…though not exactly with a fanfare of trumpets.
The sparsely entitled iOS Security is a brief summary of the internals of iOS security, including:
- System Architecture (summarizing Secure Boot Chain, System Software Personalization, App Code Signing, and Runtime Process Security)
- Encryption and Data Protection (Hardware Security, File Data Protection, Passcodes, Classes, Keychain Data Protection, Keybags)
- Network Security (SSL, TLS, VPN, Wi-Fi, Bluetooth)
- Device Access (Passcode Protection, Configuration Enforcement, Mobile Device Management, Device Restrictions, Remote Wipe)
It’s not the most exhaustive document I’ve ever come across, and it’s rumoured that none of the material will come as a surprise to readers of Charlie Miller’s iOS Hacker’s Handbook, though I haven’t got around to reading that one yet. Miller himself told SC Magazine that Apple may be concerned about acceptance in the enterprise market. That makes sense: enterprises are less likely to assume that Apple security is as perfect as some of its fans would have us believe. For The Register, Simon Sharwood noted that the tone of the document is less boastful than usual, citing the statement that:
“The combination of required code signing, sandboxing, and entitlements in apps provides solid protection against viruses, malware, and other exploits that compromise the security of other platforms. The App Store submission process works to further protect users from these risks by reviewing every app before it’s made available for sale.”
This won’t satisfy those in the anti-malware community who believe that Apple should allow them to build more-or-less conventional anti-malware apps for iOS, but even a slight lifting of the Apple security veil is worth noting.
David Harley CITP FBCS CISSP