What are the security issues with the iPad and how is it suited as a device for developing enterprise scale applications?
Those are the questions we posed to Ken Westin, the founder and CEO of ActiveTrak. Westin is a a security expert. His company develops a software and a service to track the location of a device if lost or stolen. In June, the company is introducing an enterprise version of its technology that will also go by the name ActiveTrak.
The iPad will become a device that we will undoubtedly see in the enterprise. It fits into the same space as a smartphone or social computing technology, applicable to personal and work life. Neville Hobson on the NextWeb cites a survey by Sybase about the interest in smart phones for the workplace and its correlation to the iPad.
But Westin says the iPad does have its own set of limitations that makes it an issue for development of enterprise security grade applications:
- The iPhone and iPad software has built-in PPTP, IPSec, Cisco VPN software. But more companies are moving to SSL VPN, which is not supported by the iPad. In time, though, a client should be developed for the product.
- The device may be able to access the domain, however it is different from being a domain member as an administrator cannot manage it, enforce group policies or push patches or apps to it.
Westin is supported by other security experts who cite Apple's lack of interest in security issues:
"The general consensus is that Apple continues to do only the absolute minimum to address enterprise security and supportability requirements," noted Andrew Storms, Director of Security Operations for nCircle. `We haven't seen any new enterprise iPhone security features from Apple since the summer of 2009 when they introduced their new hardware level encryption, which was almost immediately subverted. This is not the kind of behavior security professionals want to see in vendors.'
Recent events seem to illustrate that point. Security researches were able to compromise a fully-updated iPhone 3GS at the recent CanSecWest Pwn2Own competition. Storms warned me "If the iPad has the same OS as the iPhone then enterprises are going to be even more concerned about the data on this device.' "
Westin said it is the background processing in particular that makes the iPad less appealing for ActiveTrak. For instance, its application runs in the background on an Android device. An iPad, and for that matter an iPhone, does not provide that capability.
His company does provide a free application for the iPhone. It's free but it can only be activated if someone turns it on. To maneuver around the issue, Westin said they disguise the app button as a Safari icon, which activates the application. That's when the tracking starts by triangulation techniques using WiFi and GPS.
Westin is a fan of Apple. He uses a MacBook Pro. He says developer tools are better on the iPhone and it has a great community. But, Apple wants it all. It controls the hardware, the software and the content. That's a concern for the enterprise that wants to adopt the iPad. Such control over content is a problem as it gives Apple the power to wipe an application off a device without permission. That may seem unlikely in an enterprise setting but the possibility does lead to hesitation.
Further, Apple may make great high end products for consumers but it does not have the equivalent of a Blackberry server that can control the device and its content. Instead, the individual must have a MobileMe account. This can become a coordination nightmare for IT if the enterprise has 5,000 people who need an iPad.
Westin said ActiveTrak will wait until the iPad platfrom opens up more before developing.