Secure by design.

iOS is designed with advanced security technologies that offer enterprise-grade protection for corporate data while maintaining a great user experience on all iOS devices. This comprehensive approach to security allows for end-to-end control of your devices, data, and apps and keeps users focused on being productive.

System architecture.

iOS delivers a secure architecture throughout, covering everything from the startup process to third-party apps. Third-party apps run in a sandbox that limits what they can touch at runtime, and all executable code must be signed, so a binary that has been tampered with will not launch.

Secure Boot Chain

Every step in the startup process, from the low-level bootloaders through the kernel to the baseband firmware, is signed by Apple to ensure integrity. The chain is rooted in the Boot ROM, read-only code laid down at chip fabrication that holds Apple's root public key. Each stage verifies the signature of the next before handing control to it, so unsigned or modified code never gets to run.

Execute Never

iOS uses ARM's Execute Never (XN) feature, which marks memory pages as non-executable so that data (for example, a buffer an attacker has filled with shellcode) cannot be run as code. Combined with code signing, this ensures only authorized, signed code can execute on the device. Safari's JavaScript JIT compiler is the one exception: it needs memory that is both writable and executable, and iOS grants that only to Safari through a dedicated entitlement (dynamic-codesigning), not to third-party apps.

App Code Signing

To ensure that all apps come from a known and approved source and have not been tampered with, iOS requires that all executable code be signed. Built-in apps like Mail are signed by Apple. Third-party apps must be signed using a certificate from the iOS Developer Program.

App Entitlements

Entitlements are key-value pairs embedded in an app's code signature that grant it a specific capability (keychain access groups, push notifications, iCloud, and the like) that would otherwise require privileged access. Because they are covered by the signature, neither the app nor an attacker who has compromised it can add entitlements after the fact, which greatly reduces the potential for a compromised app to reach parts of the system it shouldn't.

DFU Mode

If the Boot ROM of an iOS device is unable to load or verify the lowest levels of the firmware, it enters Device Firmware Upgrade (DFU) mode. Restoring a device after entering DFU mode returns it to a known good state with the certainty that only unmodified Apple-signed code is present.

System Software Personalization

iOS uses System Software Personalization to prevent the installation of unauthorized system software and to ensure software updates are exactly as they were provided by Apple. During an update the device sends its chip ID, its unique device ID (ECID), and a fresh nonce to Apple's installation authorization server, which signs the update for that specific device; a signed image captured from one update therefore cannot be replayed later to downgrade the device to an older, vulnerable release.

Address Space Layout Randomization

In iOS, Address Space Layout Randomization (ASLR) loads system apps and libraries, along with each process's executable image, stack, and heap, at addresses that change from one run to the next. An exploit for a memory corruption bug cannot then rely on knowing where code or data sits, which makes turning such a bug into reliable code execution much more difficult.

App Store Review Process

All apps in the App Store have been reviewed to make sure they follow developer guidelines, work as advertised, and don't contain malicious code.

App Sandboxing

All third-party apps are “sandboxed,” so they are restricted from accessing files stored by other apps or from making changes to the device. This prevents apps from gathering or modifying information that they should not have access to.

Enterprise App Distribution

In order to distribute custom in-house apps to employees, an enterprise must join the iOS Developer Enterprise Program and create an Enterprise Provisioning Profile that permits the app to run on the devices it authorizes.

Recovery Mode

If one step of the secure boot process is unable to load or verify the next, boot-up is stopped and the device displays the "Connect to iTunes" screen. Once in this Recovery Mode, the device must be restored via iTunes, which reinstalls Apple-signed system software and returns the device to factory defaults.

Provisioning Profiles

A provisioning profile is a file that must be used in order to install and run a custom in-house app. It authorizes enterprise apps to run on iOS devices, and can be created via the iOS Developer Enterprise Program.
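The checks a provisioning profile encodes, as an added example that is not Apple's tooling. A .mobileprovision file is a CMS (PKCS#7) signed blob wrapping an XML property list; verifying the CMS signature against Apple's certificates is a separate step (for instance `openssl smime -verify`), so this script only slices out the embedded plist, which is how most inspection tools read it. The sample profile, team identifier, app identifiers and UDID are constructed for the example; the keys it uses (Entitlements, ExpirationDate, ProvisionsAllDevices, ProvisionedDevices, TeamIdentifier) are the ones real profiles carry.

```python
"""Added example (not Apple's tooling): read the plist embedded in a
.mobileprovision file and report why an app/device pair would be refused."""
import datetime
import plistlib

# Constructed sample of what an enterprise (in-house) distribution profile carries.
SAMPLE_PROFILE = {
    "AppIDName": "Example Enterprise App",
    "ApplicationIdentifierPrefix": ["ABCDE12345"],
    "CreationDate": datetime.datetime(2013, 12, 1),
    "ExpirationDate": datetime.datetime(2014, 12, 1),
    "Name": "Example Enterprise Distribution",
    "TeamIdentifier": ["ABCDE12345"],
    "UUID": "8f5e2b4c-1e3a-4f0a-9d2b-0c1d2e3f4a5b",
    "Version": 1,
    "ProvisionsAllDevices": True,  # enterprise profile: any device, no UDID list
    "DeveloperCertificates": [b"\x30\x82\x05\x00 (certificate DER would be here)"],
    "Entitlements": {
        "application-identifier": "ABCDE12345.com.example.*",
        "get-task-allow": False,            # debugger may not attach to release builds
        "keychain-access-groups": ["ABCDE12345.*"],
        "aps-environment": "production",
    },
}

# Entitlements an app built against that profile would claim (constructed).
GOOD_ENTITLEMENTS = {
    "application-identifier": "ABCDE12345.com.example.fieldapp",
    "get-task-allow": False,
    "keychain-access-groups": ["ABCDE12345.com.example.fieldapp"],
}
SAMPLE_NOW = datetime.datetime(2014, 3, 1)


def make_sample_mobileprovision() -> bytes:
    """Wrap the plist in junk bytes that stand in for the CMS envelope (constructed)."""
    xml = plistlib.dumps(SAMPLE_PROFILE)
    return b"\x30\x82\x1f\x00\x06\x09*\x86H\x86\xf7\r\x01\x07\x02" + xml + b"\xa0\x82\x00\x10 signature blob"


def extract_plist(mobileprovision: bytes) -> dict:
    """Slice the XML plist out of the signed container and parse it."""
    start = mobileprovision.find(b"<?xml")
    end = mobileprovision.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(mobileprovision[start:end + len(b"</plist>")])


def _identifier_matches(pattern: str, value: str) -> bool:
    """Profile identifiers may end in a wildcard (TEAMID.com.example.*)."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def profile_problems(profile: dict, app_entitlements: dict, udid: str,
                     now: datetime.datetime) -> list:
    """Return the reasons an app with these entitlements would be refused on
    this device; an empty list means the profile covers it."""
    problems = []
    if now >= profile["ExpirationDate"]:
        problems.append("profile expired")
    if not profile.get("ProvisionsAllDevices") and udid not in profile.get("ProvisionedDevices", []):
        problems.append("device %s not in ProvisionedDevices" % udid)
    granted = profile["Entitlements"]
    for key, value in app_entitlements.items():
        if key not in granted:
            problems.append("entitlement %s not granted by profile" % key)
        elif key == "application-identifier":
            if not _identifier_matches(granted[key], value):
                problems.append("application-identifier %s outside %s" % (value, granted[key]))
        elif key == "keychain-access-groups":
            for group in value:
                if not any(_identifier_matches(p, group) for p in granted[key]):
                    problems.append("keychain group %s not granted" % group)
        elif granted[key] != value:
            problems.append("entitlement %s=%r differs from profile (%r)" % (key, value, granted[key]))
    return problems


if __name__ == "__main__":
    prof = extract_plist(make_sample_mobileprovision())
    print(profile_problems(prof, GOOD_ENTITLEMENTS, "0000aaaa", SAMPLE_NOW))
    debug_build = dict(GOOD_ENTITLEMENTS)
    debug_build["get-task-allow"] = True   # a debuggable build signed with a distribution profile
    print(profile_problems(prof, debug_build, "0000aaaa", SAMPLE_NOW))
```

The second run shows the case worth catching in a release pipeline: an app whose entitlements do not match the profile's (here get-task-allow, which lets a debugger attach) will be refused at install or launch, and the same check applied to the expiry date explains the "app stops opening after a year" support ticket that comes with an expired enterprise profile.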

Encryption and data protection.

iOS devices encrypt all data at rest with a hardware AES engine, protect data in transit with TLS and VPN, and add a further layer, Data Protection, that ties the encryption of email, app data, and keychain items to the user's passcode.

Hardware Encryption

Every iOS device has a dedicated AES 256-bit crypto engine built into the DMA path between flash storage and main system memory, so everything written to the flash is encrypted at line speed, at all times, without the application processor handling the keys.

Third-Party App Data Protection

All third-party apps get Data Protection without any developer work. Each file an App Store app writes is encrypted with its own per-file key, and that key is wrapped with a class key that is in turn derived from the user's passcode working in concert with the device's hardware key. The default class for third-party apps, Complete Until First User Authentication, keeps the data unreadable from the moment the device boots until the user first unlocks it; the class key then stays available until the next reboot.

Effaceable Storage

To securely erase saved keys, iOS devices include a feature called Effaceable Storage that bypasses the flash translation layer to directly address and erase a small number of blocks at a very low level. The keybag holding the wrapped class keys lives there, which is why a local or remote wipe is effectively instantaneous: once the keybag is gone, the ciphertext still on the flash has no keys left to decrypt it.

Passcodes

In addition to unlocking the device, the passcode strengthens the encryption keys. This means an attacker in possession of a device can’t get access to data in certain protection classes without the passcode.

Common Crypto APIs

Application developers have access to the Common Crypto APIs to further protect their own data, including symmetric encryption with AES, 3DES, or RC4. Use AES: RC4 is broken and 3DES is deprecated, and both remain available mainly for compatibility with legacy systems.

FIPS 140-2 Certification

The iOS cryptographic modules have been validated under FIPS 140-2, the U.S. and Canadian government standard for cryptographic modules, on devices running iOS 7. Validation covers the module itself; an app that needs to operate in FIPS mode must still be configured to use only the approved algorithms the module exposes.

File Data Protection

In addition to the hardware encryption features built into iOS devices, Apple uses a technology called Data Protection to further protect data stored in flash memory on the device.

Keychain Data Protection

In addition to File Data Protection, iOS features Keychain Data Protection to securely store passwords and other short but sensitive bits of data, such as keys and login tokens.

Tangling

When a passcode is created on an iOS device, it is "tangled", that is, run through a key derivation that is keyed with the device's unique hardware ID (UID), a key fused into the silicon that software can use but never read. Because the UID cannot be extracted, brute-force attempts to access information must be performed on the device itself, one guess at a time, rather than on a cluster against a copied image.
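The key hierarchy that the Data Protection, Passcodes, Effaceable Storage and Tangling passages above describe, as an added, stdlib-only model that is not Apple's implementation. Real devices use the AES engine and a UID key fused into the chip; here the UID is a random byte string held by a Device object, the AES-based tangling is replaced by PBKDF2 over an HMAC of (UID, passcode), and AES key wrap is replaced by an HMAC-based encrypt-then-MAC wrap. The iteration count, passcodes and file contents are assumptions for the example.

```python
"""Added example: model of the iOS Data Protection key hierarchy. Per-file key,
wrapped by a class key, wrapped by a passcode key that is tangled with the
device UID and stored in a keybag in effaceable storage. Not Apple's code."""
import hashlib
import hmac
import os

KEY_LEN = 32
ITERATIONS = 20_000  # assumption: real devices calibrate this to roughly 80 ms per guess


def _stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC-SHA256, standing in for AES-CTR."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def wrap_key(kek: bytes, key: bytes) -> bytes:
    """Encrypt-then-MAC wrap of a 32-byte key (stand-in for AES key wrap)."""
    nonce = os.urandom(16)
    ct = _stream(kek, nonce, key)
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:16 + KEY_LEN], blob[16 + KEY_LEN:]
    if not hmac.compare_digest(tag, hmac.new(kek, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("unwrap failed: wrong key")
    return _stream(kek, nonce, ct)


def tangle(passcode: bytes, uid: bytes, salt: bytes) -> bytes:
    """Passcode key. The UID enters the derivation, so a guess can only be
    checked by code running on the device that holds that UID."""
    mixed = hmac.new(uid, passcode, hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", mixed, salt, ITERATIONS, KEY_LEN)


class Device:
    def __init__(self, passcode: bytes):
        self.uid = os.urandom(KEY_LEN)        # fused into silicon; never exportable
        self.class_key = os.urandom(KEY_LEN)  # one class: "until first user authentication"
        salt = os.urandom(16)
        passcode_key = tangle(passcode, self.uid, salt)
        # The keybag lives in effaceable storage: the class key wrapped with the passcode key.
        self.keybag = {"salt": salt, "class_key": wrap_key(passcode_key, self.class_key)}
        self.files = {}

    def write_file(self, name: str, plaintext: bytes) -> None:
        file_key = os.urandom(KEY_LEN)  # fresh per-file key, so a fixed nonce is safe
        self.files[name] = {
            "wrapped_key": wrap_key(self.class_key, file_key),  # kept in file metadata
            "ciphertext": _stream(file_key, b"\0" * 16, plaintext),
        }

    def unlock(self, passcode: bytes) -> bytes:
        """Runs on the device: tangles with the real UID and unwraps the class key."""
        if self.keybag is None:
            raise ValueError("keybag erased: data is unrecoverable")
        passcode_key = tangle(passcode, self.uid, self.keybag["salt"])
        return unwrap_key(passcode_key, self.keybag["class_key"])

    def read_file(self, name: str, class_key: bytes) -> bytes:
        entry = self.files[name]
        file_key = unwrap_key(class_key, entry["wrapped_key"])
        return _stream(file_key, b"\0" * 16, entry["ciphertext"])

    def erase(self) -> None:
        """Local or remote wipe: drop the keybag. Ciphertext stays, its keys do not."""
        self.keybag = None


def unlock_fails(device: Device, passcode: bytes) -> bool:
    try:
        device.unlock(passcode)
        return False
    except ValueError:
        return True


def brute_force(device: Device, candidates):
    """Every guess goes through device.unlock, i.e. one PBKDF2 run on the device."""
    for guess in candidates:
        if not unlock_fails(device, guess):
            return guess
    return None


if __name__ == "__main__":
    d = Device(b"2580")
    d.write_file("notes.txt", b"quarterly numbers")
    print(d.read_file("notes.txt", d.unlock(b"2580")))
    print(brute_force(d, [b"%04d" % i for i in range(2570, 2590)]))
    d.erase()
    print(unlock_fails(d, b"2580"))
```

The point of the model is what an attacker holding a copied flash image cannot do: without the UID, tangle() cannot be evaluated, so the only path to the class key is brute_force() on the device, paying one derivation per guess and subject to the escalating delays and erase policy described later. erase() shows why wiping is instant: the files dictionary is untouched, yet read_file has no class key to unwrap.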

Network security.

iOS provides seamless access to corporate information networks, and also provides features to ensure users are authorized and data is protected in transmission.

SSL/TLS

Safari, Calendar, Mail, and other Internet applications automatically use SSL/TLS to establish an encrypted channel between the device and network services. Servers should be configured for TLS; the SSL 3.0 protocol is obsolete and should be disabled on the server side.

802.1X

With support for 802.1X, including EAP-TLS, EAP-TTLS, PEAP, and EAP-FAST, iOS devices can be integrated into a broad range of RADIUS authentication environments. Certificate-based EAP-TLS is preferable where the PKI exists, since it never sends a user password over the air.

S/MIME Email

iOS leverages certificates for authenticated and encrypted email and supports S/MIME, allowing users to send and receive signed and encrypted email messages.

RSA SecurID

For enterprise environments in which a two-factor token is a requirement, iOS integrates with RSA SecurID and CRYPTOCard.

WPA2 Enterprise Wi-Fi

iOS supports industry-standard Wi-Fi protocols, including WPA2 Enterprise, to provide authenticated access to wireless corporate networks. WPA2 Enterprise uses AES encryption to ensure data remains protected over a Wi-Fi network connection.

VPN Proxy

iOS supports network proxy configuration, including per-network proxy settings, automatic proxy configuration (PAC) files, and an MDM-set global HTTP proxy on supervised devices, so that traffic to public or private network domains is relayed according to policy.

OCSP Support

iOS supports the Online Certificate Status Protocol (OCSP) to obtain the revocation status of certificates. For in-house apps this covers the enterprise distribution certificate: if the certificate an app was signed with has been revoked, iOS will prevent the app from running.

Bluetooth

Bluetooth support in iOS has been designed to provide useful functionality without unnecessary increased access to private data.

Per App VPN

Apps can be configured to automatically connect to VPN when they are launched. Per app VPN ensures that data transmitted by managed apps travels through VPN — and that other data, like an employee’s personal web browsing activity, does not.

SSL VPN

iOS enables access to SSL VPN servers through the use of third-party apps from the App Store.

Built-In VPN

iOS features a built-in VPN client to enable users to securely connect to Cisco IPSec, L2TP/IPSec, and PPTP VPN servers right out of the box. PPTP relies on MS-CHAPv2, whose authentication exchange can be cracked offline, so it should be used only where nothing stronger is available.

iMessage and FaceTime Encryption

Each user's Apple ID is tied to per-device identity keys registered with Apple's identity service, so each FaceTime session and iMessage conversation is encrypted end to end between the participants' devices and routed only to the devices that belong to the intended recipient.

Device access.

Establishing strong policies for access is critical to protecting corporate information. iOS provides a comprehensive approach to both configuration and enforcement.

Configuration Profiles

Configuration profiles are XML property list files (delivered as .mobileconfig, and normally signed so a device can verify who issued them) containing the settings a device needs to connect with your enterprise systems: account information, passcode policies, restrictions, and other device settings.

Configuration Enforcement

MDM enables IT to wirelessly enforce a comprehensive set of policies on an iOS device, while Exchange ActiveSync provides a subset of those that are commonly used.

Exchange ActiveSync

In addition to enabling access to email, calendars, contacts, and tasks, Exchange ActiveSync gives an enterprise the ability to push passcode and IT policies over the air and remotely wipe a lost or stolen device.

Enterprise Single Sign On

Enterprise Single Sign On (SSO) means user credentials are entered once and reused across apps, including apps from the App Store. iOS 7 implements this with Kerberos: the device obtains a ticket-granting ticket for the user, and each app configured for SSO obtains service tickets for its enterprise resources and logs the user in without asking for the password again.

Remote Wipe

In the event an iOS device is lost or stolen, a command can be sent wirelessly by an MDM server, via Exchange ActiveSync or iCloud to permanently delete all data and restore it to factory settings.

Passcode Expiration

iOS supports passcode expiration and reuse policies to ensure users are refreshing their device passcode on a regular basis.

OTA Passcode Enforcement

Passcodes can be pushed down and enforced over the air. Using MDM or Exchange ActiveSync, IT can prompt the user to create a strong passcode before gaining access to services.

Local Wipe

If a passcode is entered incorrectly too many times on an iOS device, it can be set to automatically wipe all data and return to factory defaults.

Digital Certificates

iOS supports digital certificates to enable secure, streamlined access to corporate services like Exchange ActiveSync, VPN, and Wi-Fi.

Mobile Device Management

Using MDM, IT departments can enroll iOS devices in an enterprise environment, wirelessly configure and update settings, monitor compliance with corporate policies, and even remotely wipe or lock managed devices.

Restrictions

In addition to enabling access to corporate services like email and VPN, configuration profiles can be used to restrict features like the camera or the ability to take screenshots, if required for use in certain environments.
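The configuration profile described in the Configuration Profiles, Passcode Expiration, Local Wipe and Restrictions passages above, built and linted in code. This is an added example and not Apple's tooling: the payload types and keys (com.apple.mobiledevice.passwordpolicy, com.apple.applicationaccess and the Payload* keys) are the documented ones, while the identifiers, UUIDs, organisation name and the thresholds the linter enforces are assumptions for the example. Signing the profile for over-the-air delivery is a separate step not shown here.

```python
"""Added example (not Apple's tooling): build a .mobileconfig with a passcode
policy and a restrictions payload, and lint it for weak settings."""
import plistlib

ORG = "com.example.corp"  # assumption: reverse-DNS prefix for PayloadIdentifier values


def passcode_payload(min_length=8, allow_simple=False, max_failed=10,
                     max_inactivity=5, max_age_days=90, history=5):
    payload = {
        "PayloadType": "com.apple.mobiledevice.passwordpolicy",
        "PayloadVersion": 1,
        "PayloadIdentifier": ORG + ".passcode",
        "PayloadUUID": "3d1a8e6a-5f7b-4c2d-9e1f-0a1b2c3d4e5f",
        "PayloadDisplayName": "Passcode policy",
        "forcePIN": True,                 # a passcode is required at all
        "allowSimple": allow_simple,      # repeating or sequential digits such as 1111, 1234
        "minLength": min_length,
        "maxInactivity": max_inactivity,  # minutes idle before the device locks
        "maxPINAgeInDays": max_age_days,  # passcode expiration
        "pinHistory": history,            # reuse prevention
    }
    if max_failed is not None:
        payload["maxFailedAttempts"] = max_failed  # local wipe after this many wrong entries
    return payload


def restrictions_payload(allow_camera=False, allow_screenshot=False):
    return {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": ORG + ".restrictions",
        "PayloadUUID": "9b2c7d1e-4a6f-4e8b-8c3d-1e2f3a4b5c6d",
        "PayloadDisplayName": "Restrictions",
        "allowCamera": allow_camera,
        "allowScreenShot": allow_screenshot,
        "forceEncryptedBackup": True,     # iTunes backups must be encrypted
    }


def build_profile(payloads, name="Corporate device policy"):
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": ORG + ".devicepolicy",
        "PayloadUUID": "c4d5e6f7-0a1b-4c2d-9e3f-4a5b6c7d8e9f",
        "PayloadDisplayName": name,
        "PayloadOrganization": "Example Corp",
        "PayloadRemovalDisallowed": True,  # user cannot remove it; MDM still can
        "PayloadContent": list(payloads),
    }


def to_mobileconfig(profile) -> bytes:
    """Serialise to the XML plist that a device or MDM server installs."""
    return plistlib.dumps(profile)


def roundtrip(profile) -> dict:
    return plistlib.loads(to_mobileconfig(profile))


def lint(profile) -> list:
    """Flag settings that leave the device weaker than the policy intends
    (thresholds are this example's assumptions, not Apple's)."""
    findings = []
    for p in profile["PayloadContent"]:
        kind = p["PayloadType"]
        if kind == "com.apple.mobiledevice.passwordpolicy":
            if not p.get("forcePIN"):
                findings.append("passcode not required")
            if p.get("allowSimple", True):
                findings.append("simple passcodes allowed")
            if p.get("minLength", 0) < 6:
                findings.append("minLength below 6")
            if not p.get("maxFailedAttempts"):
                findings.append("no local wipe on failed attempts")
            if not p.get("maxInactivity") or p["maxInactivity"] > 15:
                findings.append("auto-lock absent or later than 15 minutes")
        elif kind == "com.apple.applicationaccess":
            if p.get("allowScreenShot", True):
                findings.append("screenshots allowed")
    return findings


WEAK_PROFILE = build_profile([passcode_payload(min_length=4, allow_simple=True, max_failed=None)])
STRONG_PROFILE = build_profile([passcode_payload(), restrictions_payload()])

if __name__ == "__main__":
    print(lint(WEAK_PROFILE))
    print(lint(STRONG_PROFILE))
    print(to_mobileconfig(STRONG_PROFILE).decode())
```

Running the linter over both profiles is the check worth wiring into a deployment pipeline: the weak profile passes a 4-digit, possibly repeating passcode with no wipe on failure, exactly the configuration the Progressive Device Protection and Local Wipe features cannot help with, while the strong one produces no findings and serialises to a plist ready to be signed and pushed.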

Progressive Device Protection

If a user repeatedly enters the wrong passcode, the device locks out further attempts for increasingly long intervals. When the erase-data setting or an MDM maximum-failed-attempts policy is in force, all data and settings on the device are erased after the configured number of unsuccessful attempts.

Activation Lock

If a user loses their iOS device, the Find My iPhone Activation Lock feature requires their Apple ID and password before turning off Find My iPhone, erasing data, or re-activating a device after it’s been remotely erased.

App security.

Powerful technologies in the iOS 7 SDK and MDM frameworks enable robust app security, a consistent set of tools for in-house and third-party iOS developers, and an integrated experience for users. With comprehensive security built into iOS, there's no need to use third-party SDKs or app wrappers to secure apps distributed within your enterprise.

Platform Security

  • app sandboxing
  • code signing
  • app entitlements

Authentication

  • keychain services
  • enterprise single sign on

Data Protection

  • default data protection
  • keychain data protection

Networking

  • SSL VPN
  • SSL/TLS

Data Management

  • managed open in
  • per app VPN

Encryption

  • AES 256-bit hardware encryption
  • FIPS 140-2