The iOS platform provides innovative security technology and features without compromising the user experience. iOS devices are designed to make security as transparent as possible. Many security features are enabled by default, so users don’t need security expertise to keep their information protected.
iOS is designed with security at its core. It includes a sandboxed approach to application runtime protection and requires application signing to ensure that applications cannot be tampered with.
Secure Boot Chain
Every step in the startup process — from the bootloaders, to the kernels, to the baseband firmware — is signed by Apple to ensure integrity. Only after verifying one step does the device move to the next step.
Execute Never
iOS uses ARM’s Execute Never (XN) feature, which marks parts of the flash memory as non-executable. This ensures only authorized code can execute processes on the device. Safari uses this functionality for its JavaScript JIT compiler.
DFU Mode
If the Boot ROM of an iOS device is unable to load or verify the lowest levels of the firmware, it enters Device Firmware Upgrade mode. Restoring a device after entering DFU mode returns it to a known good state with the certainty that only unmodified Apple-signed code is present.
App Entitlements
Entitlements are used to perform specific operations that would otherwise require the process to run with administrative privileges. This greatly reduces the potential for a compromised app to access parts of the system it shouldn’t.
App Code Signing
To ensure that all apps come from a known and approved source and have not been tampered with, iOS requires that all executable code be signed. Built-in apps like Mail are signed by Apple. Third-party apps must be signed using a certificate from the iOS Developer Program.
System Software Personalization
iOS uses System Software Personalization to prevent the installation of unauthorized system software and to ensure software updates are exactly as they were provided by Apple.
Address Space Layout Randomization
In iOS, ASLR ensures that system apps and libraries are placed at random locations in memory, which makes successful exploitation of a software bug much more difficult.
App Store Review Process
All apps in the App Store have been reviewed to make sure they follow developer guidelines, work as advertised, and don’t contain bugs or malicious code.
App Sandboxing
All third-party apps are sandboxed, so they are restricted from accessing files stored by other apps or from making changes to the device. This prevents apps from gathering or modifying information the way a virus or malware would try to do.
Enterprise App Distribution
In order to distribute custom in-house apps to employees, an enterprise must join the iOS Developer Enterprise Program and create an Enterprise Provisioning Profile that permits the app to run on the devices it authorizes.
Recovery Mode
If one step of the secure boot process is unable to load or verify the next, boot-up is stopped and the device displays the “Connect to iTunes” screen. Once in this Recovery Mode, the device must be restored to factory defaults via iTunes.
Provisioning Profiles
A provisioning profile is a file that must be used in order to install and run a custom in-house app. It authorizes enterprise apps to run on iOS devices, and can be created via the iOS Developer Enterprise Program.
In addition to encrypting data in transmission, iPhone provides hardware encryption for all data stored on the device, and additional encryption of email and application data with enhanced data protection.
Hardware Encryption
Every iOS device has a dedicated AES 256-bit crypto engine built in that is used to encrypt all data on the device at all times.
Effaceable Storage
To securely erase saved keys, iOS devices include a feature called Effaceable Storage that accesses the underlying storage technology to directly address and erase a small number of blocks at a very low level.
Data Protection Classes
When a new file is created on an iOS device, it’s assigned a Data Protection class by the app that creates it. The iOS SDK offers APIs that make it easy for developers to adopt Data Protection and ensure the highest level of protection in their apps.
Passcodes
In addition to unlocking the device, the passcode strengthens the encryption keys. This means an attacker in possession of a device can’t get access to data in certain protection classes without the passcode.
CommonCrypto APIs
Application developers have access to encryption APIs that they can use to further protect their data. Data can be symmetrically encrypted using proven methods such as AES, RC4, or 3DES.
Encrypted iTunes Backup
When an iOS device is backed up to iTunes, the backup can be encrypted to prevent access to the information stored in it. Encrypted iTunes backups can be enforced via configuration policies that are installed using MDM.
File Data Protection
In addition to the hardware encryption features built into iOS devices, Apple uses a technology called Data Protection to further protect data stored in flash memory on the device.
Keychain Data Protection
In addition to File Data Protection, iOS features Keychain Data Protection to securely store passwords and other short but sensitive bits of data, such as keys and login tokens.
Tangling
When a passcode is created on an iOS device, it is “tangled” or turned into a cryptographic key and strengthened with the device’s unique hardware ID. This means brute-force attempts to access information must be performed on the device.
Execs Talk iPhone: NBC Universal
Brandon Edling, Director of Desktop Technologies at NBC Universal, explains the company's view on device security, and the policies and requirements that iPhone and iPad support to help protect NBC Universal content and information.
iPhone provides seamless access to corporate information networks, and also provides features to ensure users are authorized and data is protected in transmission.
SSL/TLS
Safari, Calendar, Mail, and other Internet applications automatically use SSL/TLS to enable an encrypted communication channel between the device and network services.
802.1X
With support for 802.1X, iOS devices can be integrated into a broad range of RADIUS authentication environments.
S/MIME Email
iOS leverages certificates for authenticated and encrypted email and supports S/MIME, allowing users to send and receive encrypted email messages.
RSA SecurID
For enterprise environments in which a two-factor token is a requirement, iOS integrates with RSA SecurID and CRYPTOCard.
WPA2 Enterprise Wi-Fi
iOS supports industry-standard Wi-Fi protocols, including WPA2 Enterprise, to provide authenticated access to wireless corporate networks. WPA2 Enterprise uses AES encryption to ensure data remains protected over a Wi-Fi network connection.
VPN Proxy
iOS supports network proxy configuration so that traffic to public or private network domains is relayed according to specific enterprise policies and resources.
OCSP Support
iOS supports the Online Certificate Status Protocol to obtain the revocation status of certificates. If an app is using a certificate that has been revoked, iOS will prevent the app from running.
SSL VPN
iOS enables access to SSL VPN servers through the use of third-party apps from the App Store.
Built-In VPN
iOS features a built-in VPN client to enable users to securely connect to Cisco IPSec, L2TP, and PPTP VPN servers right out of the box.
iMessage and FaceTime Encryption
A unique ID is created for each user, ensuring each FaceTime session and iMessage conversation is encrypted, routed, and connected properly.
Bluetooth
Bluetooth support in iOS has been designed to provide useful functionality without unnecessary increased access to private data.
Establishing strong policies for access to iPhone is critical to protecting corporate information. iPhone provides a comprehensive approach to both configuration and enforcement.
Configuration Profiles
Configuration Profiles are XML files containing settings that permit the device to work with your enterprise systems, including account information, passcode policies, restrictions, and other device settings.
Configuration Enforcement
MDM enables IT to wirelessly enforce a comprehensive set of policies on an iOS device, while Exchange ActiveSync provides a subset of those that are commonly used.
Exchange ActiveSync
In addition to enabling access to email, calendars, contacts, and tasks, Exchange ActiveSync gives an enterprise the ability to push passcode and IT policies over the air and remotely wipe a lost or stolen device.
Digital Certificates
iOS supports digital certificates to enable secure, streamlined access to corporate services like Exchange ActiveSync, VPN, and Wi-Fi.
Remote Wipe
In the event an iOS device is lost or stolen, a command can be sent wirelessly by an MDM server, via Exchange ActiveSync, or iCloud to permanently delete all data and restore it to factory settings.
Passcode Expiration
iOS supports passcode expiration and reuse policies to make sure users are refreshing their device passcode on a regular basis.
OTA Passcode Enforcement
Passcodes can be pushed down and enforced over-the-air. Using MDM and Exchange ActiveSync, IT can prompt the user to create a strong passcode before gaining access to services.
Local Wipe
If a passcode is entered incorrectly too many times on an iOS device, it can be set to automatically wipe all data and return to factory defaults.
Mobile Device Management
Using MDM, IT departments can enroll iOS devices in an enterprise environment, wirelessly configure and update settings, monitor compliance with corporate policies, and even remotely wipe or lock managed devices.
Restrictions
In addition to enabling access to corporate services like email and VPN, Configuration Profiles can be used to restrict features like the camera or the ability to take screenshots, if required for use in certain environments.
Progressive Device Protection
If a user repeatedly enters the wrong passcode, iOS will be disabled for increasingly longer intervals. After too many unsuccessful attempts, all data and settings on the device will be erased.
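As an added example (not Apple's code and not a profile taken from this page), the Python below builds a Configuration Profile of the kind described above, with a Passcode payload carrying the expiration, reuse and local-wipe settings and a Restrictions payload forcing encrypted backups and disabling the camera and screenshots, and then audits any profile for those policies. The com.example identifiers and the example thresholds are constructed placeholders.

```python
import plistlib
import uuid

PASSCODE_PAYLOAD = "com.apple.mobiledevice.passwordpolicy"
RESTRICTIONS_PAYLOAD = "com.apple.applicationaccess"

def payload(ptype, display_name, **settings):
    """Wrap one set of settings in the common payload header keys."""
    body = {"PayloadType": ptype, "PayloadVersion": 1,
            "PayloadIdentifier": f"com.example.mdm.{ptype}",  # constructed id
            "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadDisplayName": display_name}
    body.update(settings)
    return body

def build_profile():
    """Profile covering the passcode, local-wipe, backup and restriction policies above."""
    passcode = payload(PASSCODE_PAYLOAD, "Passcode Policy",
                       forcePIN=True,           # OTA passcode enforcement
                       allowSimple=False, requireAlphanumeric=True, minLength=8,
                       maxPINAgeInDays=90,      # passcode expiration
                       pinHistory=5,            # passcode reuse
                       maxFailedAttempts=10)    # local wipe after 10 failures
    restrictions = payload(RESTRICTIONS_PAYLOAD, "Restrictions",
                           forceEncryptedBackup=True,  # encrypted iTunes backups
                           allowCamera=False, allowScreenShot=False)
    return {"PayloadType": "Configuration", "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.mdm.enterprise",  # constructed id
            "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadDisplayName": "Example Enterprise Profile",
            "PayloadContent": [passcode, restrictions]}

def audit_profile(profile):
    """Return the names of the policies from this page that the profile fails to enforce."""
    by_type = {p["PayloadType"]: p for p in profile.get("PayloadContent", [])}
    pc = by_type.get(PASSCODE_PAYLOAD, {})
    rs = by_type.get(RESTRICTIONS_PAYLOAD, {})
    checks = {
        "passcode required": pc.get("forcePIN") is True,
        "passcode expiration": 0 < pc.get("maxPINAgeInDays", 0) <= 90,
        "passcode reuse": pc.get("pinHistory", 0) >= 1,
        "local wipe": 0 < pc.get("maxFailedAttempts", 0) <= 10,
        "encrypted backup": rs.get("forceEncryptedBackup") is True,
    }
    return [name for name, ok in checks.items() if not ok]

def to_mobileconfig(profile):
    """Serialise to the XML property list that a .mobileconfig file contains."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)
```

Writing the bytes returned by to_mobileconfig() to a .mobileconfig file gives an unsigned profile; an MDM server would sign it before installing it on managed devices.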
iPhone for your enterprise.
The phone that changed everything is available on AT&T, Verizon Wireless and Sprint. Get all the great features of iPhone 5 including FaceTime video, multitasking, enhanced security, and device management capabilities.
- AT&T Enterprise Data Plans for iPhone 5. Learn more, or call an AT&T Business Representative at 1-877-5ATT-B2B.
- Verizon Wireless Business Data Plans for iPhone 5. Learn more, or call a Verizon Business Sales Representative at 1-800-VZW-4BIZ.
- Sprint Business Data Plans for iPhone 5. Learn more, or call a Sprint Business Sales Representative at 1-866-634-3843.
