Apple released a detailed technical document that for the first time reveals some of the security techniques built into iOS and the App Store. What's your take on the document? Does it suggest that Apple devices pose a limited threat to enterprise BYOD policies, or that the maker of the iPhone and iPad still has a long way to go to address iOS security issues?
Ask a Question
SearchSecurity.com expert Michael Cobb is standing by to answer your questions about enterprise application security and platform security. Submit your question via email at firstname.lastname@example.org.
The iOS Security Guide is Apple's first real public explanation of the security architecture behind iOS. For those not familiar with Apple products, iOS is the operating system that runs on iPhones, iPads and iPods. The document covers the iOS system architecture, encryption, data and network security, and device access. Although much of this information had never been officially disclosed, security analysts had already deciphered most of the features mentioned in the document. However, the implementation of address space layout randomization (ASLR) was news to many, and the detailed explanation of how Apple's code-signing process for iOS apps works has helped clarify what was a bit of a mystical procedure.
ASLR is designed to prevent attackers from using memory-corruption bugs and has been trumpeted by Microsoft since its launch of Windows Vista. It's certainly good to know that Xcode, the iOS development environment, automatically compiles third-party programs with ASLR support turned on. The code-signing process requires that all executable code be signed using an Apple-issued certificate, which enables Apple to control which apps are allowed to run on iOS devices and plays a central role in its security architecture. Apple has reviewed all third-party apps in the App Store to ensure they operate as described and don't contain obvious bugs or other problems. Apple knows an identifiable person or organization has submitted an app because it's been signed during the review process.
Issues with iOS security pale in comparison to the Android environment, where malicious code is becoming a real problem. One drawback is that it's difficult to create a security configuration monitoring app that captures the state of an iOS system due to sandboxing, API restrictions and other Apple developer policies. The open nature of the Android OS means that an app can easily access the security state of an Android device. On the other hand, iOS devices can only really be externally monitored via the network to understand what the device is doing, who it's talking to and what data is being transmitted.
The first line of the iOS Security Guide states that Apple designed the iOS platform with security at its core, and iOS certainly compares well to many other mobile operating systems in respect to security. The guide makes it easier for a security team to get a close look at the internal workings of Apple mobile devices and to conduct a more detailed risk assessment as a result. Any mobile device introduces risks, and my view is that the user creates most of them, not the device. The NSA Security Configuration Recommendations for Apple iOS can be used to harden devices connecting to an enterprise network, but ensuring users know how to use mobile devices securely is just as important.
This was first published in November 2012