Apple users are now either happily picking up or awaiting delivery of their new iPhone 7s. That makes now an ideal time to review the many security elements in iPhone hardware and software design.
Many assume that because mobile phones are small and easy to use, they are simple devices that are simple to secure. That’s a huge misconception. These are complex computing environments that need security capabilities at least as much as most desktops do, and often more. Those elements include kernel and system security, encryption architecture, app security, network security and communication services.
One of the things that users appreciate about the iPhone is the level of security it provides without getting in the way of a quality user experience. Below is a fairly impressive list (taken from the iOS Security guide, published by Apple in May) of the many moving parts that go into securing all of the hardware, apps, data, network and communications functions of the iPhone:
- Secure boot chain
- System Software Authorization
- Secure Enclave
- Touch ID
- File Data Protection
- Data Protection classes
- Keychain Data Protection
- Access to Safari saved passwords
- Security Certifications and programs
- App code signing
- Runtime process security
- App Groups
- Data Protection in apps
- Secure Notes
- Apple Watch
- Single Sign-on
- AirDrop security
- Apple Pay components
- How Apple Pay uses the Secure Element
- How Apple Pay uses the NFC controller
- Credit and debit card provisioning
- Payment authorization
- Transaction-specific dynamic security code
- Contactless payments with Apple Pay
- Paying with Apple Pay within apps
- Rewards cards
- Suspending, removing, and erasing cards
- Apple ID
- iMessage
- FaceTime
- iCloud
- iCloud Keychain
- Siri
- Spotlight Suggestions
- Passcode protection
- iOS pairing model
- Configuration enforcement
- Mobile device management (MDM)
- Shared iPad
- Apple School Manager
- Device Enrollment
- Apple Configurator 2
- Remote Wipe
- Lost Mode
- Activation Lock
- Location Services
- Access to personal data
Apple says it redesigned the desktop security stack for a mobile environment.
“We thought about the security hazards of the desktop environment, and established a new approach to security in the design of iOS. We developed and incorporated innovative features that tighten mobile security and protect the entire system by default. As a result, iOS is a major leap forward in security for mobile devices.
Every iOS device combines software, hardware, and services designed to work together for maximum security and a transparent user experience. iOS protects not only the device and its data at rest, but the entire ecosystem, including everything users do locally, on networks, and with key Internet services,” according to the guide.
With iOS 10, Apple is upping its game when it comes to privacy.
As was announced at WWDC16 in mid-June, Apple is working on “differential privacy,” which should help improve the accuracy of user queries while at the same time reducing the chance that individual users can be identified. Methods include injecting noise into the data before it leaves the device and hashing.
In an AppleInsider story, Inside iOS 10: Apple doubles down on security with cutting edge differential privacy, Aaron Roth, a privacy researcher at the University of Pennsylvania, called Apple’s efforts here “groundbreaking.”
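To make the “noise plus hashing” idea concrete, here is an added example (my own illustration, not Apple’s implementation and not code from the iOS Security guide) of the textbook local differential privacy mechanism called randomized response: each device hashes its value into a bucket, one-hot encodes it, and randomly flips every bit before reporting, so no single report is trustworthy on its own, yet the server can still recover accurate aggregate counts by debiasing the column sums. The bucket count, the per-bit privacy parameter epsilon and the sample population are assumptions chosen for the demo.

```python
import hashlib
import math
import random

def bucket(value: str, num_buckets: int) -> int:
    """Hash the raw value so the device never reports the plaintext string."""
    digest = hashlib.sha256(value.encode("utf-8")).digest()
    return int.from_bytes(digest[:4], "big") % num_buckets

def keep_probability(epsilon: float) -> float:
    """Probability a bit is reported truthfully; epsilon is the per-bit privacy budget."""
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    return math.exp(epsilon) / (math.exp(epsilon) + 1.0)

def privatize(value: str, num_buckets: int, epsilon: float, rng: random.Random) -> list:
    """Client side: one-hot encode the hashed bucket, then independently flip every
    bit with probability 1 - p, so a reported 1 may be true or may be noise."""
    p = keep_probability(epsilon)
    one_hot = [0] * num_buckets
    one_hot[bucket(value, num_buckets)] = 1
    return [bit if rng.random() < p else 1 - bit for bit in one_hot]

def estimate_counts(reports: list, epsilon: float) -> list:
    """Server side: debias the noisy column sums. For a bucket with true count c,
    E[sum] = c*p + (n-c)*(1-p) = c*(2p-1) + n*(1-p), so c = (sum - n*(1-p)) / (2p-1)."""
    p = keep_probability(epsilon)
    n = len(reports)
    num_buckets = len(reports[0])
    sums = [sum(r[b] for r in reports) for b in range(num_buckets)]
    return [(s - n * (1 - p)) / (2 * p - 1) for s in sums]

def simulate(values: list, num_buckets: int, epsilon: float, seed: int = 0):
    """Run the full round trip and return (true per-bucket counts, noisy estimates)."""
    rng = random.Random(seed)
    reports = [privatize(v, num_buckets, epsilon, rng) for v in values]
    true_counts = [0] * num_buckets
    for v in values:
        true_counts[bucket(v, num_buckets)] += 1
    return true_counts, estimate_counts(reports, epsilon)

if __name__ == "__main__":
    # Constructed sample population: 10,000 devices each reporting one item.
    sample = ["item-a"] * 6000 + ["item-b"] * 3000 + ["item-c"] * 1000
    truth, est = simulate(sample, num_buckets=8, epsilon=2.0)
    for b, (t, e) in enumerate(zip(truth, est)):
        print(f"bucket {b}: true={t:5d} estimated={e:8.1f}")
```

Note that a change to one device’s value alters two bits of its one-hot vector, so the privacy loss for the whole report is twice the per-bit epsilon; lower epsilon means more flips, stronger deniability and wider error bars on the estimates.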
Let’s hope so, and let’s hope Apple and other mobile software makers keep breaking ground, as we know criminals and digital eavesdroppers will continue to innovate and push forward on their side of the security equation.
In my next post, I’ll detail steps users can take to set the security and privacy to appropriate levels on their new iPhones.