The iOS Security Model

Apple has incorporated four layers of security in iOS to protect the user and their data.

Device Security
Techniques to prevent an unauthorized individual from using the device

Data Security
Techniques to protect the data stored on the device, even if the device is stolen

Network Security
Tools to encrypt data while it is in transit across a network

Application Security
Mechanisms to secure the operating system and isolate applications while they are running.

Components of the iOS Security Model

Device security
Apple’s device security mechanisms help ensure that a user’s device can’t be used by an unauthorized party. The most common device security mechanism is the device’s PIN lock or passcode. Apple allows these locks to be forced on as part of an enterprise policy, or can be set manually by individual users. Enterprises can force a passcode to have a minimum length, alphanumeric composition, complex characters, and even set the maximum age and history policies for a passcode. Users can additionally set the device to automatically wipe itself if the wrong passcode is entered too many times.

In addition to passcode locks, Apple’s device security strategy also includes the use of signed configuration profiles, allowing large enterprises to centrally distribute VPN, WiFi, email, and other configurations to devices in a secure fashion. Central configurations can restrict the device from using certain insecure functionality, such as disabling YouTube or the device’s camera. Installation of third-party applications can also be restricted, further mitigating the risk from unsanctioned applications on the device.

Data security
Data security is a primary focus of secure applications, and therefore a primary focus of this article. Apple has incorporated a number of data security approaches to protect sensitive data on the device, with the goal of protecting data even if the device is stolen. These mechanisms include a remote wipe function, encryption, and data protection. Apple’s remote wipe feature allows the device to be wiped once it’s discovered stolen by the owner, or if too many passcode attempts fail. The device can also be locally wiped by the user within a very short amount of time (usually less than 30 seconds).

The encryption feature causes all data on the device to be encrypted, a feature requirement for many types of certifications. In addition to the data being encrypted, data backed up through iTunes can also be encrypted. A password is set through iTunes, and stored on the device. Whenever a backup is made, the password on the device is used to encrypt the data. Regardless of what desktop computer is performing the backup, the mobile device itself retains the original encryption key that was set when it was activated.

Apple’s data protection mechanisms are one of the most notable (and most targeted) security mechanisms on iOS devices. Data protection uses a hardware encryption accelerator shipped with all iPhone 3GS and newer devices to encrypt selected application data; this functionality is used by Apple itself as well as made available to developers. By combining certain encryption keys stored on the device with a passcode set by the user, the system can ensure that certain protected files on the filesystem can be decrypted only after the user enters her passcode. The concept behind the passcode is that a device can be trusted only until a user puts it down. Protecting certain files in this manner helps to ensure that the user of the device knows something an authorized user would know.

The effectiveness of Apple’s data protection encryption largely depends on the complexity of the passcode selected by the user. Simple four-digit PIN codes, as one might surmise, can be easily broken, as can passwords using dictionary words or other patterns attacked by password cracking tools. There are also a number of ways to hijack data without knowing the passcode at all.

Network security
Network security has been around as long as networking, and Apple has incorporated many of the same solutions used in secure networking into iOS. These include VPN,  SSL/TLS transport encryption, and WEP/WPA/WPA2 wireless encryption and au- thentication. We will touch on some of the techniques used to penetrate network security in this book, but a number of books exist solely on this topic, as they apply to nearly every device and operating system connected to the Internet.

Application security
On an application level, App Store applications are run in a sandbox. Sandboxing refers to an environment where code is deemed untrusted and is therefore isolated from other processes and resources available to the operating system. Apple’s sandbox limits the amount of memory and CPU cycles an application can use, and also restricts it from accessing files from outside of its dedicated home directory. Apple provides classes to interface with the camera, GPS, and other resources on the device, but prevents the application from accessing many components directly. Applications running in the sandbox cannot access other applications or their data, nor can they access system files and other resources.

In addition to restricting the resources an application can access on the device, Apple has incorporated application signing to police the binary code allowed to run on the device. In order for an application to be permitted to run under iOS, it must be signed by Apple or with a certificate issued by Apple. This was done to ensure that applications  have not been modified from their original binary. Apple also performs runtime checks to test the integrity of an application to ensure that unsigned code hasn’t been injected into it.

As part of application security, Apple has incorporated an encrypted keychain providing a central facility for storing and retrieving encrypted passwords, networking credentials, and other information. Apple’s Security framework provides low-level functionality for reading and writing data to and from the keychain and performing encryption and decryption. Data in the keychain is logically zoned so that an application cannot access encrypted data stored by a different application.

Apple’s Common Crypto architecture provides common cryptographic APIs for developers who want to add custom encryption to their applications. The Common Crypto architecture includes AES, 3DES, and RC4 encryption. Apple has also married this framework to the device’s hardware-accelerated encryption capabilities, providing accelerated AES encryption and SHA1 hashing, both of which are used by Apple internally as part of their underlying data security framework.