New, Surprising Facts About iPhone Security

| Analysis

iPhone securityWith all the emphasis Apple puts on iPhone security, one would think that it’s a backburner issue. But there are interesting new developments, and so I had a chat with Juniper Networks to find out more.

Initially, Juniper Networks sent me a copy of its report, “Trusted Mobility Index,” a rather dry title, but full of interesting tidbits about the state of mobile security. That’s a subject near and dear to my heart, so I followed up, and I was invited to chat with Dan Hoffman, Juniper’s Chief Mobile Security Evangelist. That resulted in some interesting revelations.

However, before I go into the the discussion we had, I want to, and have permission to, quote extensively from the report.

The first thing I ask about a survey is the methodology, and Juniper was kind enough to supply that. I’ve cited that at the end of this article so we can get on with the fun stuff straightaway.

Results

The report is short, but is chock full of good information. What follows is a 10,000 meter view and the important results.

Complex Mobile Landscape

The first thing that Juniper confirmed, for me, was that mobile users have lots of diverse equipment connected to the Internet. The average user has three mobile devices and 18 percent have five or more. For example, eReaders, tablets, smartphones and video game systems. Right away, one can see how that creates maintenance and oversight obligations. With that, here’s the first finding:

People are using their mobile devices to access the most sensitive personal information. Over three-quarters (76 percent) of global respondents report they use these mobile devices to access sensitive data, such as online banking or personal medical information.

This trend is even more pronounced with those who also use their personal mobile devices for business purposes. Nearly nine in ten (89 percent) business users, often referred to as prosumers, say they use their mobile device to access critical work information.”

BYOD

A new trend in the business world is Bring Your Own Device (BYOD). That is, rather than spend corporate funds to buy each employee a smart phone, which can run into millions of dollars, employees are told, if you want to work here, own your own smartphone. While that saves money, it also causes the IT managers to lose control. For example, an employee may not bother to (or forget to) password protect an iPhone with sensitive, corporate data and then lose it in an airport. The data could be compromised before the owner can invoke a remote wipe.

Juniper -1

What problems does BYOD cause? (Used with permission)

The New Target

The bad guys have the technology and the incentives to go after modern mobile devices, according to Mr. Hoffman. Juniper’s Threat Center has tracked a significant growth in assaults on mobile devices which, as noted above, have increasing sensitive and personal information. Mr. Hoffman characterized the threat five years ago as non-existent. Nowadays, he said, “it’s unprecedented.”

Who Do You Trust?

All the above brings up the subject of trust. Who do users trust to protect their privacy, credit card info, and so on? Online shopping sites earned the most trust, followed by banks. Least trusted were social networking sites and, interestingly, healthcare services.

What interested me was the page on Key Factors in Trust.

When asked whom they hold most responsible for protecting their sensitive data, 63 percent of mobile users hold those they often have the most direct relationship with accountable –- service providers. [“Wireless carriers.” - JM] Service providers were followed by device manufacturers (38 percent) and, last, software security providers (34 percent).”

 

Juniper 2

Who do users trust to protect their data? (Used with permission)

That sequence raised a question for me, and that was whether mobile users ever consider that their personal policies and practices come into play when it comes to securing their data. By and large, confirmed by Mr. Hoffman, the answer is no. I’ll get into that more below.

The Interview

Mr. Hoffman and I chatted for about 25 minutes, and I learned a few interesting things. Because Apple has assumed so much responsibility for the security of iPhones, users tend to take it for granted that all’s well. There are precious few tools available for iOS that alert the customer or allow them to assess the state of the security of their iPhone —so they don’t bother. Pressured either by business necessity or trust in Apple, customers don’t seem to make conscious decisions to restrict or control the information they may have. Mr Hoffman put a fine point on it with a famous quote, “Trust but verify.”

Also, Mr. Hoffman mentioned that he doesn’t have sense from the survey that Android users are any more cautious than their iOS counterparts.

The chart above suggests that the third tier of trust is the “Software security providers.” Interestingly, in the case of iOS, there are precious few of those software tools. In 2011, Intego did introduce Virus Barrier for iOS, but my personal take was that a lot of customers snickered, and it hasn’t been widely adopted. As a result, the burden is placed by customers on 1) the carrier to police its network and 2) the device manufacturers.

Finally, I asked Mr. Hoffman if they were developing any kind of personal security evaluation tool for, say, iOS. He mentioned, in passing, that the very structure that promotes security in iOS, sandboxing, API restrictions and other Apple developer policies make it very difficult for a single app to get a global feel for the state of an iOS system.

Worse, this makes IT managers nervous. Because they don’t have control and don’t have a good window into what’s happening inside iOS, they are increasingly turning to Android. The intrinsic security of Android may be considered by some lower overall than iOS, but the openness of Android affords the opportunity for apps to be built that can better assess the security state of an Android device.

It’s a classic case of leaving the frying pan to jump into the fire.

As a result of the restrictions placed on iOS, Mr. Hoffman pointed out that it makes more sense to monitor an iOS device from the network, an external view, that shows what the device is doing, who it’s talking to, and what data is being transmitted. This is an ongoing area of research for IT managers.

Summary

I found the report both interesting and eye-opening. My take is that after all those years of struggling to keep our desktops secure, we all may have let out a sigh of relief regarding the simplicity and security of our iPhones and then iPads. There’s been so much written about Apple’s control and security measures for iOS, they many of us may have simply stopped worrying about it. As a result, we don’t consciously have a plan and policy for how to utilize our mobile devices and sensitive data. Or security tools to help assess the situation. Of course, ironically, that’s exactly what both Apple and the bad guys want.

________________________

Methodology

The first Juniper Trusted Mobility Index global survey was conducted by StrategyOne, an independent research firm, on behalf of Juniper Networks. The field dates were March 9 – 26, 2012. Interviews were conducted online in local languages in five countries: United States, United Kingdom, Germany, Japan and China. The total sample sizes were 2,519 consumers who own at least one mobile device and 1,518 IT decision-makers (ITDMs).

For the purposes of this study, ‘Consumers’ are a representative sample of adults (aged 18+) who own at least one mobile device. ‘ITDMs’ are those ‘currently employed as an IT Professional in a role making decisions about which products and services one’s company uses.’ ITDMs in this study included employees of large, mid-size and small companies at the senior management, middle-management and individual-contributor level and across a broad cross-section of industries.”

Sign Up for the Newsletter

Join the TMO Express Daily Newsletter to get the latest Mac headlines in your e-mail every weekday.

4 Comments

James

In 2011, Intego did introduce Virus Barrier for iOS…

In 2012, I think I will introduce iOS Tiger Barrier. It protects your from all Tigers. I think it is likely to be just as effective as Virus Barrier for iOS. No Tiger attacks yet!

ibuck

Good article, John. I am disappointed with Apple’s failure to provide more options for securing the data on my personal iOS devices than they do. A Passcode that must be entered every time I use the device is an inconvenient pain; so my devices aren’t configured that way. Ideally, the Home button would read my fingerprint and only require my passcode entry when that biometric fails.

But since that’s not yet available, why can’t I configure the Passcode to work intermittently, or after so many minutes, and/or only for certain apps—like Contacts? Crucial apps would all have preferences that specify when and how often the passcode is required. And after a few failures would shut down the device or erase all the data or send an alert. Or some combination of these. Apple should demand such levels of security from developers, but only after implementing better security for iOS itself.

adamC

Apple is still behaving like a startup is because tech bloggers are looking for the weak chinks in their armor to write about and security companies looking for more business.

And a lot of people are also telling them what they should be doing and the worst of the lot even pour scorn on any of their upcoming ventures.

Totally sad.

immovableobject

@iBuck

“...why can?t I configure the Passcode to work intermittently, or after so many minutes?”

In Settings > General > Auto-Lock you can specify delays of 1 to 5 minutes in one minute increments.  This isn’t as versatile as your other suggestions, but is better than nothing.  For better or worse, Apple tends to prefer simplicity rather than overwhelming users with options.

Log-in to comment