Locking down iOS 8: How Apple is keeping your iPhone and iPad safe!

Apple has posted a new version of their terrific white paper on iOS security, this one updated for iOS 8 an dated September, 2014. I haven't had time to read through it yet, but if last year's version is any indication, encryption enthusiasts should be in for a treat. The timing, immediately following iOS 8's release, and Tim Cook's letter on privacy, probably isn't a coincidence. Apple is making privacy and security both a differentiator and they want this information out there.

A quick look at the differences between this year's and last year's security white papers turn up the following:

  • Additional info on Secure Enclave: "The Secure Enclave's microkernel is based on the L4 family, with modifications by Apple."
  • Updates to Touch ID and third-party access in iOS 8: "Third-party apps can use system-provided APIs to ask the user to authenticate using Touch ID or passcode. The app is only notified as to whether the authentication was successful; it cannot access Touch ID or the data associated with the enrolled fingerprint. Keychain items can also be protected with Touch ID, to be released by the Secure Enclave only by a fingerprint match or the device passcode. App developers also have APIs to verify that a passcode has been set by the user and therefore able to authenticate or unlock keychain items using Touch ID."
  • iOS Data Protection: Messages, Calendar, Contacts, and Photos all join Mail in the list of system iOS apps that employ Data Protection.
  • Updates about shared keychain items for apps: "Keychain items can only be shared between apps from the same developer. This is managed by requiring third-party apps to use access groups with a prefix allocated to them through the iOS Developer Program, or in iOS 8, via application groups. The prefix requirement and application group uniqueness are enforced through code signing, Provisioning Profiles, and the iOS Developer Program."
  • New: Information on the new keychain data protection class kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly - "The class kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly is available only when the device is configured with a passcode. Items in this class exist only in the system keybag; they do not sync to iCloud Keychain, are not backed up, and are not included in escrow keybags. If the passcode is removed or reset, the items are rendered useless by discarding the class keys."
  • New: Keychain Access Control Lists - "Keychains can use access control lists (ACLs) to set policies for accessibility and authentication requirements. Items can establish conditions that require user presence by specifying that they can't be accessed unless authenticated using Touch ID or by entering the device's passcode. ACLs are evaluated inside the Secure Enclave and are released to the kernel only if their specified constraints are met."
  • New: iOS allows apps to provide functionality to other apps by providing extensions. Extensions are special-purpose signed executable binaries, packaged within an app. The system automatically detects extensions at install time and makes them available to other apps using a matching system.
  • New: Access to Safari saved passwords - "Access will be granted only if both the app developer and website administrator have given their approval, and the user has given consent. App developers express their intent to access Safari saved passwords by including an entitlement in their app. The entitlement lists the fully qualified domain names of associated websites. The websites must place a CMS signed file on their server listing the unique app identifiers of apps they've approved. When an app with the com.apple.developer.associated-domains entitlement is installed, iOS 8 makes a TLS request to each listed website, requesting the file /apple-app-site-association. If the signature is from an identity valid for the domain and trusted by iOS, and the file lists the app identifier of the app being installed, then iOS marks the website and app as having a trusted relationship. Only with a trusted relationship will calls to these two APIs result in a prompt to the user, who must agree before any passwords are released to the app, or are updated or deleted."
  • New: "A system area that supports extensions is called an extension point. Each extension point provides APIs and enforces policies for that area. The system determines which extensions are available based on extension point–specific matching rules. The system automatically launches extension processes as needed and manages their lifetime. Entitlements can be used to restrict extension availability to particular system applications. For example, a Today view widget appears only in the Notification Center, and a sharing extension is available only from the Sharing panel. The extension points are Today widgets, Share, Custom actions, Photo Editing, Document Provider, and Custom Keyboard."
  • New: "Extensions run in their own address space. Communication between the extension and the app from which it was activated uses interprocess communications mediated by the system framework. They do not have access to each other's files or memory spaces. Extensions are designed to be isolated from each other, from their containing apps, and from the apps that use them. They are sandboxed like any other third-party app and have a container separate from the containing app's container. However, they share the same access to privacy controls as the container app. So if a user grants Contacts access to an app, this grant will be extended to the extensions that are embedded within the app, but not to the extensions activated by the app."
  • New: "Custom keyboards are a special type of extensions since they are enabled by the user for the entire system. Once enabled, the extension will be used for any text field except the passcode input and any secure text view. For privacy reasons, custom keyboards run by default in a very restrictive sandbox that blocks access to the network, to services that perform network operations on behalf a process, and to APIs that would allow the extension to exfiltrate typing data. Developers of custom keyboards can request that their extension have Open Access, which will let the system run the extension in the default sandbox after getting consent from the user."
  • New: "For devices enrolled in mobile device management, document and keyboard extensions obey Managed Open In rules. For example, the MDM server can prevent a user from exporting a document from a managed app to an unmanaged Document Provider, or using an unmanaged keyboard with a managed app. Additionally, app developers can prevent the use of third-party keyboard extensions within their app."
  • New: "iOS 8 introduces Always-on VPN, which can be configured for devices managed via MDM and supervised using Apple Configurator or the Device Enrollment Program. This eliminates the need for users to turn on VPN to enable protection when connecting to Wi-Fi networks. Always-on VPN gives an organization full control over device traffic by tunneling all IP traffic back to the organization. The default tunneling protocol, IKEv2, secures traffic transmission with data encryption. The organization can now monitor and filter traffic to and from its devices, secure data within its network, and restrict device access to the Internet."
  • New: "When iOS 8 is not associated with a Wi-Fi network and a device's processor is asleep, iOS 8 uses a randomized Media Access Control (MAC) address when conducting PNO scans. When iOS 8 is not associated with a Wi-Fi network or a device's processor is asleep, iOS 8 uses a randomized MAC address when conducting ePNO scans. Because a device's MAC address now changes when it's not connected to a network, it can't be used to persistently track a device by passive observers of Wi-Fi traffic."
  • New: "Apple also offers two-step verification for Apple ID, which provides a second layer of security for the user's account. With two-step verification enabled, the user's identity must be verified via a temporary code sent to one of their trusted devices before they can make changes to their Apple ID account information, sign in to iCloud, or make an iTunes, iBooks, or App Store purchase from a new device. This can prevent anyone from accessing a user's account, even if they know the password. Users are also provided with a 14-character Recovery Key to be stored in a safe place in case they ever forget their password or lose access to their trusted devices."
  • New: "iCloud Drive adds account-based keys to protect documents stored in iCloud. As with existing iCloud services, it chunks and encrypts file contents and stores the encrypted chunks using third-party services. However, the file content keys are wrapped by record keys stored with the iCloud Drive metadata. These record keys are in turn protected by the user's iCloud Drive service key, which is then stored with the user's iCloud account. Users get access to their iCloud documents metadata by having authenticated with iCloud, but must also possess the iCloud Drive service key to expose protected parts of iCloud Drive storage."
  • New: "Safari can automatically generate cryptographically strong random strings for website passwords, which are stored in Keychain and synced to your other devices. Keychain items are transferred from device to device, traveling through Apple servers, but are encrypted in such a way that Apple and other devices cannot read their contents."
  • New: In a larger section on Spotlight Suggestions - "Unlike most search engines, however, Apple's search service does not use a persistent personal identifier across a user's search history to tie queries to a user or device; instead, Apple devices use a temporary anonymous session ID for at most a 15-minute period before discarding that ID."

In addition to the changes outlined above are sections detailing stash keybags for OTA updates, iPhone Cellular Call Relays (for answering phone calls from devices other than your phone), Handoff, Instant Hotspot, Spotlight Suggestions, the iOS pairing model, Device Enrollment Program (MDM for organizations buying device directly from Apple), and Location Services among other items. If you have the chance, give the white paper a read and then let me know what you think about the changes and additions.

Source: Apple.com

Nick Arnott