Citibank announced today a major flaw in its iPhone/iPad banking app. The app leaves account information on the device. What is this bad? Well, iPhone/iPad/iOS does not support whole disc encryption.
At last month’s Gartner Security and Risk Conference in DC, I sat next to a Senior Executive with one of the larger anti-virus companies. According to this executive, the company wants to make and sell a whole disc crypto product, but Apple will not open its API (application program interface) to support whole disc encryption.
Today’s announcement by Citibank about a flaw in their app, comes as little surprise. While this particular flaw can be fixed with an update, the fact remains: The foundation is sitting on shifting sands. The iOS is first and foremost a consumer media platform. It has a great bright interface, and plays music and videos really well. It has a great eBook reader. But, these devices were not and are not built with security and privacy at their foundation.
When you mistype a word, iOS saves, it, unencrypted. When you use a map, iOS saves it, unencrypted. When info is “erased.” the platform saves it, unencrypted. As a forensic analysis, the iOS is a boon to uncovering information that the owner of the device would be shocked to learn can be discovered.
Some will say, “all devices are like this.” Well, that is just not so. The Blackberry platform was built with security in mind, rather than an after thought. That’s why the UAE government views the Blackberry as a security threat. Not the iPhone.
I am realistic. Many people are gaga for every device Apple makes. To borrow a phrase: “If Apple took a brick and called it an iPhone you would still want it.” For these people, buying a smartdevice is all about being trendy and the purchase is almost all based upon emotions. I doubt that anything they read about poor security on the iOS will change their behavior.
For others, I suggest “Think Different.” Resist the temptation to use an unprotected consumer device for business. Use your iPhone/iPad as a media device, and use Blackberries (with the Blackberry Enterprise Server), for business use. It looks like the industry will release business-oriented slate devices to compete with iPad. That may turn out to be smarter for business use.
Until Apple addresses the underlying security issues in the platform, it’s a safe prediction that we will hear other stories about security flaws hurting iOS users.