‘Apple has its head in the sand’
By A. Asohan August 1, 2012
- ‘We can’t release an antivirus product for the iPad; Apple won’t allow us to do so’
- ‘Android has more security issues, but at least Google is trying to fix the problem’
THE continuing adoption of iPads in the enterprise space has created a new weak link in security which Apple Inc continues to downplay, making organizations increasingly at risk.
“Here’s a hypothesis for you: When it comes to security, Apple has its head in the sand,” says Dr James Lyne (pic), director of technology strategy at UK-based security software company Sophos.
“One of the scariest things in security at the moment is how little people recognize the actual threat on mobile devices. There’s so much hype and certainty about it that is at odds with what is really happening out there.
“I’ve spoken to many businesses, and they say, ‘but the iPad’s secure’,” he adds.
There is still a prevailing perception that nobody writes viruses attacking Apple’s platforms, though that has slowly disappeared when it comes to the MacOS [on Macintosh] thanks to the Mac Defender malware, which while primitive by Windows malware standards, still infected tens of thousands Macs more than a year ago. More recently, the Flashback malware is estimated to have infected 650,000 Macs – or 2% of all Macintosh systems in the world.
Lyne’s ire at Apple is matched by Sophos’ rivals in the security space. Russian-based Kaspersky Labs has described the lack of awareness on security on the part of Macintosh users and smartphone users in general as alarming, Trend Micro too has been sounding alarm bells over the rise of mobile malware.
“We can’t release an antivirus product for the iPad; Apple won’t allow us to do so,” says Lyne, speaking to Malaysian technology media in Kuala Lumpur recently.
“Apple restricts the kinds of applications that can be run on the iPad. The only way we can provide some sort of protection is to offer it on jailbreak devices, but that’s ridiculous because that would be violating Apple policy and making the platform less secure,” he says.
Apple's ambivalence towards security is also obvious for its Macintosh,
“I still walk into AppleStores and ask, ‘Do I need antivirus for my Mac,’ and am told, ‘No, you don’t’,” says Lyne.
“Fake geniuses,” he adds, referring to the supposedly tech-savvy “Apple Genius” staff at such outlets.
Google fixing it
Most of the malware on the tablet front is aimed at Google’s Android platform, with Trend Micro saying that it had identified 25,000 mobile malware apps as of the second quarter of 2012, a 417% increase from the first quarter, yet only one in five mobile devices have security apps installed.
“Android has more security issues, but at least Google is trying to fix the problem. It is providing APIs (application programming interfaces), it is working with vendors, it has been cooperating with the security community,” says Lyne.
“However, there have been three occasions where malware was distributed via the AppStore, which shows Apple is not looking as closely at the apps as it says it is. We’re trusting Apple even though it has been proven irresponsible.
“I wonder if within the next 12-18 months, if Google’s attitude to fixing the problem means that Android becomes more secure while Apple gets constantly embarrassed. Right now, iOS is more secure, but there are chinks in the armor,” he adds.
His company recently announced Sophos Mobile Security, a free lightweight anti-virus app that protects Android devices against malware, privacy issues and hardware loss (see accompanying story).
Apple insists that the iOS has been built from the ground up to be more secure. In a document detailing its security features, the company says, “Low-level hardware and firmware features protect against malware and viruses, while high-level OS features allow secure access to personal information and corporate data, prevent unauthorized use, and help thwart attacks.”
The iOS Security document can be downloaded in PDF form here.
Once more unto the BYOD breach
The security weakness of iOS becomes more critical as more organizations allow the use of iPads and iPhones to keep up with the Bring Your Own Device or BYOD trend.
“BYOD is a complex of policy, social and technology problems. For example, many companies now – in formulating their BYOD strategy -- are very keen on building these huge sandboxes that separate personal and enterprise data,” says Lyne.
“However, that approach always makes the user experience so poor that it’s like why bother having an iPad in the first place. Very few organizations that have tried that approach have stuck with it, the only exception being defense organizations.
“Most are now looking into managing the baseline of these devices – passwords, strong encryption, VPN (virtual private network) clients, managing certificates and maybe restricting certain features such as location.
“Then they handle the rest with policy awareness – which is a pretty scary step for most organizations used to filtering everything,” he adds.
Most are finding a middle ground, says Lyne.
“They’re saying, ‘yes, you can use your own iPad, but we’re going to manage the basic security settings.’ It won’t stop you from playing Angry Birds or doing anything else, but basically, it’s good for the end-user as well,” he says.
Still, there is the mindset problem on the iOS front.
“What we’ve learned from the MacOS security experience over the years is that when people have an idea about security, they hold on to that for a really long time … long past when it is no longer true,” says Lyne.
“Used to be, there were very few viruses on the Mac, but that is no longer true. For MacOS X, it is happening very fast, and think about hard it will be for IT service professionals to get users [in their organizations] to change their mindset.
“We’re already too far down the curve, and we can’t afford to let this go further,” he adds.
[Note: This article was corrected on two points after clarifications from Dr James Lyne.]
Slew of stuff from Sophos, from freebies to Twitter malware alert