Wildly popular from the executive suite to the back office, Apple’s iPhone and iPad are the devices that launched a thousand bring-your-own-device (BYOD) programs. For IT, there’s a lot to love about the inherent security of the walled-garden iOS ecosystem. But don’t get complacent; iOS devices can still expose your business assets to risk. Here’s what you need to know about iOS security—and how to complement it with your own tools, mobility strategy and best practices.
The good news
The tightly controlled, proprietary iOS architecture greatly reduces vulnerabilities. Only Apple-issued iOS upgrades and vetted App Store apps are allowed onto the device, giving Apple a level of end-to-end control unmatched on other mobile platforms. Third-party apps are sandboxed to thwart any malware that might slip through. Security is designed to be transparent to prevent users from disabling it, and many security features are enabled by default.
With the release of iOS 7, Apple continues to strengthen its devices with security features like Touch ID to streamline device authentication, FIPS 140-2 cryptographic protection for sensitive data, Activation Lock to further protect lost and stolen devices, and various other enhancements.
So far, so good. But …
Even the strongest garden wall can be breached. In the case of iOS, the weak spot is jailbreaking. Ordinarily, there’s no way for a user to achieve root on an Apple device, but if the device is jailbroken all bets are off. The device can be modified and customized at will, and the user can sideload apps from unsanctioned third-party sources, undermining its security every step of the way. Apple has made it as difficult as possible to do this, but where there’s a curious and relentless kid (or adult), there’s always a way.
What can you do about this? One essential measure is to check every device before allowing it to access your network—not just iOS, but Android too—to make sure it hasn’t been jailbroken. Mobile application management (MAM) and secure access control tools can help you protect the apps and data people use on their iOS devices without undermining their mobile productivity.
There are also several device setup and configuration best practices you should follow. For example:
- Authentication – Set Require Passcode to Immediately and Erase Data to ON. Enable Auto-Lock and set it to one minute. Use Touch ID if available.
- Encryption – Set a passcode or passphrase to encrypt the device and encrypt backups in iTunes and iCloud.
- Cloud Services – Disable personal iCloud on business-controlled devices.
- Bluetooth and Sharing – Turn off Sync Contacts to prevent contacts from being loaded onto rental cars and other devices.
- Network and Wireless – Configure wireless to Ask to Join Networks to further guard against connections to rogue networks.
- Email – Ensure that Use SSL is On for all supported accounts and use S/MIME, if configured.
- Diagnostics and Developer Features – Disable the sending of Diagnostics and Usage Data under Settings/General/About/Diagnostics and Usage.
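As an added example (not from the original post or from Citrix), the checklist items above that have a counterpart in an iOS configuration profile can be verified before a profile is pushed to devices. The payload types and keys are Apple's Passcode and Restrictions payload keys; the mapping from each checklist item to a key, the `audit_profile` helper and the sample profile are assumptions made for this example.

```python
import plistlib

PASSCODE = "com.apple.mobiledevice.passwordpolicy"   # Passcode payload
RESTRICTIONS = "com.apple.applicationaccess"         # Restrictions payload

def _int(pred):
    # bool is a subclass of int in Python; reject it so False never passes as 0.
    return lambda v: type(v) is int and pred(v)

# (payload type, key, acceptance test, checklist item) -- mapping is an assumption.
BASELINE = [
    (PASSCODE, "forcePIN", lambda v: v is True, "Passcode set"),
    (PASSCODE, "maxGracePeriod", _int(lambda v: v == 0), "Require Passcode: Immediately"),
    (PASSCODE, "maxInactivity", _int(lambda v: v == 1), "Auto-Lock: one minute"),
    (PASSCODE, "maxFailedAttempts", _int(lambda v: 2 <= v <= 10), "Erase Data: ON"),
    (RESTRICTIONS, "forceEncryptedBackup", lambda v: v is True, "Encrypted iTunes backups"),
    (RESTRICTIONS, "allowCloudBackup", lambda v: v is False, "iCloud backup off"),
    (RESTRICTIONS, "allowCloudDocumentSync", lambda v: v is False, "iCloud document sync off"),
    (RESTRICTIONS, "allowDiagnosticSubmission", lambda v: v is False, "Diagnostics and Usage Data off"),
]

def audit_profile(profile_bytes):
    """Return the checklist items that the profile does not enforce."""
    profile = plistlib.loads(profile_bytes)
    settings = {}
    for payload in profile.get("PayloadContent", []):
        # Simplification: if a payload type repeats, the later payload wins.
        settings.setdefault(payload.get("PayloadType"), {}).update(payload)
    findings = []
    for ptype, key, accept, item in BASELINE:
        value = settings.get(ptype, {}).get(key)   # absent key means not enforced
        if not accept(value):
            findings.append(f"{item}: {key}={value!r}")
    return findings

# Constructed sample profile: Auto-Lock is too long, document sync is not restricted.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.byod.baseline",
    "PayloadContent": [
        {"PayloadType": PASSCODE, "forcePIN": True, "maxGracePeriod": 0,
         "maxInactivity": 5, "maxFailedAttempts": 10},
        {"PayloadType": RESTRICTIONS, "forceEncryptedBackup": True,
         "allowCloudBackup": False, "allowDiagnosticSubmission": False},
    ],
})

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print("NOT ENFORCED:", finding)
```

Touch ID, Bluetooth contact sync, Ask to Join Networks and mail SSL are not checked by this example.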
The chart below highlights the security implications for a few of the latest iOS features.
You can learn much more about securing iOS and other mobile platforms in our new white paper put together by Kurt Roemer, our chief security strategist, and myself. The paper is titled “Delivering enterprise information securely on Android, Apple iOS and Microsoft Windows tablets and smartphones.”
Be sure to check out the security and compliance solutions page to learn more about how Citrix enables our customers to embrace mobility and adopt Android—or any device—while protecting what matters most. Follow @CitrixSecurity on Twitter.
About the author
Stacy Bruzek Banerjee is the director of solutions marketing for Citrix and is responsible for global security, business continuity and BYOD solutions. Prior to Citrix, Stacy worked to build Guidewire to explosive growth and a successful IPO. She has held marketing leadership roles at Oracle, Symantec and VISA, where she focused on data management, security and collaboration. She holds a bachelor’s degree from the University of Minnesota. Feel free to read more of Stacy’s blogs.