iOS is designed with advanced security technologies that offer enterprise-grade protection for corporate data while maintaining a great user experience. This comprehensive approach to security allows for end‑to‑end control of devices, data, and apps and keeps users focused on being productive.
iOS delivers a secure architecture throughout, covering everything from the startup process to third-party apps. It includes a “sandboxed” approach to application runtime protection and requires application signing to prevent tampering.
Secure Boot Chain
Every step in the startup process — from the bootloaders, to the kernels, to the baseband firmware — is signed by Apple to ensure integrity. Each step in the process is verified completely before moving to the next.
If one step of the secure boot process is unable to load or verify the next, boot-up is stopped and the device displays the “Connect to iTunes” screen. Once in this Recovery Mode, the device must be restored to factory defaults via iTunes.
If the Boot ROM of an iOS device is unable to load or verify the lowest levels of the firmware, it enters Device Firmware Upgrade (DFU) mode. Restoring a device after entering DFU mode returns it to a known good state with the certainty that only unmodified Apple-signed code is present.
iOS uses System Software Personalization to prevent the installation of unauthorized system software and to ensure software updates are exactly as they were provided by Apple.
App Code Signing
To ensure that all apps come from a known and approved source and have not been tampered with, iOS requires that all executable code be signed. Built-in apps like Mail are signed by Apple. Third-party apps must be signed using a certificate from the iOS Developer Program.
Entitlements are used to perform specific operations that would otherwise require the process to run with administrative privileges. This greatly reduces the potential for a compromised app to access parts of the system it shouldn’t.
Address Space Layout Randomization
In iOS, ASLR is used to ensure all system apps and libraries are stored in random locations in memory to make the successful exploitation of a software bug much more difficult.
App Store Review Process
All apps in the App Store have been reviewed to make sure they follow developer guidelines, work as advertised, and don't contain malicious code.
All third-party apps are “sandboxed,” so they are restricted from accessing files stored by other apps or from making changes to the device. This prevents apps from gathering or modifying information that they should not have access to.
Enterprise App Distribution
In order to distribute custom in-house apps to employees, an enterprise must join the iOS Developer Enterprise Program and create an Enterprise Provisioning Profile that permits the app to run on the devices it authorizes.
A provisioning profile is a file that must be used in order to install and run a custom in-house app. It authorizes enterprise apps to run on iOS devices, and can be created via the iOS Developer Enterprise Program.
iOS devices provide hardware encryption for all data stored on the device, protect data in transmission, and add a further layer of encryption for email and application data through enhanced data protection.
Every iOS device has a dedicated AES 256-bit crypto engine built in that is used to encrypt all data on the device at all times.
All third-party apps have data protection enabled automatically. Information stored in apps is encrypted with a unique key that's generated based on the user’s passcode working in concert with the hardware encryption, which protects the data until the user first unlocks their device after each reboot.
To securely erase saved keys, iOS devices include a feature called Effaceable Storage that accesses the underlying storage technology to directly address and erase a small number of blocks at a very low level.
In addition to unlocking the device, the passcode strengthens the encryption keys. This means an attacker in possession of a device can’t get access to data in certain protection classes without the passcode.
Common Crypto APIs
Application developers have access to encryption APIs that they can use to further protect their data. Data can be symmetrically encrypted using proven methods such as AES, RC4, or 3DES.
FIPS 140-2 Certification
The iOS Cryptographic Modules have been granted FIPS 140-2 compliance by the U.S. Federal Government on devices running iOS 7.
File Data Protection
In addition to the hardware encryption features built into iOS devices, Apple uses a technology called Data Protection to further protect data stored in flash memory on the device.
Keychain Data Protection
In addition to File Data Protection, iOS features Keychain Data Protection to securely store passwords and other short but sensitive bits of data, such as keys and login tokens.
When a passcode is created on an iOS device, it is “tangled” or turned into a cryptographic key and strengthened with the device’s unique hardware ID. This means brute-force attempts to access information must be performed on the device.
iOS provides seamless access to corporate information networks, and also provides features to ensure users are authorized and data is protected in transmission.
Safari, Calendar, Mail, and other Internet applications automatically use SSL/TLS to enable an encrypted communication channel between the device and network services.
With support for 802.1X, iOS devices can be integrated into a broad range of RADIUS authentication environments.
iOS leverages certificates for authenticated and encrypted email and supports S/MIME, allowing users to send and receive encrypted email messages.
For enterprise environments in which a two-factor token is a requirement, iOS integrates with RSA SecurID and CRYPTOCard.
WPA2 Enterprise Wi-Fi
iOS supports industry-standard Wi-Fi protocols, including WPA2 Enterprise, to provide authenticated access to wireless corporate networks. WPA2 Enterprise uses AES encryption to ensure data remains protected over a Wi-Fi network connection.
iOS supports network proxy configuration so that traffic to public or private network domains is relayed according to specific policies and resources.
iOS supports the Online Certificate Status Protocol (OCSP) to obtain the revocation status of certificates. If an app is using a certificate that has been revoked, iOS will prevent the app from running.
Bluetooth support in iOS has been designed to provide useful functionality without unnecessary increased access to private data.
Per App VPN
Apps can be configured to automatically connect to VPN when they are launched. Per app VPN ensures that data transmitted by managed apps travels through VPN — and that other data, like an employee’s personal web browsing activity, does not.
iOS enables access to SSL VPN servers through the use of third-party apps from the App Store.
iOS features a built-in VPN client to enable users to securely connect to Cisco IPSec, L2TP, and PPTP VPN servers right out of the box.
A unique ID is created for each user, ensuring each FaceTime session and iMessage conversation is encrypted, routed, and connected properly.
Establishing strong policies for access is critical to protecting corporate information. iOS provides a comprehensive approach to both configuration and enforcement.
Configuration profiles are XML files containing the settings for a device to connect with enterprise systems including account information, passcode policies, restrictions, and other device settings.
MDM enables IT to wirelessly enforce a comprehensive set of policies on an iOS device, while Exchange ActiveSync provides a subset of those that are commonly used.
In addition to enabling access to email, calendars, contacts, and tasks, Exchange ActiveSync gives an enterprise the ability to push passcode and IT policies over the air and remotely wipe a lost or stolen device.
Enterprise Single Sign On
Enterprise Single Sign On (SSO) means user credentials can be entered once and used across apps, including apps from the App Store. Each new app configured with SSO verifies user permissions for enterprise resources, and logs users in without requiring them to reenter passwords.
In the event an iOS device is lost or stolen, a command can be sent wirelessly by an MDM server via Exchange ActiveSync or iCloud to permanently delete all data and restore it to factory settings.
iOS supports passcode expiration and reuse policies to ensure users are refreshing their device passcode on a regular basis.
OTA Passcode Enforcement
Passcodes can be pushed down and enforced over the air. Using MDM or Exchange ActiveSync, IT can prompt the user to create a strong passcode before gaining access to services.
If a passcode is entered incorrectly too many times on an iOS device, it can be set to automatically wipe all data and return to factory defaults.
iOS supports digital certificates to enable secure, streamlined access to corporate services like Exchange ActiveSync, VPN, and Wi-Fi.
Using MDM, IT can enroll iOS devices in an enterprise environment, wirelessly configure and update settings, monitor compliance with corporate policies, and even remotely wipe or lock managed devices.
In addition to enabling access to corporate services like email and VPN, configuration profiles can be used to restrict features like the camera or the ability to take screenshots, if required for use in certain environments.
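As an added example (not from Apple's documentation), the following Python builds a constructed configuration profile carrying the passcode-policy and restrictions payloads described above, then parses the XML plist and checks the passcode payload against a hypothetical organisational baseline. The payload types and keys are Apple's documented ones; the payload identifier and baseline values are assumptions.

```python
import plistlib

# Hypothetical passcode policy an organisation might push via MDM.
STRONG_POLICY = {"forcePIN": True, "allowSimple": False, "minLength": 6,
                 "maxFailedAttempts": 10, "maxPINAgeInDays": 90, "pinHistory": 4}

# Hypothetical baseline: (key, comparison, value). "min" keys must be at least
# the value, "max" keys at most it (a larger wipe threshold or longer passcode
# lifetime is weaker), "eq" keys must match exactly.
BASELINE = [
    ("forcePIN", "eq", True), ("allowSimple", "eq", False),
    ("minLength", "min", 6), ("pinHistory", "min", 4),
    ("maxFailedAttempts", "max", 10), ("maxPINAgeInDays", "max", 90),
]

def build_profile(passcode_policy):
    """Serialise a constructed profile (hypothetical identifier) to XML plist bytes."""
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.enterprise.baseline",
        "PayloadContent": [
            {"PayloadType": "com.apple.mobiledevice.passwordpolicy", **passcode_policy},
            # Restrictions payload: camera and screenshots disabled.
            {"PayloadType": "com.apple.applicationaccess",
             "allowCamera": False, "allowScreenShot": False},
        ],
    })

def find_payload(profile, payload_type):
    """Return the first payload of the given PayloadType, or None."""
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == payload_type:
            return payload
    return None

def passcode_findings(profile_bytes):
    """Parse an XML configuration profile and list passcode-policy baseline violations."""
    profile = plistlib.loads(profile_bytes)
    policy = find_payload(profile, "com.apple.mobiledevice.passwordpolicy")
    if policy is None:
        return ["no com.apple.mobiledevice.passwordpolicy payload"]
    findings = []
    for key, mode, want in BASELINE:
        got = policy.get(key)
        if got is None:  # an unset key silently falls back to the device default
            findings.append(f"{key} not set (device default applies)")
        elif (mode == "eq" and got != want) or (mode == "min" and got < want) \
                or (mode == "max" and got > want):
            findings.append(f"{key}={got!r} violates baseline {mode} {want!r}")
    return findings

if __name__ == "__main__":
    print(passcode_findings(build_profile(STRONG_POLICY)) or ["passcode policy meets baseline"])
```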
Progressive Device Protection
If a user repeatedly enters the wrong passcode, the device is disabled for increasingly longer intervals. After too many unsuccessful attempts, all data and settings on the device will be erased.
If a user loses their iOS device, the Find My iPhone Activation Lock feature requires their Apple ID and password before turning off Find My iPhone, erasing data, or re-activating a device after it’s been remotely erased.
Powerful technologies in the iOS 7 SDK and MDM frameworks enable robust app security, a consistent set of tools for in-house and third-party iOS developers, and an integrated experience for users. With comprehensive security built into iOS, there’s no need to use third‑party SDKs or app wrappers to secure apps distributed within the enterprise.
- app sandboxing
- code signing
- app entitlements
- keychain services
- enterprise single sign on
- default data protection
- keychain data protection