AT&T’s iPad security fumble is just the tip of the iceberg

analysis
Jun 11, 2010

The flaw that exposed the email addresses of 100,000 iPad owners is depressingly familiar -- and completely avoidable

The iPad is everybody’s “it” device: new, bright, sexy, and — as with everything Apple produces — oh so stylish and fun to use. It’s a transformative item worthy of all the press it has garnered. The iPad breaks the decades-old laptop/desktop paradigm and takes us partway over that bridge to a future of lightweight, multifunction mobile implements and powerful, cloud-based applications and services. But like any piece of hardware, the iPad is only as good as its weakest feature. In the case of the iPad and iPhone, everyone knows that the weakest feature is the unholy and exclusive relationship with bumbling carrier AT&T.

When news broke Wednesday about a security breach by a French hacking group that yielded the email accounts and device IDs of more than 100,000 VIP iPad users, it was little surprise that the source of the breach wasn’t Apple, which has wrapped some decent security features around its new device. Instead, it was AT&T. As with any breach, there are lessons to be learned here, as organizations everywhere venture into the brave new world of mobile devices and the hosted or hybrid applications that empower them.

The first is, obviously, know what you have running in your environment. Consumer-led adoption of next-generation devices like the iPad outstrips the ability of IT organizations to properly manage and secure them — a phenomenon that Gartner famously termed “the consumerization of IT” way back in 2005, when the big mobile news was the hack of Paris Hilton’s Sidekick account. Enterprises need better tools for mobile device discovery, tracking, and lifecycle management. Alas, many of the vendors they’d turn to for help are just figuring out that Windows Mobile isn’t the heir apparent to Windows and are only now getting around to supporting platforms like the iPhone and BlackBerry.

The second lesson is about the importance of investing in application testing and security — not just of your own platform, but also those of your business partners and any other firm or individual that wants to swim in your pond. Any employer worried about the security of its networks, data, and intellectual property needs to be very concerned not just about the security of the devices their employees are bringing into the office, but about the entire application and services infrastructure that supports those devices. This AT&T incident is just the latest example of that.

The vulnerability of AT&T’s servers suggests that five years after Paris Hilton gave T-Mobile a black eye for a loosely spec’d Web-based account recovery feature, carriers are still playing fast and loose with their public-facing applications. Back in 2005, when voicemail and contacts were all that were at risk, maybe that was OK (actually, it wasn’t). In 2010, many of us use our phones and mobile devices for more sensitive transactions. They hold personally identifiable and financial information, and may well be used to access corporate assets such as email, critical applications, and files.

In short: The security of those public-facing applications matters a lot more in 2010. Plenty of security Cassandras have been talking about this problem for a long time. Their pleas have gotten more urgent as agile development methods and the gold rush on SaaS and hosted applications have driven coding standards even lower. The 451 Group’s research director, Josh Corman, has been part of a group leading a charge for more “rugged” software development of the kind that would have ferreted out the gaping hole in AT&T’s application code, while folks like Jeremiah Grossman at WhiteHat Security have been talking about the systemic problems caused by weak application security for, well, years.

Has much changed? Yes and no. On the one hand, hacks like this AT&T incident suggest that many firms are radically underinvesting in security. AT&T, just as an example, can thank the iPhone for the lion’s share of its new subscribers — as much as 73 percent as of the first quarter of 2009, at least according to one report. That translates into as much as $60 million a month in new revenue for the carrier.

Peeling off an extra 1 or 2 percent of that new revenue to really vet the application code (public-facing and otherwise) used to manage the accounts would buy the firm a lot of security smarts. A slew of firms that can help companies vet the security of applications — Web-based and otherwise — have sprung up in recent years, including Armorize, Cenzic, Veracode, and White Hat.

But most organizations don’t use these services or other techniques that would prevent the kind of simple hacks that AT&T had this week. One reason is that there are still few incentives for enterprises or software vendors to prioritize secure code over timely code. Perhaps, if nothing else, the AT&T hack may provide some impetus for change.

Paul F. Roberts is a senior analyst covering enterprise security at The 451 Group.

This article, “AT&T’s iPad security fumble is just the tip of the iceberg,” was originally published at InfoWorld.com.