AirDrop will be a killer business feature in iOS 7 -- with one big risk

International Security Assistance Forces airdrop in Zabul Province, Afghanistan. Credit: isafmedia via Flickr

One of the most interesting new features in iOS 7 is AirDrop, which will allow users to easily share photos, documents, files, and other content using a combination of Bluetooth and Wi-Fi.

AirDrop is very much Apple's answer to Android's Beam feature that lets users share content over NFC, though the technology has a larger range than NFC and doesn't require users to touch devices to initiate a connection. Although new to iOS, Apple pioneered AirDrop on Macs two years ago with OS X Lion as a way for Mac users to easily transfer files directly without the need for a file server, cloud service, or turning on file sharing.

AirDrop in iOS 7 has the potential to be a killer feature for business since it allows colleagues to quickly share content without having to set up the appropriate permissions in a cloud storage service or resort to sending files as email attachments. Apple appears to be making AirDrop available in any sharing dialog throughout iOS 7 as well as through the new Control Center feature that can be invoked at any time -- even while an iPhone or iPad is locked.

That level of ubiquity will definitely appeal to business users that need to collaborate on the go as well as to consumers who want to quickly and easily share photos, videos, web pages, and pretty much anything else with friends and family. The lead that iOS has over Android in the enterprise space means that many mobile professionals will be able to rely on AirDrop a fair amount of the time.

All of this means that AirDrop will be one of iOS 7's great business features, particularly when you consider that Apple has built AirDrop to function in a pretty secure manner.

In order to share a file, both the sender and recipient need to have AirDrop enabled and they must both have AirDrop configured such that their devices are discoverable to each other. When enabled, AirDrop allows two discoverability options for users -- an unrestricted Everyone option that lets any iOS 7 device in range detect their device and initiate a connection, or a Contacts Only mode that will display their device to devices owned/used by people in their contacts. When the sender of a document initiates contact, the recipient must acknowledge and authorize the transfer.

Although AirDrop uses Wi-Fi, it doesn't rely on a Wi-Fi network. This offers convenience because it can work where there is no network or where users might be connected to different networks. It also offers a degree of security: since the connection doesn't go across a Wi-Fi network, anyone lurking on an open network hoping to eavesdrop isn't a threat. Even so, the connection is still encrypted to protect against someone scanning for any kind of Wi-Fi transmissions.

Apple hasn't said whether or not IT policies can disable or restrict AirDrop. However, it seems likely that Apple will either offer a way to disable it entirely or use the recently announced Managed Open In feature to let IT prevent AirDrop from being an available option from within managed applications.

All of this should make AirDrop one of the most secure ways to transfer content between two devices or two individuals.

The ever-present risk: Social engineering

There is, however, one real area of concern, and it isn't a technical one. It's the idea of social engineering leading to a clever spear phishing attack.

Imagine a malicious user pretending to be someone that a mobile professional (or their device) would trust -- like a boss, coworker, family member, or business contact. Given the range that AirDrop will presumably offer, that malicious user could easily hide from view -- say at a crowded event, a training room, a busy restaurant or coffee shop, or even an empty cubicle. If someone's device is discoverable to everyone, then it could be just a matter of using a profile picture that's plausible, even if it's a generic-looking avatar or cartoon character, and knowing a few facts about the target to coax them into sharing sensitive data.

It's unclear what information Apple will use for the Contacts Only feature, but it could be information that's easy to obtain and spoof. Ironically, Android's NFC-based sharing is more secure simply because of NFC's very short range.

Attacks like this are far less common than the run-of-the-mill snooping on the network at Starbucks or brute force attacks against a network or endpoint. On the other hand, perpetrators often have a very clear understanding of their target and a clear idea of the type of information that they want to obtain. By getting someone to trust them, these attackers are more likely to succeed than a random anonymous attacker and more likely to get important sensitive information.

As with other forms of spear phishing attacks, including those perpetrated by email and social networks, as well as social engineering attempts to gain information, the best defense is educating mobile professionals and executives about the possibilities and teaching them to be on their guard when it comes to using AirDrop.

Banning or restricting AirDrop could be an option as well, but the sheer usefulness for mobile professionals and the fact that it's likely to be a ubiquitous component of iOS 7 make user education a much better option than an all-out ban -- after all, we don't ban email, which has been a vector for phishing attacks for years. That said, it may be worth restricting AirDrop in apps that handle confidential or extremely sensitive data. 
