An updated Apple whitepaper on iOS security delves into an unprecedented amount of detail about the security architecture and features of the company's mobile OS for devices such as the iPhone and iPad. Security professionals and IT consultants are praising both the company's transparency and its approach to protecting iOS devices, Internet security and users' data.
The 33-page "iOS Security" whitepaper is dated February 2014, and is available online. The previous edition was released in the fall of 2012, about the time Apple began taking a somewhat more open posture around iOS security. The new paper goes into detail about new security features introduced by Apple in the past two years, especially with iOS 7: the Touch ID fingerprint sensor; single sign-on integrating with enterprise applications and services; security for AirDrop peer-to-peer connections with other iOS devices via Wi-Fi and Bluetooth; iCloud Keychain for creating and managing strong passwords; and Secure Enclave, which is a coprocessor integrated with Apple's 64-bit A7 processor, introduced in the iPhone 5S.
Security and IT professionals are immersing themselves in the wealth of detail.
"I'm deep into it right now," says Benjamin Levy, principal of Solutions Consulting of Los Angeles, which specializes in Apple deployments for business customers. "For me the paper makes clear the philosophy and attention to detail involved in the security on the devices. It's not an afterthought. It's literally part of every single aspect of how it's built and how it runs, from the processors through the OS."
He points to the Touch ID fingerprint sensor, built into the iPhone 5S home button, as an example. "I particularly like the parts where it talked about the fingerprint sensor and how it functions," he says. "But more important was realizing that the underlying purpose of the fingerprint sensor was to enable and encourage the use of significantly longer and more complex passcodes."
A massive update
The whitepaper is a "massive update," writes security consultant and author Rich Mogull, in a blog post about the document, where he focused on how Apple handles iCloud password encryption. "It contains more information on iOS security than Apple has ever shared publicly before... I will likely be digesting it for months." His blog post is titled "How to Protect your iCloud Keychain from the NSA."
"In some ways, Apple is like Microsoft 10 years ago on security," says Corey Nachreiner, director of security strategy for WatchGuard Technologies, a vendor of advanced firewalls and other network security appliances. "Historically, they share as little information as possible.
"But when I read this document, their [security] practices are quite sound," he says. Examples are creating data classes, to which different degrees of protection can be applied; segmenting security functions; using different kinds of encryption for different purposes; tying encryption into device-specific unique identifiers; and creating layers of encryption.