Apple details iOS security with new guide
Apple has quietly made public a May 2012 report highlighting security features in iOS that contains details on the extensive efforts the company has undertaken to secure its mobile operating system.
The 20-page report (PDF), titled simply "iOS Security," was picked up by MacNN after it was discovered on Apple's website.
"Apple designed the iOS platform with security at its core," the paper begins. It appears to have been written to help convince enterprise customers that iOS is secure enough for their needs.
According to the company, iOS devices include "low-level and firmware features" to protect against malicious software and "high-level OS features" that "allow secure access to personal information and corporate data, prevent unauthorized use, and help thwart attacks."
Subsections of the report include discussions of system architecture, encryption and data protection, network security and device access.
With respect to system architecture, Apple highlighted the secure boot chain that takes place on iOS devices. It also detailed the DFU (device firmware upgrade) recovery mode.
A visual overview of iOS security features
"When an iOS device is turned on, its application processor immediately executes code from read-only memory known as the Boot ROM. This immutable code is laid down during chip fabrication, and is implicitly trusted," the paper said.
Other architecture-level security features include system software personalization, which prevents downgrading of iOS devices to older versions; app code signing, which prevents unsigned code from being run and runtime process security, which includes "sandboxing" and entitlements.
As for encryption and data protection, Apple touted the cryptographic hardware engines in iOS and the security features surrounding device Unique IDs and Group IDs. The company also described its "Data Protection" feature that keeps data locked while still allowing iOS devices to receive calls and notifications.
Apple's report details the various steps used to encrypt individual iOS files
Apple also pointed to several features in iOS meant to provide enhanced network security on its devices.
"iOS uses—and provides developer access to—standard networking protocols for authenticated, authorized, and encrypted communications," the report read. "iOS provides proven technologies and the latest standards to accomplish these security objectives for both Wi-Fi and cellular data network connections."
A final subsection on device access provides information for enterprise administrators on setting up configurations, mobile device management (MDM) and device restrictions.
Apple also revealed that it maintains a "dedicated security team to support all Apple products." That team performs "security auditing and testing" of in-development and released products, provides "security tools and training" and "actively monitors" for new threats.
"Each component of the iOS security platform, from hardware to encryption to device access, provides organizations with the resources they need to build enterprise-grade security solutions. The sum of these parts gives iOS its industry-leading security features, without making the device difficult or cumbersome to use," the report's conclusion noted.
Apple has made inroads into the enterprise with its iPhone and iPad, but it has also faced some CIO hesitation over security concerns. For instance, IBM recently banned the Siri voice assistant feature from its internal networks because Siri must contact an external network to provide answers to queries.
The 20-page report (PDF), titled simply "iOS Security," was picked up by MacNN after it was discovered on Apple's website.
"Apple designed the iOS platform with security at its core," the paper begins. It appears to have been written to help convince enterprise customers that iOS is secure enough for their needs.
According to the company, iOS devices include "low-level and firmware features" to protect against malicious software and "high-level OS features" that "allow secure access to personal information and corporate data, prevent unauthorized use, and help thwart attacks."
Subsections of the report include discussions of system architecture, encryption and data protection, network security and device access.
With respect to system architecture, Apple highlighted the secure boot chain that takes place on iOS devices. It also detailed the DFU (device firmware upgrade) recovery mode.
A visual overview of iOS security features
"When an iOS device is turned on, its application processor immediately executes code from read-only memory known as the Boot ROM. This immutable code is laid down during chip fabrication, and is implicitly trusted," the paper said.
Other architecture-level security features include system software personalization, which prevents downgrading of iOS devices to older versions; app code signing, which prevents unsigned code from being run and runtime process security, which includes "sandboxing" and entitlements.
As for encryption and data protection, Apple touted the cryptographic hardware engines in iOS and the security features surrounding device Unique IDs and Group IDs. The company also described its "Data Protection" feature that keeps data locked while still allowing iOS devices to receive calls and notifications.
Apple's report details the various steps used to encrypt individual iOS files
Apple also pointed to several features in iOS meant to provide enhanced network security on its devices.
"iOS uses—and provides developer access to—standard networking protocols for authenticated, authorized, and encrypted communications," the report read. "iOS provides proven technologies and the latest standards to accomplish these security objectives for both Wi-Fi and cellular data network connections."
A final subsection on device access provides information for enterprise administrators on setting up configurations, mobile device management (MDM) and device restrictions.
Apple also revealed that it maintains a "dedicated security team to support all Apple products." That team performs "security auditing and testing" of in-development and released products, provides "security tools and training" and "actively monitors" for new threats.
"Each component of the iOS security platform, from hardware to encryption to device access, provides organizations with the resources they need to build enterprise-grade security solutions. The sum of these parts gives iOS its industry-leading security features, without making the device difficult or cumbersome to use," the report's conclusion noted.
Apple has made inroads into the enterprise with its iPhone and iPad, but it has also faced some CIO hesitation over security concerns. For instance, IBM recently banned the Siri voice assistant feature from its internal networks because Siri must contact an external network to provide answers to queries.
Comments
Head in the sand from Apple and, although I haven't read it, the report would be more credible if it explained the limits of Jailbreaking. Maybe they can't acknowledge it because it shatters their security model.
Head in the sand from Apple and, although I haven't read it, the report would be more credible if it explained the limits of Jailbreaking. Maybe they can't acknowledge it because it shatters their security model.
This is a great presentation for IT managers to make to their executives, but there is a little understanding that Apple is just helping them to blow a little wind up their skirts because they know the phones can still be jailbroken. No public system can ever be made foolproof.
Also, please correct me if I'm wrong, but there doesn't seem to be a reliable way for a company to detect a jailbroken phone on its own network—with one possible exception of an automated ssh probe using root/alpine (if it works, map the IP/MAC back to the registered user and send them a nasty email).
Apple's security is their draconian App Store which is either good or bad depending on how you look at it. The OS itself isn't particularly secure when stuff like JailbreakMe can exist to hack your iDevice and install third-party software via Safari. Apple users were lucky nobody crafted malicious webpages to brick the device. Apple's solution within the past year seems to have to been to hire the developers of the jailbreaking community.
This is to convince corporations and people that--if you [B]don't jailbreak[/B] your device--it will remain secure and virus free.
All bets are off if you jailbreak.
Quote:
Originally Posted by Shawn Richards
So where does Jailbreaking fit into this nifty diagram?
Head in the sand from Apple and, although I haven't read it, the report would be more credible if it explained the limits of Jailbreaking. Maybe they can't acknowledge it because it shatters their security model.
Quote:
Originally Posted by theirongiant
This is a great presentation for IT managers to make to their executives, but there is a little understanding that Apple is just helping them to blow a little wind up their skirts because they know the phones can still be jailbroken. No public system can ever be made foolproof.
Also, please correct me if I'm wrong, but there doesn't seem to be a reliable way for a company to detect a jailbroken phone on its own network—with one possible exception of an automated ssh probe using root/alpine (if it works, map the IP/MAC back to the registered user and send them a nasty email).
Quote:
Originally Posted by Negafox
SIN
Apple's security is their draconian App Store which is either good or bad depending on how you look at it. The OS itself isn't particularly secure when stuff like JailbreakMe can exist to hack your iDevice and install third-party software via Safari. Apple users were lucky nobody crafted malicious webpages to brick the device. Apple's solution within the past year seems to have to been to hire the developers of the jailbreaking community.
Since Apple does not support and recommends against jailbreaking your device, why should they waste any resources on jailbreaking? Basically any device can be jaIlbroken but you do so at your own peril. Why would or why should ANY company provide ANY support or assistance for rogue software?
Quote:
Originally Posted by theirongiant
This is a great presentation for IT managers to make to their executives, but there is a little understanding that Apple is just helping them to blow a little wind up their skirts because they know the phones can still be jailbroken. No public system can ever be made foolproof.
I think you are missing the point. The point is Apple gave you a secure platform if you run it as intended. Sure, you can jailbreak it - but then you are purposefully making your device insecure. But that's akin to posting the root password of your UNIX server on the Internet and then complaining that UNIX security is broken.
Quote:
Originally Posted by Gustav
I think you are missing the point. The point is Apple gave you a secure platform if you run it as intended. Sure, you can jailbreak it - but then you are purposefully making your device insecure. But that's akin to posting the root password of your UNIX server on the Internet and then complaining that UNIX security is broken.
Apple doesn't even give the user the root password or anyplace to type it in and it still can be broken into. Apple doesn't like being hacked so it is not a matter of them ignoring jail breaking, it is more like they are not able to stop it. Having physical possession of a device is much easier to break into than over the network even with UNIX.
There was a hack that could jailbreak an iPhone by visiting a web page last year. Apple also just patched another jailbreak last week. Believe me they care plenty about jail breaking.
Quote:
Originally Posted by Realistic
Since Apple does not support and recommends against jailbreaking your device, why should they waste any resources on jailbreaking? Basically any device can be jaIlbroken but you do so at your own peril. Why would or why should ANY company provide ANY support or assistance for rogue software?
I am not sure how your comments pertain to mine exactly. If somebody goes out of their way to jailbreak their iDevice, that is their own risk.
In case you were not familiar, JailbreakMe jailbreaks your phone and installs Cydia by merely visiting a webpage in Safari. My point was that somebody could have used a similar exploit pre-5.0 to craft a special webpage to brick any unsuspecting person's iDevice that visited it. For example, forums that allow HTML.
Quote:
Originally Posted by bikertwin
This isn't about jail breaking, is it?
This is to convince corporations and people that--if you don't jailbreak your device--it will remain secure and virus free.
All bets are off if you jailbreak.
The problem with that argument is: the very fact that it's possible to jailbreak the device in the first place is evidence that some attack vectors exist which can be used to cause the iOS device to behave in ways that Apple didn't intend.
Granted, those attack vectors are generally used to deliberately jailbreak the device -- but the same vectors could also be used for malicious purposes, and their existence is evidence that the system is not as secure as Apple would have that target audience believe. As long as it remains demonstrably possible to deliberately jailbreak, then it's also conceptually possible for a non-jailbroken device to accidentally pick up an unintended security breach.
That one wasn't liked by many people who upgraded their 3G to iOS4, making the Calendar app amongst others dog-slow.