Three security tips for iOS in the enterprise

Apple's iOS is the most commonly used mobile OS in enterprises in mature markets, according to analyst firm Gartner. IT managers have a series of decisions to make about managing iOS devices, in order to minimise the risk of data leakage.

In a new report called 'iPhone and iPad Enterprise Security FAQ', Gartner analysts Dionisio Zumerle and John Girard share a few tips about how to manage iOS devices in the enterprise. Here's just a few:

1. Set a policy on AirDrop usage

In iOS 7, Apple introduced AirDrop, a service that lets users share files with other iOS and OS X devices and machines via Bluetooth or Wi-Fi. Gartner warns that employees may intentionally or accidentally transfer sensitive enterprise data to unauthorised devices.

"Currently, the only way to block AirDrop - other than supervising iOS devices - is to use containers for enterprise data and to block the use of AirDrop. However, it must be noted that exchange of files through AirDrop requires a series of steps to pair devices, which makes it a risk primarily in the case of deliberate, malicious internal action of an employee. In the absence of further measures, policies should state that using AirDrop to send files to privately owned devices is not allowed," the analysts wrote.

2. Be wary of Touch ID

Touch ID, first appearing in the iPhone 5s, is a fingerprint recognition feature that allows users to verify their identify with their fingerprint. Users can use their fingerprint to, for example, unlock their phone or make purchases on Apple digital media stores.

According to Gartner, the security of Touch ID is a mixed bag. Although it is susceptible to brute force attacks, those attacks require "a certain degree of technical know-how and time".

"The Touch ID will likely protect enterprises from accidental loss and theft, but not from attacks that are directed against a specific individual. From a security standpoint, the protection obtained from Touch ID could be considered stronger than a four-digit passcode, but weaker than a six-character alphanumeric passcode - though much more user-friendly. Gartner recommends using six-character alphanumeric passcodes on mobile devices. Such passcodes require an adequately long time to break (1.7 years, according to Apple) and should assuage fears of brute forcing attacks. Automated wipe should be used in combination with this measure."

Of particular interest is what Gartner describes as a grey area surrounding law enforcement officials.

"While individuals are not required to provide passwords under certain legislations, fingerprints may be subject to this. Organisations whose employees frequently travel internationally should consult their legal departments for guidance on a decision, which should then be reflected in the global travel or mobile policy," the analysts wrote. "One possible decision is to ask users to revert to using only passcodes when travelling."

3. Block Siri on shared devices

Siri is Apple's voice-activated personal assistant/device control feature that has been around for the last few years. It poses some significant problems for enterprises, according to Gartner.

"The contents of communications with Siri are stored in one of Apple's data centres in the United States. Although the storage itself creates no immediate enterprise concerns, there are grey areas around regulatory and security matters: for example, using Siri to send text messages to patients mentioning sensitive information related to their health conditions could prove to be in conflict with the Health Insurance Portability and Accountability Act (HIPAA) text encryption requirements," the analysts wrote.

"It is good practice to block Siri on shared devices, as well as in any context involving sensitive data, high-security environments or uncertainty concerning regulatory requirements. MDM products can block Siri when iOS devices are locked. This restriction should be enabled, as Siri could be leveraged to make unauthorised calls or to access contact and other private information."

Pictured: Gartner analyst Dionisio Zumerle.