Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Apple iOS security secrets revealed: Is iOS truly enterprise-ready?

Apple has provided little transparency of its iOS -- until now. Are Apple devices truly secure enough for enterprise use? Michael Cobb explains.

Apple Inc. has been reluctant in the past to share information about the internal workings of its popular mobile iOS operating system. This lack of transparency has held back the iPhone's ability to penetrate the all-important enterprise market, as it has made it difficult for security pros to assess the true level of risk it poses to corporate networks and data.

While the iOS 6 operating system was granted FIPS 140-2 level 1 certification, this only allows government agencies to use the devices in situations requiring the lowest level of security clearance and only goes so far in validating security assurance of the devices. Smartphone and tablet security is a big product differentiator at the enterprise level, and it must have been painful for Apple to hear President Obama say, "I'm not allowed for security reasons to have an iPhone."

Given that many enterprises are concerned about surveillance programs compromising online data, the iCloud feature could be a game changer.

However, as of late, Apple is taking a different approach and recently revealed never-before-seen information about iOS security in its white paper iOS Security February 2014.

In this tip, I'll discuss key revelations of Apple's report, what they mean for enterprises with high security requirements, and whether knowledge and understanding of these new defenses creates a more compelling case for the use of Apple's mobile endpoints in the enterprise.

Details of the iOS Security February 2014 report

An analysis of the unprecedented iOS security report shows Apple's impressive ground-up approach to building security into the iPhone, starting with the processor and carrying right through to its communications with Apple's iCloud. The whitepaper describes the security and privacy features introduced by Apple in the past two years, particularly in iOS 7. It also provides in-depth explanations of the internal workings of the Touch ID fingerprint sensor, how single sign-on integrates with enterprise applications and services, Wi-Fi and Bluetooth security, and how the iCloud Keychain can be used to create and manage strong passwords.

But do these capabilities finally make iOS enterprise-worthy? Let's take a further look at a few of the notable features.

IOS and the UID

Apple's 64-bit A7 processor, which was introduced in the iPhone 5S, includes the Secure Enclave coprocessor which has a unique device-specific ID (UID) that is created during fabrication and is not accessible to other parts of the system nor known to Apple. The UID has separate software updates and provides all the cryptographic operations for data protection key management.

In addition, when an iOS device is turned on, a secure boot process ensures that the lowest levels of software are not tampered with. Also, a temporary key is created and "tangled" with the UID to encrypt the Secure Enclave's portion of the device's memory space to thwart potential attacks against device memory. The UID also cryptographically ties data to a particular device as files on the device are encrypted with a per-file key, which is ultimately protected by the hardware UID. Effaceable storage is used to securely erase encryption keys held on flash storage, ensuring deleted files are unreadable.

IOS and encryption

More info on iOS security

Android security vs. iOS security: Features, policies and controls

Learn more about enterprise iOS management

Does Touch ID boost iOS security?

Gain further insight with the iOS Security Guide

Speaking of encryption, throughout the iOS security architecture there is a strong focus on segmenting data and protecting it with layers of encryption to prevent an attacker from being able to access all the information on a device. For example, the digital map of the user's fingerprint is encrypted and stored locally, without any identity data. It never leaves the iPhone, is never backed up to iCloud, and only the onboard Secure Enclave can read it. The Enclave is designed to protect both the data it uses and its own operations; by not exposing that data, trying to access it presents a formidable challenge to a would-be attacker.

Apple and iCloud

Apple has even provided a way to make it impossible for agencies like the NSA to obtain a user's iCloud Keychain passwords.

When a user's keychain database (which stores sensitive authentication data) is backed up to iCloud, it remains protected by a UID-tangled key so it can only be restored to the same device from which it originated. However, due to the fact that Apple's services are proprietary, there has been plenty of debate about the company's ability to read users' private data or its ability to give access to law enforcement agencies by modifying the processes or compromising the hardware security modules used to protect and access users' keychains. To ensure nobody -- including Apple or government agencies -- can do this, users have the option to generate a random iCloud Security Code. This is then used to encrypt the original random key protecting the keychain. This code is never sent to Apple and therefore can't be intercepted. Given many enterprises' justified concerns over the confidentiality of data stored in the cloud, this safeguard is not only a welcome addition, but could be a game-changer for many enterprises

Is the enterprise ready to accept iOS?

So does iOS make the grade? Despite these extensive security controls and the recent revelations about how they work, proof-of-concept attacks and vulnerability disclosures show that the iPhone and iPad -- like any device -- aren't 100% secure.

While some claims in the Apple report can't be fully verified, it can be seen as a genuine attempt by the company to show that it takes security and the protection of users' data very seriously. But is it enough to change an enterprise's mind about iPhones and iPads? It is hard to say, as organizations have different business needs and security requirements. However, there is certainly enough detail in this report for an enterprise to understand how allowing iOS devices on to its networks will affect overall security.

About the author:
Michael Cobb, CISSP-ISSAP, is a renowned security author with over 20 years of experience in the IT industry. He has a passion for making IT security best practices easier to understand and achievable. His website http://www.hairyitdog.com offers free security posters to raise employee awareness of the importance of safeguarding company and client data and of following good practices. He co-authored the book IIS Security and has written many technical articles for leading IT publications. Mike has also been a Microsoft Certified Database Manager and registered consultant with the CESG Listed Advisor Scheme (CLAS).

This was last published in June 2014

Dig Deeper on BYOD and mobile device security best practices

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

Why does your organization permit or prohibit iOS use in the enterprise?
Because it's stupid or not skilled enough to integrate these devices into existing systems. Or because it's just plain lazy. 'Nuf said.