Apple Reveals iOS Security

Monday, June 4, 2012 @ 01:06 PM gHale

A detailed security guide for Appleā€™s iOS operating system is now ready, a different move for a company known for not discussing the technical details of its products, let alone the security architecture.

The document lays out the system architecture, data protection capabilities and network security features in iOS. Apple never discussed these details before, however, most users were aware of what they were.

Untethered Jailbreak for iOS
Leopard OS Flashback Patch
Apple Shuts More OS X, Safari Flaws
Apple Programming Error

The iOS Security guide represents Apple’s first real public documentation of the security architecture and feature set in iOS, the operating system that runs on iPhones, iPads and iPod Touch devices.

Security researchers have been doing there best to reverse engineer the operating system for several years and much of what’s in the Apple guide has been has been the topic of discussion by researchers for years.

One of the more-discussed security elements in iOS is the implementation of ASLR (address space layout randomization), an exploit mitigation designed to prevent attackers from using memory corruption bugs. Researchers discovered the addition of ASLR to iOS, but Apple never really talked about it.

“Built-in apps use ASLR to ensure that all memory regions are randomized upon launch. Additionally, system shared library locations are randomized at each device startup. Xcode, the iOS development environment, automatically compiles third-party programs with ASLR support turned on,” the security guide said.

The document also talks about the way Apple’s code-signing process for iOS apps works. The process is key to the company’s ability to control which apps can run on iOS devices and also a central part of its security architecture. This code-signing system is one of the main features cited by security experts when they discuss the security capabilities of iOS relative to other mobile operating systems.

“To ensure that all apps come from a known and approved source and have not been tampered with, iOS requires that all executable code be signed using an Apple-issued certificate. Apps provided with the device, like Mail and Safari, are signed by Apple. Third-party apps must also be validated and signed using an Apple-issued certificate. Mandatory code signing extends the concept of chain of trust from the OS to apps, and prevents third-party apps from loading unsigned code resources or using self modifying code,” Apple’s security guide said.

Leave a Reply

You must be logged in to post a comment.