The Cold War ain't over.
The U.S. Air Force Special Operations Command has cancelled a planned deployment of nearly 3,000 iPad2 tablets after a magazine raised questions about its planned use of a popular Russian PDF reader software. That appears to put at risk another broader deployment of up to 18,000 iPads by the Air Force that would've relied on the same software.
Widely considered the best mobile PDF reader around, GoodReader - not to be confused with the mobile device management software made by Good Technology - is popular with consumers as well as businesses, schools and others doing large-scale iPad deployments. This includes airlines such as Alaska Airlines and Delta Airlines that plan to use GoodReader+iPad as "electronic flight bags" to replace bulky, non-searchable paper charts and manuals.
GoodReader has one feature widely desired by those with security needs: the ability to read files that are protected by encryption. It's one reason why the Pentagon is using GoodReader for its iPad test deployments.
The hangup, of course, is that GoodReader is made by a Moscow-based firm, Good.iware and its Russian chief developer, Yuri Selukoff.
Past and present military officials interviewed by NextGov "question why AFSOC, which operates a fleet of specialized gunships and surveillance aircraft, would allow its pilots to rely on software developed in Russia. They also questioned the command's vetting process for Good.iWare, which one active-duty official pointed out has a website that lacks basic contact information."
"I would not use encryption software developed in Russia ," said Michael McCarthy, director of the U.S. Army's smartphone project, Connecting Soldiers to Digital Applications. "I don't want to put users at risk." McCarthy said he was concerned about the integrity of the supply chain with GoodReader.
"Ha, someone's still living in 1970, aren't they?" GoodReader's Selukoff replied to an e-mail from NextGov when asked about security concerns. When asked potential for malicious code in GoodReader, Selukoff replied, "What is this offensive and insulting assumption based on? Are there any actual facts or complaints that such thing has ever happened?"
"I am not affiliated with any government institution, neither Russian, nor any other," he added. "GoodReader doesn't have any malicious code built into it. Having said that, I am open to any security/penetration tests that anyone would be willing to perform on the app."
Don't touch my Source Code, Bro
While there's no word yet, I have to believe that the separate Air Force iPad deployment, which would've used GoodReader as a document reader for cargo plane pilots for up to 18,000 iPads, is also in big danger of outright cancellation, too.
Here's what I think: I actually agree that GoodReader, as it would've been deployed, would've created a potential security risk. But I think that is true of every mobile app that the Air Force would've deployed. Supply chains are global. Development is outsourced or done by a rotating cast of young guns. Popular Web stores are attacked or probed hundreds of times a day by hackers. The net net is that an app can be compromised any of a hundred ways these days.
But I don't think the Air Force needs to do as retired Air Force brigadier general Bernie Skoch suggested to NextGov, which is to scan every line of source code of every mission-critical app to make sure there is nothing malicious. That's laborious, especially if you want to scan every update.
So what are the solutions? Well, if this is mainly a political/appearance issue, then the Air Force could go with one of the many excellent non-Russian-made choices such as PDFexpert or PDF Reader Pro.
If it wants to stick with an encryption-capable reader, choose instead Adobe Reader, which was released for iOS last fall. Adobe Reader not only supports 256-bit AES encryption but, unlike the $4.99 GoodReader, is free.
And if the Air Force is really serious about security, it could also install strong anti-malware software and Mobile Device Management (MDM) software like Afaria on its iPads. The latest MDM software can remotely lock and wipe lost tablets, encrypt data in motion and at rest, force the use and renewal of strong passwords, oversee software updates and patches, and other features. These would all create an extra layer of protection at a deep, hooked-into-the-iOS level.
Bottom line: Let's not throw the baby out with the bath water. There are many better steps that the Air Force can explore rather than bowing to paranoia and political pressure and squashing these iPad deployments altogether.