In late May, Apple quietly published a document entitled, simply, iOS Security. This short whitepaper describes several aspects of security within their iPad, iPhone, and iPod touch ecosystem, providing a high-level introduction to certain features and some fairly deep technical information for others. The stated goal is to help security-minded customers to better understand the core security features present in iOS. It’s definitely worth a read, but for now, let’s talk about some of the more interesting highlights.
It starts off describing the overall system architecture, from the boot ROM (including a public key used to validate system software) through the Low Level Bootloader and into the kernel and application layers. Executable code at all layers, including OS, Apple, and third-party applications, is signed, and the signatures are validated before the code is run. These checks help to keep malicious code from affecting the system.
Also described are some of the runtime security features. The core feature here is application sandboxing, where each application is limited in where it can write data, and prevented from accessing other applications’ data or code. To share information with other applications, developers need to communicate through iOS APIs or services. Another noteworthy mention is that the core operating system partition is mounted read-only, further limiting the ability of a malicious program to attack the device.
Probably the most interesting section of this document details the Encryption and Data Protection features of iOS. Much of this is not new, having been detailed at WWDC conferences and in other developer documentation (not to mention several talks by prominent security researchers), but having it in a single, easily-accessible format is a welcome improvement.
The use of hardware-level AES-256 cryptography to provide full-disk encryption and a fast remote wipe capability is already well known, as is the use of a unique UID key embedded in each device’s hardware. What came as a surprise was the statement that this UID is not recorded by Apple or its suppliers, which means that keys (and data) protected using that UID cannot be decrypted by anyone not in possession of the target device (or, presumably, NSA-level supercomputers). Potential issues related to securely erasing stored keys from flash memory are also addressed with Effaceable Storage, a dedicated region of flash that is addressed directly and erased at a very low level, so that the wear-leveling normally performed by flash storage cannot leave stale copies of a "deleted" key behind.
Next up is a high-level description of file-based data protection attributes, which, when combined with a device passcode, provide application-level controls over data accessibility. The various protection classes are described, both for files and keychain entries, and it even provides a handy reference chart for system-level keychain entries like Wi-Fi passwords, email accounts, and private keys.
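To make the file and keychain protection classes concrete, here is a short added example of how an app opts into them. This is illustrative code written for this post, not code from Apple's whitepaper; the function names and the `example.token` service name are hypothetical, but `NSDataWritingFileProtectionComplete` and `kSecAttrAccessibleWhenUnlockedThisDeviceOnly` are the real Foundation and Security framework constants.

```objectivec
// Added example: applying Data Protection classes to a file and a keychain
// item from an iOS app. Function names are hypothetical.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Write a file in the "Complete Protection" class. Its per-file key is
// wrapped with a class key that is discarded from memory shortly after the
// device locks, so the contents are only readable while the device is unlocked.
static BOOL WriteProtectedFile(NSString *path, NSData *contents, NSError **error) {
    return [contents writeToFile:path
                         options:(NSDataWritingAtomic | NSDataWritingFileProtectionComplete)
                           error:error];
}

// Store a secret in the keychain with the "WhenUnlocked, ThisDeviceOnly"
// accessibility class. "ThisDeviceOnly" items are wrapped with keys derived
// from the device UID, so they cannot be restored onto a different device.
static OSStatus StoreSecret(NSString *service, NSString *account, NSData *secret) {
    NSDictionary *query = @{
        (__bridge id)kSecClass       : (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService : service,
        (__bridge id)kSecAttrAccount : account,
    };
    // Remove any existing item so SecItemAdd does not fail with errSecDuplicateItem.
    SecItemDelete((__bridge CFDictionaryRef)query);

    NSMutableDictionary *item = [query mutableCopy];
    item[(__bridge id)kSecValueData]      = secret;
    item[(__bridge id)kSecAttrAccessible] =
        (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly;
    return SecItemAdd((__bridge CFDictionaryRef)item, NULL);
}

// Read the secret back. While the device is locked this returns nil, with
// SecItemCopyMatching reporting errSecInteractionNotAllowed: the class key
// needed to unwrap the item is simply not available.
static NSData *LoadSecret(NSString *service, NSString *account) {
    NSDictionary *query = @{
        (__bridge id)kSecClass       : (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService : service,
        (__bridge id)kSecAttrAccount : account,
        (__bridge id)kSecReturnData  : @YES,
        (__bridge id)kSecMatchLimit  : (__bridge id)kSecMatchLimitOne,
    };
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (status != errSecSuccess) {
        return nil;
    }
    return (__bridge_transfer NSData *)result;
}

// Usage from somewhere in the app (hypothetical paths and values):
static void Demo(void) {
    NSError *error = nil;
    NSString *path = [NSTemporaryDirectory() stringByAppendingPathComponent:@"notes.txt"];
    NSData *note = [@"only readable while unlocked" dataUsingEncoding:NSUTF8StringEncoding];
    if (!WriteProtectedFile(path, note, &error)) {
        NSLog(@"file write failed: %@", error);
    }

    NSData *token = [@"constructed-sample-token" dataUsingEncoding:NSUTF8StringEncoding];
    OSStatus status = StoreSecret(@"example.token", @"user", token);
    if (status != errSecSuccess) {
        NSLog(@"keychain add failed: %d", (int)status);
    }
    NSData *back = LoadSecret(@"example.token", @"user");
    NSLog(@"loaded %lu bytes", (unsigned long)back.length);
}
```

The caveat a practitioner should keep in mind is the one the whitepaper itself makes: these classes only buy something when a passcode is set. Without one, the class keys are protected by the device UID alone, so anyone holding the device can unlock them, and "Complete Protection" degrades to plain full-disk encryption. Choosing a class is also a availability trade-off; a file in the Complete class cannot be read by a background task that runs after the device locks, which is why the less strict classes exist.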
The data protection section finishes with a clear description of the four types of keybags in use on iOS: System, Backup, Escrow, and iCloud Backup keybags. In addition to the plain-English explanation of each keybag’s purpose (and location), the high-level structure of the keybag itself, along with protections for each key, is also given.
Two short sections, one describing Network Security features, and the other providing information on Configuration Profiles, device Restrictions, and MDM control, finish up the document, along with a short glossary.
Unfortunately, the whitepaper doesn’t have enough detail to serve as a reference for programmers or reverse engineers testing specific features. However, it is a great introduction to the complex collection of security features core to iOS. This should be required reading for enterprise-level security engineers and managers, whether contemplating future iOS support or hoping to better understand what they already have.