*** UPDATED 11/14/2011: Apple has fixed this security flaw in iOS 5.0.1 (9A405) ***
The consumerization of IT is the single most influential technology trend of this decade. Companies are already well aware of it, as they wrestle with the growing influence of smartphones, tablets, Facebook, Twitter, Dropbox and on and on. While this growth does bring business value, too many companies make the mistake of trusting consumer technology with sensitive corporate data without deploying appropriate enterprise-grade infrastructure to secure and manage it. Consumer technology is sexy, convenient and easy to use. When it comes to security and data protection, however, consumer technology still has a long way to go. Security and data protection in fact remain top concerns among IT professionals -- see The Consumerization Report 2011 at http://bringyourownit.com/2011/09/26/...
One of the most evident aspects of the consumerization of IT is the influx of consumer mobile devices into the enterprise. Two mobile platforms have quickly gained the majority of this market: Apple iOS, which powers iPhones and iPads, and its close competitor Android. The ongoing debate among IT professionals these days is whether Apple iOS is more secure than Android and whether the strict control that Apple exercises over the operating system and applications actually results in a more secure platform.
Well, as it turns out, the Apple mobile operating system is not so secure after all, as shown by the recent discovery of a new security flaw affecting Apple's best-selling device: the iPad 2. The password protection of the new iPads running iOS 5 can in fact be easily bypassed in less than 5 seconds with these 3 simple steps:
- Press the reset button until the power off screen is displayed.
- Close and reopen the smartcover.
- Press the cancel button.
Voila. At this point the password protection is removed and anyone can freely access the foreground application that was running at the time when the device was initially locked. This potentially exposes sensitive corporate data accessed through corporate email, stored in attachments or available through various enterprise applications.
Given that the access gained in this way is limited to the foreground application, the obvious workaround is to instruct the users to close any foreground application before locking the iPad.