What elements go into Apple iOS security?


Apple users are now either happily picking up or awaiting delivery of their new iPhone 7s. That makes now an ideal time to review the many security elements in iPhone hardware and software design.

Many assume that because mobile phones are small and easy to use, they are simple devices and simple to secure. That’s a huge misconception. These are complex computing environments that have a great need for security capabilities, even more than most desktops would need. The security elements involved include kernel and system security, encryption architecture, app security, network security and communication services.

One of the things that users appreciate about the iPhone is the level of security it provides and that it doesn’t get in the way of a quality user experience. Below is a fairly impressive list (taken from the iOS Security guide, published by Apple in May) of the many moving parts that go into securing all of the hardware, apps, data, network and communications functions of the iPhone:

System Security

  • Secure boot chain
  • System Software Authorization
  • Secure Enclave
  • Touch ID

Hardware Security

  • File Data Protection
  • Passcodes
  • Data Protection classes
  • Keychain Data Protection
  • Access to Safari saved passwords
  • Keybags
  • Security Certifications and programs

App Security

  • App code signing
  • Runtime process security
  • Extensions
  • App Groups
  • Data Protection in apps
  • Accessories
  • HomeKit
  • HealthKit
  • Secure Notes
  • Apple Watch

Network Security

  • TLS
  • VPN
  • Wi-Fi
  • Bluetooth
  • Single Sign-on
  • AirDrop security

Apple Pay

  • Apple Pay components
  • How Apple Pay uses the Secure Element
  • How Apple Pay uses the NFC controller
  • Credit and debit card provisioning
  • Payment authorization
  • Transaction-specific dynamic security code
  • Contactless payments with Apple Pay
  • Paying with Apple Pay within apps
  • Rewards cards
  • Suspending, removing, and erasing cards

Internet Services

  • Apple ID
  • iMessage
  • FaceTime
  • iCloud
  • iCloud Keychain
  • Siri
  • Continuity
  • Spotlight Suggestions

Device Controls

  • Passcode protection
  • iOS pairing model
  • Configuration enforcement
  • Mobile device management (MDM)
  • Shared iPad
  • Apple School Manager
  • Device Enrollment
  • Apple Configurator 2
  • Supervision
  • Restrictions
  • Remote Wipe
  • Lost Mode
  • Activation Lock

Privacy Controls

  • Location Services
  • Access to personal data
  • Privacy policy

Apple says it redesigned the desktop security stack for a mobile environment.

“We thought about the security hazards of the desktop environment, and established a new approach to security in the design of iOS. We developed and incorporated innovative features that tighten mobile security and protect the entire system by default. As a result, iOS is a major leap forward in security for mobile devices.

Every iOS device combines software, hardware, and services designed to work together for maximum security and a transparent user experience. iOS protects not only the device and its data at rest, but the entire ecosystem, including everything users do locally, on networks, and with key Internet services,” according to the guide.

With iOS 10, Apple is upping its game when it comes to privacy.

As announced at WWDC16 in mid-June, Apple is working on “differential privacy,” which should help improve the accuracy of user queries while reducing the chance that users can be identified. Methods include adding noise to the transaction and hashing.
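An added illustration of the "noise plus hashing" idea, not Apple's implementation and not code from the original post: each simulated device hashes its value into a bucket and randomly flips bits before reporting (randomized response), and the collector still recovers accurate aggregate counts. The bucket count, epsilon value and sample words are assumptions chosen for the demo.

```python
import hashlib
import math
import random

BUCKETS = 16    # assumed size of the hash range
EPSILON = 2.0   # assumed per-report privacy budget
# Flipping each bit of a one-hot vector with this probability gives
# EPSILON-local differential privacy for a single report.
FLIP = 1.0 / (1.0 + math.exp(EPSILON / 2))

def bucket(value):
    """Hash a value into one of BUCKETS slots so the raw string is never sent."""
    digest = hashlib.sha256(value.encode("utf-8")).digest()
    return int.from_bytes(digest[:4], "big") % BUCKETS

def privatize(value, rng):
    """Device side: one-hot encode the bucket, then flip each bit with prob FLIP."""
    slot = bucket(value)
    return [int(i == slot) ^ int(rng.random() < FLIP) for i in range(BUCKETS)]

def estimate_counts(reports):
    """Collector side: subtract the expected noise from the per-bucket sums."""
    n = len(reports)
    sums = [sum(r[i] for r in reports) for i in range(BUCKETS)]
    return [(s - n * FLIP) / (1 - 2 * FLIP) for s in sums]

def run_demo(seed=7):
    """Constructed population of 10,000 users; returns (true, estimated, reports)."""
    rng = random.Random(seed)
    population = ["hello"] * 6000 + ["thanks"] * 3000 + ["ok"] * 1000
    true_counts = [0] * BUCKETS
    for word in population:
        true_counts[bucket(word)] += 1
    reports = [privatize(word, rng) for word in population]
    return true_counts, estimate_counts(reports), reports

if __name__ == "__main__":
    true_counts, estimates, _ = run_demo()
    for i, (t, e) in enumerate(zip(true_counts, estimates)):
        print(f"bucket {i:2d}  true={t:5d}  estimated={e:8.1f}")
```

Any single report is mostly noise, so it says little about its sender, while the debiased totals track the true bucket counts closely across the whole population.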

In an AppleInsider story, “Inside iOS 10: Apple doubles down on security with cutting edge differential privacy,” Aaron Roth, a privacy researcher at the University of Pennsylvania, called Apple’s efforts here “groundbreaking.”

Let’s hope so, and let’s hope Apple and other mobile software makers keep breaking ground, as we know criminals and digital eavesdroppers will continue to innovate and push forward on their side of the security equation.

In my next post, I’ll detail steps users can take to set the security and privacy to appropriate levels on their new iPhones.
