for more granular access control over files. Applications like Lockdown or Locktopus (both jailbreak required) provide password protection on a per-application basis; a quick Google search didn’t turn up any Apple-sanctioned apps that do this.
Concerning danger to corporate networks from iPads, the only thing I can come up with is rogue jailbroken apps, and the very low probability that something bad is successfully smuggled into the Apple app store (as has happened in the past). The danger from these would be minimal if the iPad is only sync’ed with a company PC via USB, rather than being allowed to access the company network via wireless or VPN. If you are running an internal wireless network, that’s in front of a dedicated firewall anyway, right?
As always, a little user education goes a long way. Users who buy their own iPads, in particular, are less likely to lose them, turning Apple’s obscene pricing policy into a bit of a positive thing. If users can avoid connecting external USB devices, restrict themselves to installing only the apps they need, and practice a bit of discipline in terms of what they do with the device, iPads look like a reasonable choice for low-security data. I wouldn’t put anything secret on one, though.