A layered approach to security.

The iOS platform provides stringent security technology and features without compromising the user experience. iOS devices are designed to make security as transparent as possible. Many security features are enabled by default, so users don’t need security expertise to keep their information protected.

System architecture.

iOS is designed with security at its core. It includes a sandboxed approach to application runtime protection and requires application signing to ensure that applications cannot be tampered with.

Secure Boot Chain

Every step in the startup process — from the bootloaders, to the kernels, to the baseband firmware — is signed by Apple to ensure integrity. Only after verifying one step does the device move to the next step.

Execute Never

iOS uses ARM’s Execute Never (XN) feature, which marks parts of memory as non-executable. This makes it hard for attackers to gain a foothold on the system, and exceptions — such as Safari’s JavaScript JIT — are tightly controlled.

DFU Mode

If the Boot ROM of an iOS device is unable to load or verify the lowest levels of the firmware, it enters Device Firmware Upgrade mode. Restoring a device after entering DFU mode returns it to a known good state with the certainty that only unmodified Apple-signed code is present.

App Entitlements

Entitlements are used to allow specific operations that would otherwise require the process to run with administrative privileges. This greatly reduces the potential for a compromised app to access parts of the system it shouldn’t.

App Code Signing

To ensure that all apps come from a known and approved source and have not been tampered with, iOS requires that all executable code be signed. Built-in apps, like Mail, are signed by Apple. Third-party apps must be signed using a certificate from the iOS Developer Program.

System Software Personalization

iOS uses System Software Personalization to prevent the installation of unauthorized system software and to ensure software updates are exactly as they were provided by Apple.

Address Space Layout Randomization

In iOS, ASLR is used to ensure that all system apps and libraries are stored in random locations in memory, making successful exploitation of a software bug much more difficult.

App Store Review Process

All apps in the App Store have been reviewed to make sure they follow developer guidelines, work as advertised, and don’t contain bugs or malicious code.

App Sandboxing

All third-party apps are “sandboxed,” so they are restricted from accessing files stored by other apps or from making changes to the device. This prevents apps from gathering or modifying information the way a virus or malware would try to do.

Enterprise App Distribution

In order to distribute custom in-house apps to employees, an enterprise must join the iOS Developer Enterprise Program and create an Enterprise Provisioning Profile that permits the app to run on the devices it authorizes.

Recovery Mode

If one step of the secure boot process is unable to load or verify the next, boot-up is stopped and the device displays the “Connect to iTunes” screen. Once in this Recovery Mode, the device must be restored to factory defaults via iTunes.

Provisioning Profiles

A provisioning profile is a file that must be used in order to install and run a custom in-house app. It authorizes enterprise apps to run on iOS devices, and can be created via the iOS Developer Enterprise Program.

Encryption and data protection.

In addition to encrypting data in transmission, iPad provides hardware encryption for all data stored on the device, and additional encryption of email and application data with enhanced data protection.

Hardware Encryption

Every iOS device has a dedicated AES 256-bit crypto engine built in that is used to encrypt data on the device efficiently and securely.

Effaceable Storage

To securely erase saved keys, iOS devices include a feature called Effaceable Storage that accesses the underlying storage technology to directly address and erase a small number of blocks at a very low level.

Data Protection Classes

When a new file is created on an iOS device, it’s assigned a Data Protection class by the app that creates it. The iOS SDK offers APIs that make it easy for developers to adopt Data Protection and ensure the highest level of protection in their apps.

Passcodes

In addition to protecting the user interface, the passcode is used to generate an encryption key. This means an attacker in possession of a device can’t get access to data in certain protection classes without the passcode.

CommonCrypto APIs

Application developers have access to encryption APIs that they can use to further protect their data. Data can be symmetrically encrypted using proven methods such as AES.

Encrypted iTunes Backup

When an iOS device is backed up to iTunes, the backup can be encrypted to prevent access to the information it contains. Encrypted iTunes backups can be enforced via configuration policies that are installed using MDM.

File Data Protection

In addition to the hardware encryption features built into iOS devices, Apple uses a technology called Data Protection to further protect data stored in flash memory on the device.

Keychain Data Protection

In addition to File Data Protection, iOS features Keychain Data Protection to securely store passwords and other short but sensitive bits of data, such as keys and login tokens.

Tangling

When a passcode is created on an iOS device, it is “tangled” or turned into a cryptographic key and strengthened with the device’s unique hardware ID. This means brute-force attempts to access information must be performed on the device.

Network security.

iPad provides seamless access to corporate information networks, and also provides features to ensure users are authorized and data is protected in transmission.

SSL/TLS

Safari, Calendar, Mail, and other Internet applications automatically use SSL/TLS to enable an encrypted communication channel between the device and network services.

802.1X

With support for 802.1X, iOS devices can be integrated into a broad range of RADIUS authentication environments.

S/MIME Email

iOS leverages certificates for authenticated and encrypted email and supports S/MIME, allowing users to send and receive encrypted email messages.

RSA SecurID

For enterprise environments in which a two-factor token is a requirement, iOS integrates with RSA SecurID and CRYPTOCard.

WPA2 Enterprise Wi-Fi

iOS supports industry-standard Wi-Fi protocols, including WPA2 Enterprise, to provide authenticated access to wireless corporate networks. WPA2 Enterprise uses AES encryption to ensure data remains protected over a Wi-Fi network connection.

VPN Proxy

iOS supports network proxy configuration so that traffic to public or private network domains is relayed according to specific enterprise policies and resources.

OCSP Support

iOS supports the Online Certificate Status Protocol to obtain the revocation status of certificates. If the code signing certificate of an app has been revoked, iOS will prevent the app from running.

SSL VPN

iOS enables access to SSL VPN servers through the use of third-party apps from the App Store.

Built-In VPN

iOS features a built-in VPN client to enable users to securely connect to Cisco IPSec, L2TP, and PPTP VPN servers right out of the box.

iMessage and FaceTime Encryption

A unique ID is created for each user, and each FaceTime session and iMessage conversation is encrypted, routed, and connected securely.

Bluetooth

Bluetooth support in iOS has been designed to provide useful functionality without unnecessary increased access to private data.

Device access.

Establishing strong policies for access to iPad is critical to protecting corporate information. iPad provides a comprehensive approach to both configuration and enforcement.

Configuration Profiles

Configuration Profiles are XML files containing settings that permit the device to work with your enterprise systems including account information, passcode policies, restrictions, and other device settings.

Configuration Enforcement

MDM enables IT to wirelessly enforce a comprehensive set of policies on an iOS device, while Exchange ActiveSync provides a subset of those that are commonly used.

Exchange ActiveSync

In addition to enabling access to email, calendars, contacts, and tasks, Exchange ActiveSync gives an enterprise the ability to push passcode and IT policies over the air and remotely wipe a lost or stolen device.

Digital Certificates

iOS supports digital certificates to enable secure, streamlined access to corporate services like Exchange ActiveSync, VPN, and Wi-Fi.

Remote Wipe

In the event an iOS device is lost or stolen, a command can be sent wirelessly by an MDM server, via Exchange ActiveSync, or iCloud to permanently delete all data and restore it to factory settings.

Passcode Expiration

iOS supports passcode expiration and reuse policies to make sure users are refreshing their device passcode on a regular basis.

OTA Passcode Enforcement

Passcodes can be pushed down and enforced over the air. Using MDM and Exchange ActiveSync, IT can prompt the user to create a strong passcode before gaining access to services.

Local Wipe

If a passcode is entered incorrectly too many times on an iOS device, it can be set to automatically wipe all data and return to factory defaults.

Mobile Device Management

Using MDM, IT departments can enroll iOS devices in an enterprise environment, wirelessly configure and update settings, monitor compliance with corporate policies, and even remotely wipe or lock managed devices.

Restrictions

In addition to enabling access to corporate services like email and VPN, Configuration Profiles can be used to restrict features like the camera or the ability to take screenshots, if required for use in certain environments.

Progressive Device Protection

If a user repeatedly enters the wrong passcode, the device is disabled for increasingly longer intervals. After too many unsuccessful attempts, all data and settings on the device are erased.