Apple Releases IOS Security Guide

Trailrunner7 writes in with a story about a iOS security guide released by Apple. "Apple has released a detailed security guide for its iOS operating system, an unprecedented move for a company known for not discussing the technical details of its products, let alone the security architecture. The document lays out the system architecture, data protection capabilities and network security features in iOS, most of which had been known before but hadn't been publicly discussed by Apple. The iOS Security guide (PDF), released within the last week, represents Apple's first real public documentation of the security architecture and feature set in iOS, the operating system that runs on iPhones, iPads and iPod Touch devices. Security researchers have been doing their best to reverse engineer the operating system for several years and much of what's in the new Apple guide has been discussed in presentations and talks by researchers. 'Apple doesn't really talk about their security mechanisms in detail. When they introduced ASLR, they didn't tell anybody. They didn't ever explain how codesigning worked,' security researcher Charlie Miller said."

Comparisson to Android?

[w0mprat]

Would like to see a comparison to Androids security model. Anyone care to analyse?

Re:Comparisson to Android?

Android's what?

Oh, good one. You had me going there for a minute.

Re:Comparisson to Android?

[captainspudly]

Charlie Miller and Jon Oberheide will be speaking at http://summercon.org/ in NY June 8 on Android. I hope to hear some good comparisons.

Re:Comparisson to Android?

[IamTheRealMike]

Well, "security" is a huge topic and the mechanisms are constantly evolving. But there are some differences that are worth analyzing.

Both operating systems run apps in a sandbox, unlike desktop operating systems like Linux or Windows (OS X is starting to move in the mobile-ish direction). There are some tasks that the OS simply forbids apps to do entirely. In this regard they are similar, and in the absence of local root exploits it's much harder to write viruses that target such a system.

The main differences are as follows: the iOS sandbox is somewhat weaker than the Android sandbox. It restricts fewer things and in the past (not sure if it was fixed these days), key first-party apps such as the web browser were not sandboxed at all, which is how several generations of jailbreak worked. Android was designed from the ground up with the mentality that there should ideally not be an "us vs them" divide - Android treats all apps more or less the same, security-wise, meaning that the browser is just a regular app that runs in a permission-controlled sandbox like any other. This open design is one reason why the permissions UI on Android is more complex than for iOS - apps can do more things and the OS has to communicate that to you.

With a weaker sandbox and permissions system, Apple relies much more heavily on manual review and the ability to control what software you can run. Android, by default, will not install software from outside the Google Play market (which does have various forms of review by the way), but if you tick a box and acknowledge a warning box it will let you do so. This is another reason the sandbox is stronger - Android phones can and do run code controlled by nobody but the author. iOS requires Apple signatures in all cases. The impact of the weaker sandbox is also mitigated by the fact that iOS users upgrade at a faster rate than Android users do (though it's still nothing compared to systems like ChromeOS), so when sandbox escapes are found they can be fixed faster. Android is more vulnerable, which is why there's more of a rigorous approach to privilege minimization.

With the virus angle largely taken care of, "malware" on these platforms is being redefined to mean "software that does something the users probably won't like" rather than "software that does that, and also takes over your machine / hides from you / both". For instance if you install an off-market app on Android and the OS tells you "Services that cost you money: send SMS messages" when you install it, and then you install it and it sends premium SMS in the background, that's typically being classified as malware by various AV companies .... which is kind of fair, but the remedy is just to uninstall the app. These apps can't resist uninstallation or hide from you as desktop viruses can. And beyond obviously bad stuff like running up a phone bill, they're also starting to classify apps that have poor privacy practices or which are too aggressive with their advertising as "malware" which is rather questionable.

With regards to other features, like drive encryption, as of the latest releases I believe both operating systems are largely comparable. The biggest remaining difference of interest (at least to me) is the approach to secure boot. Apple uses a form of online authorization to personalize OS reimaging to the device, this is to avoid downgrade attacks where users jailbreak the device by reflashing to an older, vulnerable version of the OS. Android secure boot is largely up to the OEMs and their approaches differ .... some like the Google Nexus devices allow you to reflash to any OS image you like, including ones you compiled yourself. No authorization from anyone is required, however, the phone will do a data wipe before performing the reflash to stop people who stole your phone from stealing your data too. Other phones will only boot firmwares signed by the manufacturer and use eFuses to stop downgrades rather than a server.

The important link

[OzPeter]

The most important link missing from TFS is iOS_Security_May12.pdf

Re:The important link

[OzPeter]

Some other links I just stole from a comment in TFA from an anonymous poster
 
  NSA recommendations for Apple products (also has recommendations for Linux, Windows and Solaris)
 
  iOS Hardening Configuration Guide from the Australian Department of Defense

Re:The important link

[Kergan]

TFA also forgets an equally important links to prior security material released by Apple, which discusses the technical details and architecture contrary to what TFA suggests.

Bad Grammar

[sethmeisterg]

Not "there best" -- "their best". Editors??

Unprecedented Disclosure?

Yes, Apple is so sneaky and secretive we never would have learned about the iOS security model without this unprecedented revelation. I feel so fortunate to live in the age of apple security enlightenment. If only there was some way to divine such special knowledge before this document was disclosed.

Security Starting Point for iOS
iOS Security Overivew
iOS Secure Coding Guide
iOS Security Reference

The list goes on ...

Sigh, stupidity in the FIRST sentence

[antifoidulus]

unprecedented move for a company known for not discussing the technical details of its products, let alone the security architecture.

Um...no...not by a long shot. While obviously nowhere NEAR as open as Android, iOS is based on Darwin, which is open source(though I am sure they have modified parts of it but not released them, and of course 99.9% of userland is closed). This is the base from where most of the "security architecture" of iOS is derived, and briefing though the guide, most of what it talks about is based on these open source OS level features(and the parts that arent are basically references to APIs that Apple has documented for years). Yeah, author needs to get a clue

Re:Sigh, stupidity in the FIRST sentence

[6Yankee]

99.9% of userland is closed

When I hear "userland", I like to imagine a safari (lowercase S) theme park where we get to shoot them. ;)

Insecure content

[grouchomarxist]

It is curious that TFA is from the "Kaspersky Lab Security News Service" and yet Chrome is warning me that "This page has insecure content."

Re:I can dream...

[Jeremi]

Hopefully it says "security through obscurity does not work" in big block letters on the first page.

Of course, in the cases where it did work, you'd never hear about it.