The iPad is 20 years behind Microsoft Windows

A few weeks ago I had a discussion with a customer. They started a pilot for paperless meetings for the board members of CompanyX using Alfresco 4 (Share, actually) and iPad’s. The security department got worried.

CompanyX uses Alfresco+Share already as an internal repository. It stores confidential documents about all kind of business related stuff, and it is used as a collaboration environment. This instance is completely within the firewalls, and cannot be accessed from the outside. A new Alfresco+Share is installed  in the DMZ, accessible from the outside world. The Share access is fine, and can potentially be protected additionally using a 3rd party token authentication. The iPad’s are the toys the security department is worried about.

The scenario is that the secretaries prepare meeting documentation in a folder structure in a Share Site. The PDF version of this documentation is available for the meeting participants, and can be found using Alfresco’s iPad app. The participants can annotate the PDF’s using PDF Expert and can be saved back into Alfresco (using Alfresco Mobile the iPad tool). The secretaries can process the annotated PDF’s into some final version. The image above is a flip-over used for training purposes (I love it).

The board discusses serious and confidential subjects that can have social and financial impact, these need to be properly protected. The iPad tooling has the consumer qualities of Microsoft Windows in the early 90; nice and shiny wanna-have for consumers, lousy in businesses. The chain of tooling has ‘some issues’;

  • The Alfresco iPad app has no password protection
  • The Alfresco iPad app can save content to for example Evernote and other platforms confidential content should never accidentally end up
  • The Alfresco iPad app caches content locally, unencrypted (but the iOS is capable of doing so… [PDF])
  • The PDF app (PDF Expert is used, password protected) has a local copy of the document(s) again (unencrypted)
  • The PDF app can save the content to Evernote and other platforms confidential content should never accidentally end up

(If QuickOffice would be used the effects would of course be the same.)

Let’s face it, it can be expected that the children of the board members are users of the iPad too, and they are probably not most conscious about security issues and how to deal with these. It would be second-best if:

  • The Alfresco iPad app will be extended with a password protection and encrypted storage.
  • Applications should be configurable by the company to not-store or remove ‘intermediate’ files. There should be no trace of the documents after reading/processing.
  • Applications should be configurable to output content to selected apps/end-points only

But even better:

  • iPad’s should have facilities to create a password protected ‘inverse’ sandbox of (business) applications that will be locked if the user navigates away from any of these apps (or time out). Within this ‘inverse’ sandbox the navigation should be possible without ‘fences’.

Personal security discipline is a problem. To many fences is more secure, but unacceptable (e.g. a password per app, to be entered every time if you switch from one to the other). This must be improved.

In the beginning Microsoft Windows has its issues either. It was a nice tool for consumers, but rather insecure and not to centrally manageable. iPad’s (and tablets in general) also have security flaws and are not manageable at an enterprise-standard. The possible chain of apps is uncontrollable, and their individual behaviour even less. There is no standard controlled environment to allow decent business collaboration between apps, and provide encrypted storage only.

iPad’s and other tables are consumer tools, entering the enterprise. For now, the easy, ‘public’ business applications are acceptable. ‘Decent’ enterprise applications are work in progress. I am sure solutions will be found. Some other day.

10 Responses to “The iPad is 20 years behind Microsoft Windows”

  1. 1 mooncat22 May 2, 2012 at 23:10

    A great eye-opening post. The iPad, as much as I like it and how useful it is, is not ready for highly secure environments. Yes it can be used in business if security isn’t a major concern or you are using it for tasks that don’t require much security. It’s target was the consumer. I think it will eventually be a staple in business, but security needs to be tightened. I think people do see a great advantage to the device for business tasks, the software, apps, and platform need to catch up to the vision.

  2. 2 keesvanbemmel May 3, 2012 at 00:08

    I love your blogs, but this time I really think you’re blaming the wrong technology… iPad is in fact capable of securing enterprise content as per your request… The apps you describe, however, are not at the moment.

    Good read up on enterprise security on iPad:

  3. 3 keesvanbemmel May 3, 2012 at 00:10

    I love your insights, but this time I really think you’re blaming the wrong technology. iPad SDK delivers the enterprise security you describe. The apps you describe, however, do not… Good read up on enterprise security on the iPad:

    • 4 Tjarda Peelen May 3, 2012 at 07:42

      Well, I think this issue is bound to tablets/mobile in general, at this point in time. There happens to be an Alfresco iPad app, no Android or windows tablet yet. I think I made clear it is the way apps are glued together, and how content is stored are what causes part the issues. The platform (neither iPad, Android, Windows) not providing a business proof ‘sandbox’ is the other part.
      And Kees, you know a blog needs a catchy title in order to be read. Thanks for the link!

  4. 6 Andreas Steffan (@deas) May 4, 2012 at 09:56

    Hallo Tjarda,

    the issues you mention are are indeed valid security concerns (Alfresco) mobile introduced.

    Issues which (on iOS – which is tailored for the consumer market) have to be addressed by the app. This can be done and there are solutions in other security sensitive domains (i.e. online-banking). Have a look at (German, but the app I am using) for an example.

    IMHO, Alfresco mobile should implement similar features if it is seriously aiming at the enterprise.


    • 7 Tjarda Peelen May 4, 2012 at 11:14

      Hi Andreas,

      The specialized app structure is the biggest concern i think. (Provided that password protected (alfresco) app and encrypted storage are easy to implement.)

      I can imagine all sorts of reasons why the app as-is is too open for secure applications; backward hardware compatibility (iPad1), ease of use, specialization (it provides Alfresco access ‘only’, no viewing nor editing of documents), and generic applications.

      A solution would be to take pdf viewing and annotation on board of the mobile app, thereby preventing the need for helper apps like pdf expert. But then what to do with round trip editing? Take the office suite on board too?

      This would require kind of a business sandbox where apps could jointly work against documents in a safe manner…

      No quick answers (although encryption and password protect are no-brainers). I wonder what route will be taken in the future. Who knows the open source nature of the Alfresco mobile app brings pleasant surprises!


  5. 8 mikehatfield May 9, 2012 at 01:08

    I wanted to quickly(!) address your points about the Alfresco Mobile app. We’re about to release v1.2.2 which will support cloud sign-up, as well as fix a few bugs. But we’ve also been working hard on v1.3 which addresses some of the points you’ve brought up in your post.

    1 – No password protection.
    Right now, we don’t think adding password protection to the app itself is necessary, or particularly user-friendly. In mitigation, the iPad itself supports highly configurable & strong password locking. We will also be allowing Alfresco accounts to be saved with empty passwords, so that the user is prompted at the start of a session (configurable timeout).

    Ultimately, users must be responsible for controlling physical access to a device that may harbour company secrets; not just documents but also e-mails, VPN connections, calendar appointments, contacts, etc. I would argue that $399 of insurance by way of a separate family iPad pays for itself quickly in terms of lost time typing-in PINs & passwords, as well as resolving the “just one more Angry Birds level” problem!

    2 – Locally cached content.
    Alfresco Enterprise customers will be able to choose to have all downloaded content encrypted by iOS when the device locks. We see other apps starting to support this built-in feature, so it reduces problems caused purely by unauthorised physical access to the device.

    3 – External apps (“Open In…”)
    You wrote about two issues in this area: third party caching of sensitive content and limiting the available list of apps. Unfortunately, Alfresco has little to no control over this area, as iOS rigorously controls file handling across app sandboxes. Whilst it is possible to restrict the Open In list to a select set of partner apps, this requires tight integration between app vendors and so doesn’t scale particularly well.

    For third party apps in general, Apple allows iPads to be configured so as to disallow adhoc App Store installations. If Enterprises are truly concerned with unauthorised access to content, their IT department must learn to use Apple’s tools to securely manage their employees’ devices.

    It is perhaps also worth a reminder that the Alfresco Mobile source code is available to clone/fork & contribute to here:

    Many thanks,
    Lead iOS Developer, Alfresco

    P.S. I might be getting old, but I really don’t remember my Windows 3.1 machine supporting 256-bit AES hardware data encryption and remote wipe 😉

    • 9 Tjarda Peelen May 11, 2012 at 14:04

      Hi Mike,

      Thanks for your response.

      I totally agree with you that carrying your companies ‘secrets’ brings the responsibilities associated with that. However, I believe there is a difference between the theory (you are entirely right) and every day practice. The tool will be used by family members, and not all users are aware of the possible security issues. And an additional (optional?!) password protection would sole some of this inconvenience. Theoretical unnecessary, but a pragmatic fix for potential human error. (And introducing a password-party when switching from Alfresco app to external viewer/editor –> need for a password protected ‘sandbox’ spanning business apps!)

      For the External apps topic, I think this is a hard one for any (mobile) platform. Restricting the apps is a possibility, but I understand the restriction on the limited set of possible apps you end up ‘integrating’. I guess this issue as well as the storage of these external apps could be ultimately fixed by creating an all-in-one app based on the open source code. But this is something different than an all-purpose mobile tool.

      I learned a lot about possible enterprise uses of the iPad (related to ECM like Alfrecso), and see that enterprises should often look at themselves too. On the other end apps like the Alfresco Mobile app and some external apps, could implement minor enhancements like passwords and encryption to reduce the impact of risk.

      I am excited to see a fork of the code implementing a specific secure/targeted application based on the Alfresco Mobile code!

      PS: eehhmm… remote wipe @ win3.11 can’t remember that indeed!

  1. 1 Review: Alfresco Mobile for Android 1.0 « Open Source ECM Trackback on December 5, 2012 at 10:16
Comments are currently closed.