
iPad Security: Part 2

Like the iPhone, the iPad runs Apple’s iOS operating system, a slightly scaled-down version of Darwin OS, the operating system for the Macintosh. Darwin OS is a flavor of Berkeley Standard Distribution (BSD) Unix. Much of the iPad’s security depends on the security features of Apple’s iOS operating system. According to Apple (see images.apple.com/ipad/business/pdf/iPad_Security_Overview.pdf), the iPad has quite a few security-related policies and settings, which include:

• “Passcode policies,” which in essence mean “password policies,” including inactivity time-out thresholds, passcode strength, and password aging. Additional passcode settings for iPad synchronization with Windows Exchange servers are available.
• Device protection policies, settings very closely related to passcode policy settings, including passcode strength, password aging, restrictions on password reuse, maximum number of failed logon attempts, and more.
• Data protection policies, which include data encryption using 256-bit AES, ability to locally and remotely wipe the iPad’s contents if it is lost or stolen, encryption of configuration profiles, encrypted backups for iTunes, and more.
• Network security settings, which include configuring VPN connections, SSL/TLS settings, WPA/WPA2 security settings for wireless access, and settings for interfacing with third-party authentication methods such as SecurID.
• Platform security settings, including runtime protection, which includes mandatory code signing, a secure authentication framework with keychain services for storing digital identities, user names, and passwords, and cryptographic application programming interfaces (APIs).

Most of these policies and settings are reasonably self-explanatory (even I am still trying to find some of them!). Some of the most important ones include “Passcode Lock” and “Auto Lock.” Passcode Lock means that to obtain access to your iPad, someone has to enter the correct password. To get to this setting, go to Settings -> General -> Passcode Lock and enter a passcode that is as difficult to guess as you can. (Unfortunately, iPad passcodes are currently limited to four numbers until the iPad is upgraded to iOS 4.) Then go to Settings -> General -> Auto Lock and set a time threshold (e.g., 10 minutes) to determine when your iPad will lock during periods of inactivity.

When you access the Passcode Lock function, you will also have the option of enabling the “Erase Data” setting, which is designed to protect the confidentiality of data stored on an iPad if it is lost or stolen. A message in small print below the Erase Data button reads: “Erase all data on this iPad after 10 failed password attempts.” This message is downright misleading. The way this function actually works is as follows:

• If a password is entered incorrectly 10 times consecutively, there is a one-minute lockout period, after which the user is allowed to try logging in again.
• If a password is entered incorrectly 10 times consecutively, there is a five-minute lockout period, after which the user is allowed to try logging in again.
• One more failed login causes a 15-minute lockout, after which the user can try again.
• One more failed login causes a 30-minute lockout, after which the user can try again.
• One more failed login causes a one-hour lockout, after which the user can try again.
• One more failed login causes a one-hour lockout, after which the user can try again.
• One more failed login causes the iPad to revert to its out-of-the-box settings.

As you can see by now, the chain of events associated with the “Erase Data” setting is rather drawn out and bizarre. Information security professionals will in all likelihood debate the value of this function as the iPad becomes increasingly used in work settings.
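
The chain of events above can be modelled to see what it means for a four-digit passcode. The following is an added example, not code from the original post or from Apple; it assumes the second bullet means 10 further failures, that attempts made during a lockout are refused without being counted, and that a correct entry resets the chain.

```python
from dataclasses import dataclass

# (consecutive failures needed, lockout in minutes), in the order the bullets list them.
SCHEDULE = [(10, 1), (10, 5), (1, 15), (1, 30), (1, 60), (1, 60)]


@dataclass
class EraseDataModel:
    passcode: str
    step: int = 0              # index of the next lockout in SCHEDULE
    failures: int = 0          # consecutive failures since the last lockout
    locked_until: float = 0.0  # simulated clock, in minutes
    wiped: bool = False

    def attempt(self, guess: str, now: float) -> str:
        if self.wiped:
            return "wiped"
        if now < self.locked_until:
            return "locked"                   # assumption: refused, not counted
        if guess == self.passcode:
            self.step = self.failures = 0     # assumption: success resets the chain
            return "unlocked"
        self.failures += 1
        if self.step == len(SCHEDULE):        # every lockout used up: one more failure erases
            self.wiped = True
            return "wiped"
        needed, minutes = SCHEDULE[self.step]
        if self.failures < needed:
            return "failed"
        self.step, self.failures = self.step + 1, 0
        self.locked_until = now + minutes
        return "lockout"


def exposure(keyspace: int = 10_000):
    """Guesses allowed before the wipe, minutes of enforced waiting, and the
    chance that many distinct guesses would contain a random 4-digit passcode."""
    dev = EraseDataModel(passcode="never-guessed")  # constructed value
    now, guesses = 0.0, 0
    while not dev.wiped:
        now = max(now, dev.locked_until)      # wait out any active lockout
        dev.attempt("0000", now)
        guesses += 1
    return guesses, now, guesses / keyspace


if __name__ == "__main__":
    print(exposure())
```

Under those assumptions the model allows 25 guesses and 171 minutes of enforced waiting before the erase, which covers 0.25% of the 10,000 possible four-digit passcodes.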

The iPad is a relatively new device, and with its newness come many mysteries and incomplete answers. Stay tuned to part three of this series as we continue to try to unravel these mysteries and answer previously unanswered questions about iPad security.
