An iOS device is only as safe as the apps your users are allowed to load, says security analyst.
As more business smartphone users demand remote access to corporate documents, organisations need to be wary of what app makers mean when they claim their apps are “business class”.
Symantec recently gave Apple’s iOS devices the thumbs up for enterprise use, at least compared with Android, thanks to iOS encryption, application sandboxing and Apple’s process for vetting apps.
But third-party iOS business apps that store corporate information may still undermine the organisation’s security controls, and are one more reason to enforce a policy that requires more than the stock-standard four-character password consumers use.
The key feature to look for in apps that staff use to remotely access corporate files, or to store files locally on the device, is support for Apple’s Data Protection application programming interface (API), NSS Labs chief research officer Bob Walder explained to CSO.com.au.
“Data Protection is not full disk encryption, although encryption is turned on globally. However, it only encrypts data in applications that support the Data Protection APIs. Out of the box, that is the iOS Mail client, for example,” says Walder.
While some remote-access business apps support Data Protection, others, like Readdle’s document viewer, which has received positive reviews for its ease of use, fail the security test.
“Folks like Readdle make a big deal out of pushing their apps as business-class apps, yet spend more time making nice user interfaces and not enough securing the data that they are supposed to be protecting,” says Walder.
Commercial apps that Walder notes do support Data Protection include GoodReader, USB Disk Pro, mobilEcho and Box.net.
“These apps will typically be used to access corporate docs, in some cases storing locally outside the control of corporate IT. That data needs to be encrypted.”
Apps that take advantage of Apple’s Data Protection API also provide another layer of security, preventing an attacker from reading the information even if they manage to bypass the passcode or jailbreak the device.
“If someone jailbreaks my iPhone they will be able to access all of the documents stored in the ReaddleDocs or PDF Expert (Readdle) sandbox because the iPhone will decrypt on the fly as the data is accessed,” Walder points out.
In that case Apple’s encryption would remain intact, but the information would still be available to an attacker. The same would not be true had the app used the Data Protection API available to it.
“Jailbreaking or bypassing the passcode does not break encryption - it merely bypasses the basic protection on the device. Anything stored using Data Protection APIs will remain encrypted even following jailbreak,” Walder stresses.
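How an app opts a file into Data Protection, and how a reviewer can audit what an app actually did, as an added Swift example; this is not code from the article or from any of the apps it names. It assumes the files live in the app’s own Documents directory, and the file names and sample document bytes are hypothetical, constructed for the example.

```swift
import Foundation

// Added example (not code from the article or from any vendor it names).
// Contrasts a file written with no Data Protection class against one written
// with NSFileProtectionComplete, then reads the class back so a reviewer can
// check what an app really did with the documents it stores.

// Constructed sample document; not a real corporate file.
let sampleDocument = Data("Constructed sample: Q3 board pack".utf8)

/// Returns the URL of a file inside the app's Documents directory (hypothetical name).
func documentsURL(for fileName: String) throws -> URL {
    let documents = try FileManager.default.url(for: .documentDirectory,
                                                in: .userDomainMask,
                                                appropriateFor: nil,
                                                create: true)
    return documents.appendingPathComponent(fileName)
}

/// Weak setting: only the device-wide encryption Walder describes applies.
/// Once the passcode is bypassed or the device is jailbroken, iOS decrypts
/// the file on the fly for anyone who can read the app's sandbox.
func writeUnprotected(_ data: Data, to url: URL) throws {
    try data.write(to: url, options: [.atomic, .noFileProtection])
}

/// Hardened setting: NSFileProtectionComplete ties the file's key to the
/// user's passcode, so it stays encrypted whenever the device is locked,
/// jailbroken or not. The file is unreadable while locked, so the app must
/// not touch it from background work that may run on a locked device.
func writeProtected(_ data: Data, to url: URL) throws {
    try data.write(to: url, options: [.atomic, .completeFileProtection])
}

/// Audit helper: reads the protection class iOS recorded for a file.
func protectionClass(of url: URL) throws -> FileProtectionType? {
    let attributes = try FileManager.default.attributesOfItem(atPath: url.path)
    guard let raw = attributes[.protectionKey] as? String else { return nil }
    return FileProtectionType(rawValue: raw)
}

/// Lists every file in a directory that is not under Complete (or
/// CompleteUnlessOpen) protection: the check an IT reviewer would run
/// against an app that markets itself as "business class".
func unprotectedFiles(in directory: URL) throws -> [URL] {
    let contents = try FileManager.default.contentsOfDirectory(at: directory,
                                                               includingPropertiesForKeys: nil)
    return try contents.filter { url in
        let cls = try protectionClass(of: url)
        return cls != .complete && cls != .completeUnlessOpen
    }
}

// Usage inside an app target (file names are hypothetical):
// let weak = try documentsURL(for: "unprotected.pdf")
// let strong = try documentsURL(for: "protected.pdf")
// try writeUnprotected(sampleDocument, to: weak)
// try writeProtected(sampleDocument, to: strong)
// let leaks = try unprotectedFiles(in: weak.deletingLastPathComponent())
```

The audit deliberately treats NSFileProtectionCompleteUntilFirstUserAuthentication as unprotected: a file in that class is decryptable from the moment the user first unlocks the device after boot, which is the window a jailbreak or passcode bypass is exercised in, so it does not give the guarantee Walder describes for Data Protection.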