Apple iPad, Day 24: Securing and Protecting the iPad
By Tony Bradley, PCWorld
30 Days With the iPad: Day 24
One of the realities of using a PC is that it needs to be protected from malware, and the data it contains must be secured to prevent unauthorized access. The security concerns for tablets may be different, but the iPad still stores plenty of sensitive data, and there has to be a way for me to protect that data if the iPad is going to replace my PC.
Whether you have a 16GB, 32GB, or 64GB iPad, there is plenty of room there for sensitive data. Without some security measures in place, if my iPad were lost or stolen it could grant access to my email, social networks, contacts, calendar events, personal photos and videos, and any files stored on the iPad itself.
I don’t really care if a thief gets access to my collection of David Cook, Lady Gaga, Staind, and Colbie Callait MP3s, or even my digital copy of Harry Potter and the Half-Blood Prince. No worries. However, I’d rather not expose my emails, contacts, or access to the data I have stored on Box.net.
As with any platform, security on the iPad is a balancing act. The more convenient it is to use, the less secure it is. The more secure it is, the less convenient.
For example, it would be more secure if apps like MyPad+, Box.net, or Twitter for iPad didn’t store my credentials, but then it would be a pain to have type them every time I want to access those apps. I don’t want to enter my username and password every time I want to check my email, but it would make my email more secure.
Some apps–the apps where money can actually be spent–do offer additional protection. My Starbucks app, Amazon.com, and even the Apple App Store app all require that I enter a PIN or password before a transaction.
I choose to strike a balance that locks the iPad when not in use, but stores credentials to make it more convenient to use when it is unlocked. In the iPad Settings, under General, there is a section that deals with iPad security.
The first setting determines if or when to auto-lock the iPad. I can set the iPad to automatically lock after two, five, ten, or fifteen minutes of inactivity–or never. I have this set for five minutes. I understand, though, that by setting it to five minutes I am also leaving a thief a five minute window of opportunity. As long as someone initiates some activity on the iPad within those five minutes, the auto-lock will not kick in and the thief could have access to the contents of my iPad.
The second setting is for the Passcode Lock. By default, the iPad does not require any sort of PIN or password. I can turn on a passcode with this setting. The standard passcode for the iPad is a four-digit PIN. There is an option to disable the simple passcode, though, which then lets me assign an alphanumeric password of variable length.
I can also determine how much time can pass before the passcode is required. I can choose Immediately, or after one minute, five minutes, fifteen minutes, one hour, or four hours. In theory, I could set the iPad itself to auto-lock after five minutes, but set the passcode not to be required until fifteen minutes. That means that at five minutes I have push the home button and swipe to wake the iPad up, but I wouldn’t have to enter a passcode until fifteen minutes (and neither would a thief).
Again, security counters convenience and requires some sort of balance. Setting the passcode to be required immediately might be too tedious and inconvenient, but setting the passcode to be required after four hours is pretty useless. I have my passcode set for five minutes–just like my auto-lock.
One other important security feature in the General Settings is the setting to erase all data after too many failed login attempts. A dedicated attacker may eventually be able to crack a passcode given a limitless number of attempts. By enabling the Erase Data setting, the iPad will automatically erase all data on the iPad after 10 failed passcode attempts.
There is also a setting to turn on or off the feature on the iPad 2 that automatically locks the tablet when the SmartCover (or any other cover designed to take advantage of the magnets in the iPad 2) is closed. If you set the passcode to be required immediately, you can ensure that the iPad is protected every time you shut the cover.
These iPad settings help secure the tablet from unauthorized access, and protect the data it contains. They don’t do anything, however, for malware or phishing attacks. Malware attacks targeting the iPad don’t really exist…yet. That doesn’t mean they can’t or won’t. There are a handful of anti-malware apps already available, and I am sure there will be more to come.
When it comes to phishing attacks, and socially engineered attacks like those on Facebook, common sense is still the best defense. You simply have to have enough awareness not to click on suspicious or questionable links, and not to fall for breaking news video scams, or bank account password scams, or any other phishing attacks.
The settings on the iPad may be fine on an individual basis, but for iPads in a business environment, IT admins need more control, and they need the ability to control security policies and protect data remotely–rather than having to configure the security settings on each individual iPad. For IT admins, there are more robust tools and platforms for managing iPads, but we’ll look at those another day.
My iPad doesn’t have the antimalware, anti-spam, or anti-phishing tools that my Windows 7 notebook does, but it doesn’t really need tools like that at this point. When it comes to preventing unauthorized access and protecting data, though, the iPad seems to have adequate security available–but much of it is not enabled by default and requires conscious effort to configure.