With well over 100,000 apps in the Apple AppStore and the ability for users to install their own software on devices, how does a security team choose which software makes up a business tablet SOE?
In this multi-part series searchSecurity will review a number of applications to help you get started. There are some rules, however.
To be included in our list, an application must meet the following prerequisites:
- Be an approved Apple AppStore application (no apps which require a jailbroken iPad)
- If the application stores data, it must provide the ability to back that data up to a PC/Mac or to the cloud
- The application must be a native iPad application (i.e. it must run full screen)
- The iPad must be running an official release of Apple iOS (no beta code)
In this first overview we're concentrating on protecting specific information stored on the iPad. Apple has provided some built-in protection against access by an individual with the device in their cold, malicious hands.
Devices can also be configured to automatically initiate a local wipe after several failed passcode attempts. This is a key deterrent against brute-force attempts to gain access to the device. If a user repeatedly enters the wrong passcode, the iPad will be disabled for increasingly longer intervals. After too many unsuccessful attempts, all data and settings on the device will
By default the iPad will allow 10 attempts. As with other passcode policies, the maximum number of failed attempts can be established via a configuration profile or enforced over the air via Exchange ActiveSync policies.
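The failed-attempt limit and the other passcode rules above are delivered to the device as a Passcode payload inside a configuration profile (an XML plist). The following is an added example by this editor, not code from the article or from Apple: it builds two constructed profiles with Python's standard `plistlib`, then audits them against an assumed baseline. The payload type `com.apple.mobiledevice.passwordpolicy` and the keys `forcePIN`, `allowSimple`, `minLength`, `maxFailedAttempts` and `maxInactivity` are Apple's documented passcode payload keys; the baseline values, the payload identifiers and the UUIDs are this editor's placeholders.

```python
import plistlib

# Assumed baseline for a business iPad passcode payload (this editor's
# illustration, not a value taken from the article or from Apple).
BASELINE = {
    "forcePIN": True,         # a passcode must be set
    "allowSimple": False,     # no repeating or sequential codes such as 1111 or 1234
    "minLength": 6,           # minimum passcode length
    "maxFailedAttempts": 10,  # local wipe after at most this many failures
    "maxInactivity": 5,       # minutes of inactivity before the device locks
}

PASSCODE_PAYLOAD_TYPE = "com.apple.mobiledevice.passwordpolicy"


def make_profile(policy):
    """Build a minimal .mobileconfig (XML plist) holding one passcode payload.
    Identifiers and UUIDs are constructed placeholders. policy=None builds a
    profile with no passcode payload at all."""
    content = []
    if policy is not None:
        payload = {
            "PayloadType": PASSCODE_PAYLOAD_TYPE,
            "PayloadVersion": 1,
            "PayloadIdentifier": "example.passcode.policy",
            "PayloadUUID": "00000000-0000-4000-8000-000000000002",
        }
        payload.update(policy)
        content.append(payload)
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.passcode",
        "PayloadUUID": "00000000-0000-4000-8000-000000000001",
        "PayloadContent": content,
    }
    return plistlib.dumps(profile)


def passcode_payloads(profile_bytes):
    """Return every passcode-policy payload found in a profile."""
    profile = plistlib.loads(profile_bytes)
    return [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == PASSCODE_PAYLOAD_TYPE]


def audit_passcode_policy(profile_bytes):
    """Compare each passcode payload with BASELINE. Returns a list of
    findings; an empty list means the profile meets the baseline."""
    payloads = passcode_payloads(profile_bytes)
    if not payloads:
        return ["no passcode payload: the profile enforces no passcode rules at all"]
    findings = []
    for p in payloads:
        if not p.get("forcePIN", False):
            findings.append("forcePIN unset or false: a passcode is not required")
        if p.get("allowSimple", True):
            findings.append("allowSimple true: repeating or sequential passcodes are accepted")
        if p.get("minLength", 0) < BASELINE["minLength"]:
            findings.append(f"minLength {p.get('minLength', 0)}: below baseline {BASELINE['minLength']}")
        if "maxFailedAttempts" not in p:
            findings.append("maxFailedAttempts unset: no local wipe after failed attempts is enforced")
        elif p["maxFailedAttempts"] > BASELINE["maxFailedAttempts"]:
            findings.append(f"maxFailedAttempts {p['maxFailedAttempts']}: above baseline {BASELINE['maxFailedAttempts']}")
        if p.get("maxInactivity", 10**6) > BASELINE["maxInactivity"]:
            findings.append(f"maxInactivity {p.get('maxInactivity', 'unset')}: device stays unlocked longer than {BASELINE['maxInactivity']} minutes")
    return findings


# Constructed profiles: a weak one that only requires a four-digit code, and a
# hardened one that meets the baseline above.
WEAK_PROFILE = make_profile({"forcePIN": True, "allowSimple": True,
                             "minLength": 4, "maxInactivity": 15})
HARDENED_PROFILE = make_profile({"forcePIN": True, "allowSimple": False,
                                 "minLength": 6, "maxFailedAttempts": 10,
                                 "maxInactivity": 5})

if __name__ == "__main__":
    for name, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, audit_passcode_policy(profile) or ["meets baseline"])
```

Pointing `audit_passcode_policy` at a real exported profile (read the `.mobileconfig` as bytes) gives the same findings list; the weak profile above reports four gaps, the hardened one none.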
iPad supports remote wipe. If a device is lost or stolen, the administrator or device owner can issue a remote wipe command that removes all data and deactivates the device. This is typically performed using the 'Find my iPhone' app.
If the device is configured with an Exchange account, the administrator can initiate a remote wipe command using the Exchange Management Console (Exchange Server 2007) or the Exchange ActiveSync Mobile Administration Web tool (Exchange Server 2003 or 2007). Users of Exchange Server 2007 can also initiate remote wipe commands directly using Outlook Web Access.
iPad offers hardware-based 256-bit AES encryption to protect all data on the device. Encryption is always enabled and cannot be disabled by users. This feature prevents an attacker from mounting the iPad file system and accessing the data stored on the device directly.
Additionally, data backed up in iTunes to a user’s computer can be encrypted. This isn't enabled by default, but when an encrypted configuration profile is stored on the user’s device the capability is enforced automatically. Finally, developers have access to APIs which enable them to encrypt data within their own application data stores.
Unfortunately, there have been multiple blog posts detailing how to get around the iPad (and iPhone) passcode locks. Key combinations involving the emergency call functionality while pressing other keys on the iPhone are easy enough to find using your favourite search engine. Even the new Apple iOS version 5, which rumour sites suggest may be released early September, has been reported to have back doors and security issues.
So assuming the bad guy has used a passcode trick, or you've chosen one of the seven most popular passcodes, you will want to protect some of the data on your phone.
Password protection applications
We all have hundreds of logins these days and multiple login names, and using the same couple of passwords for everything is a pretty bad idea. Keeping these usernames and passwords in Notepad or Evernote isn't a good idea either, and there are a number of reputable applications which require more than just a four-digit passcode to unlock their data.
These applications are also useful for storing other information, such as bank account numbers, tax file numbers, Medicare details and loyalty programme information. All these identifiers can be used to steal your identity, so it's important to store that data securely, and not in your phone as contacts.
Keeper (Free trial, $10.49 per device for backup and sync)
This app protects your passwords with 128-bit encryption. Keeper is available for iPhone, iPad, Android, Windows Phone, Mac OS X, Windows and as a Chrome extension. Keeper also claims to support the new Cisco CIUS. There is no limit to the number of records you can store, and the encryption is based on your master password. Keeper's creators, mobile software specialists Callpod, also offer a cloud backup service. The search function is very useful, but the ability to sort records and show the expanded tree view that other applications provide could be improved.
PasswordWallet is a great deal: this app lets you back up, restore and view your saved data on your computer using the desktop client, and the purchase gets you a 25% off coupon for the desktop client. PasswordWallet can store the (encrypted) synchronised backup with a number of cloud services, including Dropbox and any WebDAV-compatible service. MobileMe is also supported, for those still using MobileMe through to June 2012.
From the eWallet website: "The file eWallet GO! saves on Dropbox is fully encrypted using 256-bit AES encryption. This means that an eWallet GO! data file using a strong password would take thousands of years to hack! Even if someone did get into your Dropbox account over the weekend, your data is safe if you stored your important information in eWallet GO!". One interesting feature is eWallet's built-in templates, which let you use a credit card template (complete with logos) to present your data.
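Keeper's note that "the encryption is based on your master password" and eWallet's "thousands of years" claim describe the same mechanism from two sides: the AES key is derived from the master password, so the key length only matters if the password is at least as hard to guess as the key. The following is an added example by this editor, not code from any of the apps reviewed (the page does not say which key-derivation function or iteration count they use): it derives a 128- or 256-bit key from a master password with PBKDF2-HMAC-SHA256 from the Python standard library, estimates the password's guessability with a deliberately crude character-class model, and works out how long exhausting the cheaper of the two would take at an assumed guess rate. The sample passwords, the 100,000-iteration default and the 10^9 guesses-per-second figure are all this editor's assumptions.

```python
import hashlib
import math
import os

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_key(master_password, salt, iterations=100_000, key_bits=256):
    """Stretch a master password into an AES key of key_bits with
    PBKDF2-HMAC-SHA256. The salt must be stored alongside the ciphertext
    so the same key can be re-derived; iterations is an assumed value."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=key_bits // 8)


def estimated_password_bits(password):
    """Crude guessability estimate: the size of the character pool implied by
    the classes present, raised to the password's length, expressed in bits.
    This overestimates real-world passwords built from dictionary words."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33  # printable punctuation and space
    return len(password) * math.log2(pool) if pool else 0.0


def effective_bits(password, key_bits):
    """An attacker tries whichever is cheaper: the password or the key."""
    return min(estimated_password_bits(password), key_bits)


def years_to_exhaust(bits, iterations, guesses_per_second):
    """Time to try every candidate when each guess costs `iterations`
    PBKDF2 rounds and the attacker sustains guesses_per_second rounds."""
    candidates = 2 ** bits
    return candidates * iterations / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    salt = os.urandom(16)  # per-vault random salt
    for pw in ("1234", "Summer11", "correct horse battery staple"):  # constructed samples
        key = derive_key(pw, salt, key_bits=256)
        bits = effective_bits(pw, 256)
        years = years_to_exhaust(bits, 100_000, 1e9)
        print(f"{pw!r:34} key={key.hex()[:16]}... effective bits={bits:6.1f} "
              f"exhaustive search ~{years:.3g} years")
```

Even with a 256-bit key, the four-digit master password falls in well under a second at the assumed rate, while the long passphrase is capped by the key length rather than the password; this is the "using a strong password" condition in eWallet's claim made concrete.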
DataVault Password Manager ($10.49)
This app has a significantly larger number of features than the options above, but because of this it may be confusing for some users. However, DataVault offers some interesting extras, including email alerts if the passcode is entered incorrectly three times. Synchronisation options include cloud services, and the desktop client is well designed. DataVault uses 128-bit AES encryption. Users moving from other iOS password applications may be able to import their databases using the desktop client.
This was first published in July 2011