Apple has quietly published a detailed security guide for its iOS operating system, suggesting that the company, known more for keeping technical details secret, is embracing a more transparent approach to security.
Apparently released late last week, Apple's iOS Security Guide (PDF) outlines the security architecture, encryption, and data protection features of the operating system that powers iPhones, iPads, and iPod Touch devices.
"For organizations considering the security of iOS devices, it is helpful to understand how the built-in security features work together to provide a secure mobile computing platform," the guide says in its introduction. It goes on to encourage business "to review their IT and security policies to ensure they are taking full advantage of the layers of security technology and features offered by the iOS platform."
Coupled with the App Store submission process, the guide boasts that code signing, sandboxing, and entitlements "provides solid protection" against viruses and malware. Indeed, the guide discusses in detail the process of code signing, which controls which user processes and apps are allowed to run on the OS:
To ensure that all apps come from a known and approved source and have not been tampered with, iOS requires that all executable code be signed using an Apple-issued certificate. Apps provided with the device, like Mail and Safari, are signed by Apple. Third-party apps must also be validated and signed using an Apple-issued certificate. Mandatory code signing extends the concept of chain of trust from the OS to apps, and prevents third-party apps from loading unsigned code resources or using self modifying code.
The document also discusses how address space layout randomization (ASLR) can prevent memory corruption bugs:
Built-in apps use ASLR to ensure that all memory regions are randomized upon launch. Additionally, system shared library locations are randomized at each device startup. Xcode, the iOS development environment, automatically compiles third-party programs with ASLR support turned on.
The guide's publication is important because it seems to be the first time Apple has publicly discussed the aforementioned features. It also seeks to dispel the theory that Apple creates devices for consumers rather than the corporate market.
"Apple is committed to incorporating proven encryption methods and creating modern mobile-centric privacy and security technologies, to ensure that iOS devices can be used with confidence in any personal or corporate environment," the guide concludes.