Can Apple iOS devices gain confidence of IT security pros?
There’s great enthusiasm for using iPhones and iPads in the workplace, but experts say Apple’s limited transparency about security issues can make enterprise adoption problematic.
IBM’s Chief Information Officer Jeanette Horan recently struck a nerve when she said Big Blue regards Siri on employee iPhones a sensitive security issue and disables it because the voice interactions are uploaded to Apple computers in the cloud.
Already, there had been suspicion as well as curiosity about what Apple might be doing in the background with Siri. Apple does briefly note in its legal licensing terms it will do this Siri uploading. But despite calls for more information about how Apple stores and analyzes the voice data it may be collecting this way, Apple hasn’t offered any explanation, which only heightens the ill ease for some.
It’s not surprising that Apple needs to process human speech and complex speech responses in the cloud, says Chris Eng, vice president of research at Veracode. “It takes computational power,” he says. “The phone may not have the power to do that.”
But what he finds troubling is that so little is known about what Apple might be doing with the Siri-based voice data it collects. “Are they warehousing it? If I’m making an effort to purge information, I’m probably going to come out and say that this isn’t being stored. They should come out and say it isn’t being stored.”
But since Apple hasn’t shown an inclination to discuss this in depth, despite repeated inquiries from Network World and others, there’s no way to understand what’s going on in that Apple cloud.
“You can see why IBM is concerned,” Eng says.
“Siri is more of a novelty now, an infant technology,” says Daniel Ford, chief security officer at Sterling, Va.-based mobile risk management vendor Fixmo. “It’s gathering data about you, digitizing it, and sending it to Apple’s cloud.” He said he thinks Apple doesn’t share the information with anyone else, but he acknowledges, “We don’t know how Apple is parsing it.” He says it’s not surprising enterprises would want to turn it off.
“Siri scares the hell out of me, to be honest,” says Paul Henry, security and forensic analyst at Lumension, adding that Apple has provided no explanation about what it’s mining the Siri data for, if anything. He points out Apple has incited privacy and security concerns before, when it was recognized that Apple was sending location data back to Apple, purportedly to use for targeted ads.
Apple is going to find it hard to win the confidence of the enterprise security manager without addressing Siri, Henry says. Google and Microsoft, as well as VMware, have all been better than Apple in disclosures related to security in their products. But Apple, which is consumer-focused, hasn’t yet reached the level of response that IT security managers traditionally expect, he notes.
But Henry also notes that Apple shows definite signs of change in wanting to be more responsive about security in order to have its Apple iOS smartphones and tablets adopted in the enterprise and government sectors where strict security and detailed technical understanding may be demanded.
For one thing, Apple quietly in the last week or so released “iOS Security, May 2012” that for the first time puts into a simple document an explanation about security in iOS devices, says Henry. He notes it’s not as though no one knew anything about them at all before, with the research community probing Apple mobile devices for years, but the new document represents Apple’s attempt to finally formally explain to the enterprise what’s going on under the covers.
The Apple “iOS Security, May 2012” document is a simple technical explanation of how file-data protection, encryption, passcode system, certificate-signing process, secure boot chain, VPN use, network security, Wi-Fi and device access are all intended to function securely. Many are certain to want to hear more.
In addition, Apple in the past few months worked with the Australian government’s Department of Defence to issue a guide for hardening iOS devices, Henry points out. “This all clearly shows that Apple is trying to embrace the enterprise system,” he concludes, though many will still question if the iPhone and iPad are enterprise-ready at this point. He adds he does like Apple’s basic security model, though, which works to prevent unauthorized apps from devices, much like a whitelisting function.
[Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.]