The iPad is one of the safest computing devices you can use. Its combination of hardware and software security translates to a device that’s probably more secure than your PC or Mac—especially if you take the right steps to secure it.
Because there are currently no known remote attacks against iPads, the biggest security risk is physically losing the device. Thus, the first step is to make sure your tablet’s data is safe in case it’s lost or stolen. For that, I’d suggest a combination of encryption and remote wiping.
Passcodes and encryption
All iPads ship with powerful hardware encryption built in, but you need to enable it. The simplest way to do that is to set a passcode on your iPad: As soon as you do, your data will be automatically encrypted. To enable a passcode, go to Settings -> General -> Passcode Lock and then enter a four-digit code twice. If you’d like to be extra-safe, you can turn off the Simple Passcode option on that same page; you can then use longer codes. While you’re there, you should also set Require Passcode to no more than 15 minutes and turn Erase Data on. (Technically, the iPad deletes your encryption key, not the actual data, but that’s faster and just as effective.)
All modern iOS devices also come with a second layer of encryption, called Data Protection. While the basic encryption enabled by turning on passcodes protects all of the data on the device (including your apps), it can be bypassed by jailbreaking. Data Protection encrypts your e-mail messages and their attachments; it can’t be broken even if the passcode is stripped by jailbreaking. Data Protection is also available for programmers to use in apps, but few take advantage of it. (At this time, there aren’t any jailbreaks for the iPad 2, so the basic encryption is still safe; but that probably won’t last forever.)
Enhance the passcode
To make the iPad’s built-in security features even more powerful, you can use Apple’s (now poorly named) iPhone Configuration Utility. Designed to help enterprises manage iOS devices, it opens up a suite of additional security and business settings, even for individual users.
To start, click on Configuration Profile -> New, and select Passcode from the list that appears. In the subsequent Passcode pane, you have all kinds of options; the settings here override your iPad’s. At the very least, you can specify a minimum length to the passcode.
To activate these password settings, you’ll have to fill in some information on the General tab too—specifically, the name and identifier of the profile. If this is a device that only you will use, you can set the Security drop-down to Always. (That allows you to remove the profile whenever you want.) If you’re configuring an iPad to be used by someone else, you can set it for Never or With Authorization (and then provide a password) so that someone else can’t change the settings without your permission.
Installing the profile is easy: Click Share to e-mail it to your iPad. On the tablet, you then open Mail, find the message, click on its attachment, and select Install. You can also export the profile to a downloadable file and install with the iPad’s copy of Safari.
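The profile the utility exports is an XML property list, so the passcode settings described above can be generated and checked outside the GUI. The following is an added example, not code from this article or from Apple's utility: it builds a profile with a passcode-policy payload and audits it against the advice given earlier (no simple passcodes, a code longer than four characters, Require Passcode at 15 minutes or less, Erase Data enforced). The com.example.ipad identifier and the two sample profiles are constructed placeholders.

```python
import plistlib
import uuid

POLICY = "com.apple.mobiledevice.passwordpolicy"  # passcode payload type

def build_profile(identifier, name, min_length=8, allow_simple=False,
                  grace_minutes=15, max_failed=10, removable=True):
    """Return .mobileconfig bytes carrying one passcode-policy payload."""
    def header(ptype, ident, display):
        return {"PayloadType": ptype, "PayloadVersion": 1,
                "PayloadIdentifier": ident, "PayloadDisplayName": display,
                "PayloadUUID": str(uuid.uuid4()).upper()}
    policy = header(POLICY, identifier + ".passcode", "Passcode")
    policy.update({
        "forcePIN": True,                 # a passcode must be set
        "allowSimple": allow_simple,      # False rejects codes like 1111 or 1234
        "minLength": min_length,
        "maxGracePeriod": grace_minutes,  # minutes after locking with no code asked
    })
    if max_failed is not None:
        policy["maxFailedAttempts"] = max_failed  # erase after this many wrong codes
    profile = header("Configuration", identifier, name)
    profile["PayloadRemovalDisallowed"] = not removable  # Security: Always vs. Never
    profile["PayloadContent"] = [policy]
    return plistlib.dumps(profile)

def audit_profile(data):
    """List where a profile falls short of the article's passcode advice."""
    content = plistlib.loads(data).get("PayloadContent", [])
    policy = next((p for p in content if p.get("PayloadType") == POLICY), None)
    if policy is None:
        return ["no passcode payload in profile"]
    findings = []
    if not policy.get("forcePIN", False):
        findings.append("passcode not required")
    if policy.get("allowSimple", True):
        findings.append("simple passcodes allowed")
    if policy.get("minLength", 0) <= 4:
        findings.append("minimum length not above four")
    if policy.get("maxGracePeriod", 16) > 15:
        findings.append("Require Passcode exceeds 15 minutes")
    if "maxFailedAttempts" not in policy:
        findings.append("Erase Data not enforced")
    return findings

# Constructed sample profiles; the identifier is a placeholder.
WEAK = build_profile("com.example.ipad", "Weak", min_length=4,
                     allow_simple=True, grace_minutes=60, max_failed=None)
HARDENED = build_profile("com.example.ipad", "Hardened")
```

Running audit_profile on a profile exported from the utility before e-mailing it to the iPad shows which of the recommended settings it does not enforce.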
Enable remote wipe
Remote wiping is an important security tool that allows you to delete the data on a lost iPad if and when it connects to the Internet. If you have a MobileMe account, you can set this up by enabling Find My iPad in Settings -> Mail, Contacts, Calendars -> MobileMe. Business users who connect to a Microsoft Exchange server (or Exchange alternatives such as Kerio Connect) can wipe their devices using Exchange ActiveSync support. This is managed on the server, not your device, so you’ll need to work with your IT administrator.
Remote wipe only works if there’s a network connection. That’s one reason why some companies purchase 3G iPads with data plans only.
Good safety practices
That takes care of the set-up. But there are also things you can do in daily use to make your iPad more secure.
One part of that is making your network connections as secure as possible. One of the best ways to do so is to use a VPN.
Another way is to use secure connections for e-mail. Microsoft Exchange servers encrypt data by default. If you use an IMAP or POP3 server, and it supports SSL, you can go to Settings -> Mail, Contacts, Calendars -> your account -> Advanced on your iPad and enable it there.
Although Data Protection encrypts your e-mail attachments, the moment you send them to an app such as Pages, they are protected by the iPad’s basic encryption only. If you’re really worried about such documents, you can use a special secure e-mail server tool like Good for Enterprise and its free companion iPad app. Good locks encrypted e-mail attachments (and files downloaded from its secure browser) inside the app, which means you can read them, but not edit them.
If you do lose your iPad, one of the first things you should do is change your password on any services—such as Dropbox or iDisk—that you connected to from it.
Finally, consider getting the 1Password Pro app. It enables good password habits (a different, complex password for every site), it syncs with your Mac and other devices over the network or via Dropbox, and it stores secure notes and other information as well as passwords. It even includes its own embedded Web browser for logging into sites without having to copy-and-paste your credentials.
Rich Mogull has worked in the security world for 17 years. He writes for TidBITS and works as a security analyst through Securosis.com.