Apple Inc. has been reluctant in the past to share information about the internal workings of its popular mobile iOS operating system. This lack of transparency has held back the iPhone's ability to penetrate the all-important enterprise market, as it has made it difficult for security pros to assess the true level of risk it poses to corporate networks and data.
While the iOS 6 operating system was granted FIPS 140-2 level 1 certification, this only allows government agencies to use the devices in situations requiring the lowest level of security clearance and only goes so far in validating security assurance of the devices. Smartphone and tablet security is a big product differentiator at the enterprise level, and it must have been painful for Apple to hear President Obama say, "I'm not allowed for security reasons to have an iPhone."
Lately, however, Apple has taken a different approach, revealing never-before-seen information about iOS security in its white paper, iOS Security February 2014.
In this tip, I'll discuss key revelations of Apple's report, what they mean for enterprises with high security requirements, and whether knowledge and understanding of these new defenses creates a more compelling case for the use of Apple's mobile endpoints in the enterprise.
Details of the iOS Security February 2014 report
An analysis of the unprecedented iOS security report shows Apple's impressive ground-up approach to building security into the iPhone, starting with the processor and carrying right through to its communications with Apple's iCloud. The white paper describes the security and privacy features introduced by Apple in the past two years, particularly in iOS 7. It also provides in-depth explanations of the internal workings of the Touch ID fingerprint sensor, how single sign-on integrates with enterprise applications and services, Wi-Fi and Bluetooth security, and how the iCloud Keychain can be used to create and manage strong passwords.
But do these capabilities finally make iOS enterprise-worthy? Let's take a further look at a few of the notable features.
iOS and the UID
Apple's 64-bit A7 processor, introduced in the iPhone 5S, includes the Secure Enclave coprocessor, which holds a unique device-specific ID (UID) that is created during fabrication, is not accessible to other parts of the system and is not known to Apple. The Secure Enclave receives its own software updates, separate from the rest of iOS, and performs all the cryptographic operations for data protection key management.
In addition, when an iOS device is turned on, a secure boot process verifies that the lowest levels of software have not been tampered with. A temporary key is also created and "tangled" with the UID to encrypt the Secure Enclave's portion of the device's memory space, thwarting potential attacks against device memory. The UID also cryptographically ties data to a particular device: each file on the device is encrypted with its own per-file key, which is ultimately protected by the hardware UID. Effaceable storage is used to securely erase the encryption keys held on flash storage, ensuring that deleted files are unreadable.
iOS and encryption
Speaking of encryption, throughout the iOS security architecture there is a strong focus on segmenting data and protecting it with layers of encryption, so that an attacker cannot access all the information on a device by breaking a single layer. For example, the digital map of the user's fingerprint is encrypted and stored locally, without any identity data. It never leaves the iPhone, is never backed up to iCloud, and only the onboard Secure Enclave can read it. The Enclave is designed to protect both the data it uses and its own operations; because that data is never exposed, a would-be attacker trying to access it faces a formidable challenge.
Apple and iCloud
Apple has even provided a way to make it impossible for agencies like the NSA to obtain a user's iCloud Keychain passwords.
When a user's keychain database (which stores sensitive authentication data) is backed up to iCloud, it remains protected by a UID-tangled key, so it can only be restored to the same device from which it originated. However, because Apple's services are proprietary, there has been plenty of debate about the company's ability to read users' private data, or to give law enforcement agencies access by modifying its processes or compromising the hardware security modules used to protect and access users' keychains. To ensure that nobody -- including Apple or government agencies -- can do this, users have the option to generate a random iCloud Security Code. This code is then used to encrypt the original random key protecting the keychain. The code is never sent to Apple and therefore can't be intercepted. Given many enterprises' justified concerns over the confidentiality of data stored in the cloud, this safeguard is not only a welcome addition, but could be a game-changer for many enterprises.
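The two key hierarchies described in this tip, the UID-tangled per-file keys and effaceable storage from the UID section above, and the iCloud Keychain backup with its optional iCloud Security Code escrow from this section, share one structure: a random data key, wrapped by a key that only a particular device (or only a person holding the security code) can reproduce. The following is an added illustrative model written for this page; it is not Apple's code and it does not reproduce Apple's actual formats. The `DeviceModel` class, the `wrap`/`unwrap` helpers, the sample passcode, security code and file contents are all constructed for the example, and an HMAC-SHA256 keystream stands in for AES so that it runs with the Python standard library only. It shows why a file written on one device cannot be read on another or after a secure erase, why a keychain backup restores only to its originating device unless the security code is supplied, and why the code itself never has to leave the user.

```python
import hashlib
import hmac
import os
from typing import Optional

# Illustrative model, not Apple's implementation: an HMAC-SHA256 keystream
# stands in for AES so the example runs with the standard library only.


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with an HMAC-SHA256 counter-mode keystream."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def wrap(kek: bytes, secret: bytes) -> bytes:
    """Encrypt-then-MAC a secret under a key-encryption key: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = keystream_xor(kek, nonce, secret)
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(kek: bytes, blob: bytes) -> bytes:
    """Reverse of wrap(); raises ValueError when the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(kek, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("unwrap failed: wrong key, wrong device, or keys erased")
    return keystream_xor(kek, nonce, ct)


def derive(secret: bytes, salt: bytes) -> bytes:
    """Slow KDF, used both to tangle a secret with the UID and to stretch the security code."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 20_000)


class DeviceModel:
    """One hypothetical device: a fabrication-time UID plus a key in effaceable storage."""

    def __init__(self) -> None:
        self._uid = os.urandom(32)          # never exported from the 'enclave'
        self._effaceable = os.urandom(32)   # wrapping key that a secure erase throws away

    def _tangle(self, secret: bytes) -> bytes:
        """Tangle a secret with the UID: the same passcode on another device gives another key."""
        return derive(secret, self._uid)

    # Data Protection: per-file key, wrapped by a UID-tangled key, then by the effaceable key.
    def write_file(self, passcode: str, plaintext: bytes) -> dict:
        file_key = os.urandom(32)
        wrapped = wrap(self._effaceable, wrap(self._tangle(passcode.encode()), file_key))
        return {"data": wrap(file_key, plaintext), "wrapped_key": wrapped}

    def read_file(self, passcode: str, record: dict) -> bytes:
        inner = unwrap(self._effaceable, record["wrapped_key"])
        file_key = unwrap(self._tangle(passcode.encode()), inner)
        return unwrap(file_key, record["data"])

    def erase_all_content(self) -> None:
        """Secure erase: discarding the effaceable key leaves every per-file key unwrappable."""
        self._effaceable = bytes(32)

    # iCloud Keychain backup: random key, UID-tangled for device restore, optionally escrowed.
    def backup_keychain(self, keychain: bytes, security_code: Optional[str] = None) -> dict:
        kc_key = os.urandom(32)
        record = {"keychain": wrap(kc_key, keychain),
                  "device_wrapped_key": wrap(self._tangle(b"keychain-backup"), kc_key)}
        if security_code is not None:
            salt = os.urandom(16)   # only the salt is stored; the code itself is never sent
            record["escrow"] = (salt, wrap(derive(security_code.encode(), salt), kc_key))
        return record

    def restore_keychain(self, record: dict) -> bytes:
        kc_key = unwrap(self._tangle(b"keychain-backup"), record["device_wrapped_key"])
        return unwrap(kc_key, record["keychain"])


def restore_from_escrow(record: dict, security_code: str) -> bytes:
    """Recovery on any device by whoever knows the iCloud Security Code."""
    salt, blob = record["escrow"]
    kc_key = unwrap(derive(security_code.encode(), salt), blob)
    return unwrap(kc_key, record["keychain"])


def demo() -> dict:
    """Exercise the model; each entry is True when the read or restore succeeded."""
    def ok(fn) -> bool:
        try:
            fn()
            return True
        except ValueError:
            return False
    phone, other = DeviceModel(), DeviceModel()          # constructed devices
    rec = phone.write_file("1234", b"constructed sample document")
    kc = phone.backup_keychain(b"constructed keychain db", security_code="8841")
    results = {
        "file_same_device": ok(lambda: phone.read_file("1234", rec)),
        "file_wrong_passcode": ok(lambda: phone.read_file("0000", rec)),
        "file_other_device": ok(lambda: other.read_file("1234", rec)),
        "keychain_same_device": ok(lambda: phone.restore_keychain(kc)),
        "keychain_other_device": ok(lambda: other.restore_keychain(kc)),
        "keychain_escrow_other_device": ok(lambda: restore_from_escrow(kc, "8841")),
        "keychain_escrow_wrong_code": ok(lambda: restore_from_escrow(kc, "0000")),
    }
    phone.erase_all_content()
    results["file_after_erase"] = ok(lambda: phone.read_file("1234", rec))
    return results


if __name__ == "__main__":
    for name, readable in demo().items():
        print(f"{name:30s} {'readable' if readable else 'unreadable'}")
```

Running the block prints which reads succeed. Two points carry over to the real design: the backup record that leaves the device contains no UID-derived material in the clear and no security code, so whoever stores it (Apple, or an adversary who obtains it) cannot unwrap the keychain key; and the escrow path is only as strong as the KDF and the code's entropy, which is why the text emphasises that the code is randomly generated.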
Is the enterprise ready to accept iOS?
So does iOS make the grade? Despite these extensive security controls and the recent revelations about how they work, proof-of-concept attacks and vulnerability disclosures show that the iPhone and iPad -- like any device -- aren't 100% secure.
While some claims in the Apple report can't be fully verified, it can be seen as a genuine attempt by the company to show that it takes security and the protection of users' data very seriously. But is it enough to change an enterprise's mind about iPhones and iPads? It is hard to say, as organizations have different business needs and security requirements. However, there is certainly enough detail in this report for an enterprise to understand how allowing iOS devices onto its networks will affect overall security.
About the author:
Michael Cobb, CISSP-ISSAP, is a renowned security author with over 20 years of experience in the IT industry. He has a passion for making IT security best practices easier to understand and achievable. His website http://www.hairyitdog.com offers free security posters to raise employee awareness of the importance of safeguarding company and client data and of following good practices. He co-authored the book IIS Security and has written many technical articles for leading IT publications. Mike has also been a Microsoft Certified Database Manager and registered consultant with the CESG Listed Advisor Scheme (CLAS).