Up in the Cloud: Debating How to Secure iOS 5

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  

The question is about as blunt as they get in IT security: Is enough being done to deem iPhones and iPads reliable and trustworthy, particularly as they seek access to corporate networks?

The bad news: Apple insists on an architecture that, fundamentally, makes traditional virus and malware protection impossible.  Third party apps, by design, cannot see or access other installed apps. Period.  Right there, that rules out all the background anti-virus apps.  A stark bottom line is that IT needs a different approach to securing iOS devices, the tried and true techniques that work on Android phones, laptops, and the like just do not apply in an iOS world.

One sliver of good news, per Kevin Mahaffey, CTO at San Francisco based Lookout, a mobile security company, is that there still have not been meaningful numbers of virus or malware threats that target the iPhone and iPad and the better news, also per Mahaffey, is that developers are beginning to nibble around the edges of iOS security and are rolling out niche apps designed to fill holes.

Know that, right there, a hot debate is beginning to bubble up.  Where the debate is centered is on the value of the first-generation iOS security apps.

Case in point: Lookout’s own recently released iPhone/iPad security app (available free from the Apps Store).  What is notable about this app is that it provides no protections against viruses or malware. “We did not see the need,” said Mahaffey.  Lookout certainly considered building in anti-malware tools but at day’s end, the company decided not to go there.

“The time may come when iOS is a target for malware, but it isn’t now,” said Mahaffey.

What the Lookout app does provide is alerts when the device’s iOS needs updating, backup for contacts, a beefed up “find me” tool for locating misplaced iPhones and iPads, and warnings for when a user logs into an unsecure public WiFi. 

“Fifty percent of iPhone users say they are concerned about security. Our app addresses that,” said Mahaffey, who acknowledged that some of the features of the Lookout app are readily available elsewhere (Apple for instance offers a “find me” tool for lost devices) but, he said, the Lookout versions are more robust and, beyond that, the convenience of a suite delivers heightens usability.

Mahaffey added that, right now, the Lookout app stands alone in the app store in offering a security bundle but count on this: there will soon be an avalanche of similar apps.  Android Marketplace is chock-a-block with security apps and, as developers sniff opportunity in iOS, they will move to grab a share of what quickly could become a huge market.

But do we need these apps? Do they provide real security or just an allusion?

Definitely, the Lookout app at least takes baby steps in the direction of more secure devices. But then what?

There are skeptics who see scant value in such apps. “These are basically gimmicks,” said Amhit Sinha, CTO at ZScaler, a Sunnyvale, Calif. based cloud security company.  Sinha is not dissing the value of a warning about an insecure WiFi network, for instance, but to his mind that and alerts about out of date OS and the like are tiny gestures that do little to address the legitimate worries of IT.

And Sinha does not see that security ever coming from endpoint apps resident on iOS devices, not with the Apple architecture standing in the way.

Sinha elaborated that to really achieve security with mobile devices solutions will happen in the cloud and with inline scanning of network activity. The argument here is that, with the protections built into iOS (a plus of its architecture is that it effectively rules out old-fashioned viruses), the threats that arise come via malevolent websites and the only way to guard against that is to screen the network for suspicious activity.  Build out a system of smart, persistent screening of traffic into and out of iOS devices and, suggested Sinha, that’s the formula for calming IT’s nerves. 

Moving mobile device security into the cloud also is a huge step around the persistent problem of battery life and battery drain is another reason the old-fashioned antivirus tactics just do not work in a mobile world. This is because the traditional always-on always-alert antivirus that runs on desktop and laptop computers simply cannot work on handheld devices because battery life would be measured in minutes, not hours. This is why -- right now at least -- nobody is proposing it.

iOS, by the sheer numbers of iPhone and iPad users clamoring for access to enterprise data, is triggering what increasingly looks like a paradigm shift in mobile security.  Eyes are moving off the device and onto network activity and  in an iOS world, that just may be the solution.

At least until the malware writers figure out how to crack iOS and put malware on the devices.

As a busy freelance writer for more than 30 years, Rob McGarvey has written over 1500 articles for many of the nation's leading publications -- from Reader's Digest to Playboy and from the NY Times to Harvard Business Review. McGarvey covers CEOs, business, high tech, human resources, real estate, and the energy sector. A particular specialty is advertorial sections for many top outlets including the New York Times, Crain's New York, and Fortune Magazine.