Apple reveals iOS application security secrets
According to Apple, iOS devices are designed with multiple security layers. "Low-level hardware and firmware features protect against malware and viruses, while high-level OS features allow secure access to personal information and corporate data, prevent unauthorized use, and help thwart attacks," the guide states. "The iOS security model protects information while still enabling mobile use, third-party apps and syncing. Much of the system is based on industry-standard secure design principles--and in many cases, Apple has done additional design work to enhance security without compromising usability."
The iOS Security Guide continues in great detail about safeguards like a secure boot chain, system software personalization, app code signing, runtime process security and data encryption. "To ensure that all apps come from a known and approved source and have not been tampered with, iOS requires that all executable code be signed using an Apple-issued certificate," Apple states. "Apps provided with the device, like Mail and Safari, are signed by Apple. Third-party apps must also be validated and signed using an Apple-issued certificate. Mandatory code signing extends the concept of chain of trust from the OS to apps and prevents third-party apps from loading unsigned code resources or using self-modifying code."
Apple notes that all third-party apps are "sandboxed"--i.e., restricted from accessing files stored by other apps or from making changes to the device, a measure that prevents apps from gathering or modifying information stored by other software. Each app has a unique, randomly-assigned home directory for its files. If a third-party app needs to access information other than its own, it does so only by using application programming interfaces and services provided by iOS.
Access by third-party apps to user information and features such as the iCloud storage platform is controlled using declared entitlements--key/value pairs that are signed in to an app and enable authentication beyond runtime factors like user ID. Apple notes that apps can only perform background processing through system-provided APIs, guaranteeing that app continue to function without degrading performance or draining battery life.
Apple also takes a shot at archrival Google's (NASDAQ:GOOG) Android: "Unlike other mobile platforms, iOS does not allow users to install potentially malicious unsigned apps from websites, or run untrusted code. At runtime, code signature checks of all executable memory pages are made as they are loaded to ensure that an app has not been modified since it was installed or last updated."
The iOS Security Guide represents an unusual step for Apple, a company notorious for closely guarding its corporate secrets. The document is clearly intended to assuage both consumer and enterprise fears over iOS data safety, and it encourages businesses to "review their IT and security policies to ensure they are taking full advantage of the layers of security technology and features offered by the iOS platform."
- read this CNet article
Facebook, Pinterest among 33 iOS developers targeted in app privacy probe
Facebook, Apple targeted in mobile app privacy class action suit
Fiksu: iPhone app downloads drop 5% in April
Apple CEO Cook: 'Stay tuned' for deeper Facebook integration in iOS
Apple's iOS crushes Android on Q1 enterprise device activations