What is Apple jailbreaking

Date: 2021-02-22
Apple Platform Security
Spring 2020

Contents

Introduction to Apple platform security
  A commitment to security
Hardware Security and Biometrics
  Hardware security overview
  Secure Enclave
  Dedicated AES engine
  Touch ID and Face ID
  Hardware microphone disconnect in Mac and iPad
  Express Cards with power reserve in iPhone
System Security
  System security overview
  Random number generation
  Secure boot
  Secure software updates
  OS integrity in iOS and iPadOS
  OS integrity in macOS
  System security in watchOS
Encryption and Data Protection
  Encryption and Data Protection overview
  How Apple protects users' personal information
  Role of Apple File System
  Data Protection in iOS and iPadOS
  Encryption in macOS
  Passcodes and passwords
  Authentication and digital signing
  Keybags
App Security
  App security overview
  App security in iOS and iPadOS
  App security in macOS
  Secure features in Notes app
  Secure features in Shortcuts app
Services Security
  Services security overview
  Apple ID and Managed Apple ID
  iCloud
  Passcode and password management
  Apple Pay
  iMessage
  Business Chat
  FaceTime
  Find My
  Continuity
Network Security
  Network security overview
  TLS network security
  Virtual Private Networks (VPNs)
  Wi-Fi Security
  Bluetooth security
  Ultra Wideband technology
  Single sign-on
  AirDrop security
  Wi-Fi password sharing
  Firewall in macOS
Developer Kits
  Developer kits overview
  HomeKit
  HealthKit
  CloudKit
  SiriKit
  DriverKit
  ReplayKit
  Camera and ARKit
Secure Device Management
  Secure device management overview
  Pairing model
  Passcode and password settings management
  Configuration enforcement
  Mobile device management (MDM)
  Automated Device Enrollment
  Apple Configurator 2
  Device supervision
  Device restrictions
  Activation Lock
  Lost Mode, remote wipe, and remote lock
  Shared iPad
  Screen Time
Apple security and privacy certifications
  Apple security and privacy certifications overview
  Apple security assurance
Glossary
Document Revision History

Introduction to Apple platform security

Apple designs security into the core of its platforms. Building on the experience of creating the world's most advanced mobile operating system, Apple has created security architectures that address the unique requirements of mobile, watch, desktop, and home.

Every Apple device combines hardware, software, and services designed to work together for maximum security and a transparent user experience in service of the ultimate goal of keeping personal information safe. Custom security hardware powers critical security features. Software protections work to keep the operating system and third-party apps safe. Services provide a mechanism for secure and timely software updates, power a safer app ecosystem, secure communications and payments, and provide a safer experience on the Internet. Apple devices protect not only the device and its data, but the entire ecosystem, including everything users do locally, on networks, and with key Internet services.

Just as we design our products to be simple, intuitive, and capable, we design them to be secure. Key security features, such as hardware-based device encryption, can't be disabled by mistake. Other features, such as Touch ID and Face ID, enhance the user experience by making it simpler and more intuitive to secure the device. And because many of these features are enabled by default, users or IT departments don't need to perform extensive configurations.

This documentation provides details about how security technology and features are implemented within Apple platforms. It also helps organizations combine Apple platform security technology and features with their own policies and procedures to meet their specific security needs.

The content is organized into the following topic areas:

- Hardware Security and Biometrics: The hardware that forms the foundation for security on Apple devices, including the Secure Enclave, a dedicated AES crypto engine, Touch ID, and Face ID.
- System Security: The integrated hardware and software functions that provide for the safe boot, update, and ongoing operation of Apple operating systems.
- Encryption and Data Protection: The architecture and design that protects user data if the device is lost or stolen, or if an unauthorized person or process attempts to use or modify it.
- App Security: The software and services that provide a safe app ecosystem and enable apps to run securely and without compromising platform integrity.
- Services Security: Apple's services for identification, password management, payments, communications, and finding lost devices.
- Network Security: Industry-standard networking protocols that provide secure authentication and encryption of data in transmission.
- Developer Kits: Frameworks for secure and private management of home and health, as well as extension of Apple device and service capabilities to third-party apps.
- Secure Device Management: Methods that allow management of Apple devices, prevent unauthorized use, and enable remote wipe if a device is lost or stolen.
- Security and Privacy Certifications: Information on ISO certifications, cryptographic validation, Common Criteria Certification, and the Commercial Solutions for Classified (CSfC) Program.
A commitment to security

Apple is committed to helping protect customers with leading privacy and security technologies, designed to safeguard personal information, and comprehensive methods to help protect corporate data in an enterprise environment.

Apple rewards researchers for the work they do to uncover vulnerabilities by offering the Apple Security Bounty. Details of the program and bounty categories are available at https://developer.apple.com/security-bounty/.

We maintain a dedicated security team to support all Apple products. The team provides security auditing and testing for products, both under development and released. The Apple team also provides security tools and training, and actively monitors for threats and reports of new security issues. Apple is a member of the Forum of Incident Response and Security Teams (FIRST).

Apple continues to push the boundaries of what is possible in security and privacy. For example, Find My uses existing cryptographic primitives to enable the groundbreaking capability of distributed finding of an offline Mac, without exposing to anyone, including Apple, the identity or location data of any of the users involved. To enhance Mac firmware security, Apple has leveraged an analog to page tables to block inappropriate access from peripherals, but at a point so early in the boot process that RAM hasn't yet been loaded. And as attackers continue to increase the sophistication of their exploit techniques, Apple is dynamically controlling memory execution privileges for iPhone and iPad by leveraging custom CPU instructions, unavailable on any other mobile devices, to thwart compromise. Just as important as the innovation of new security capabilities, new features are built with privacy and security at the center of their design.

To make the most of the extensive security features built into our platforms, organizations are encouraged to review their IT and security policies to ensure that they are taking full advantage of the layers of security technology offered by these platforms.

To learn more about reporting issues to Apple and subscribing to security notifications, see Report a security or privacy vulnerability.

Apple believes privacy is a fundamental human right and has numerous built-in controls and options that allow users to decide how and when apps use their information, as well as what information is being used. To learn more about Apple's approach to privacy, privacy controls on Apple devices, and the Apple privacy policy, see https://www.apple.com/privacy.

Note: Unless otherwise noted, this documentation covers the following operating system versions: iOS 13.4, iPadOS 13.4, macOS 10.15.4, tvOS 13.4, and watchOS 6.2.
Hardware Security and Biometrics

Hardware security overview

Secure software requires a foundation of security built into hardware. That's why Apple devices, running iOS, iPadOS, macOS, watchOS, or tvOS, have security capabilities designed into silicon. These include custom CPU capabilities that power system security features and silicon dedicated to security functions. The most critical component is the Secure Enclave coprocessor, which appears on all modern iOS, iPadOS, watchOS, and tvOS devices, and all Mac computers with the Apple T2 Security Chip. The Secure Enclave provides the foundation for encrypting data at rest, secure boot in macOS, and biometrics.

All modern iPhone, iPad, and Mac computers with a T2 chip include a dedicated AES hardware engine to power line-speed encryption as files are written or read. This ensures that Data Protection and FileVault protect users' files without exposing long-lived encryption keys to the CPU or operating system. For more information on which Apple hardware contains the Secure Enclave, see the Secure Enclave overview.

Secure boot of Apple devices ensures that the lowest levels of software aren't tampered with and that only trusted operating system software from Apple loads at startup. In iOS and iPadOS devices, security begins in immutable code called the Boot ROM, which is laid down during chip fabrication and known as the hardware root of trust. On Mac computers with a T2 chip, trust for macOS secure boot begins with the T2 chip itself. (Both the T2 and Secure Enclave also execute their own secure boot processes.)

The Secure Enclave enables Touch ID and Face ID in Apple devices to provide secure authentication while keeping user biometric data private and secure. This enables users to enjoy the security of longer and more complex passcodes and passwords with, in many situations, the convenience of swift authentication.

The security features of Apple devices are made possible by the combination of silicon design, hardware, software, and services available only from Apple.
Secure Enclave

Secure Enclave overview

The Secure Enclave is a secure coprocessor that includes a hardware-based key manager, which is isolated from the main processor to provide an extra layer of security. The Secure Enclave is a hardware feature of certain versions of iPhone, iPad, Mac, Apple TV, Apple Watch, and HomePod, namely:

- iPhone 5s (or later)
- iPad Air (or later)
- Mac computers that contain the T1 chip or the Apple T2 Security Chip
- Apple TV 4th generation (or later)
- Apple Watch Series 1 (or later)
- HomePod

The key data is encrypted in the Secure Enclave system on chip (SoC), which includes a random number generator. The Secure Enclave also maintains the integrity of its cryptographic operations even if the device kernel has been compromised. Communication between the Secure Enclave and the application processor is tightly controlled by isolating it to an interrupt-driven mailbox and shared memory data buffers.

Figure: The Secure Enclave processor.

Dedicated Boot ROM and anti-replay services

Dedicated Boot ROM

The Secure Enclave includes a dedicated Secure Enclave Boot ROM. Similar to the application processor Boot ROM, the Secure Enclave Boot ROM is immutable code that establishes the hardware root of trust for the Secure Enclave. It also runs a Secure Enclave OS based on a custom L4-family microkernel. This Secure Enclave OS is signed by Apple, verified by the Secure Enclave Boot ROM, and updated through a personalized software update process.

When the device starts up, an ephemeral memory protection key is created by the Secure Enclave Boot ROM, entangled with the device's unique ID (UID), and used to encrypt the Secure Enclave's portion of the device's memory space. Except on the Apple A7, the Secure Enclave memory is also authenticated with the memory protection key. On A11 (and newer) and S4 SoCs, an integrity tree is used to prevent replay of security-critical Secure Enclave memory, authenticated by the memory protection key and nonces stored in on-chip SRAM.

In iOS and iPadOS, files are encrypted with a key entangled with the Secure Enclave's UID and an anti-replay nonce as they are written to the data volume. On A9 (and newer) SoCs, the anti-replay nonce uses entropy generated by the hardware random number generator. The anti-replay nonce support is rooted in a dedicated nonvolatile memory integrated circuit (IC). In Mac computers with the Apple T2 Security Chip, the FileVault key hierarchy is similarly linked to the UID of the Secure Enclave.

In devices with A12 (and newer) and S4 SoCs, the Secure Enclave is paired with a secure storage IC for anti-replay nonce storage. The secure storage IC is designed with immutable ROM code, a hardware random number generator, cryptography engines, and physical tamper detection. To read and update nonces, the Secure Enclave and storage IC employ a secure protocol that ensures exclusive access to the nonces.

Anti-replay services

Anti-replay services on the Secure Enclave are used for revocation of data over events that mark anti-replay boundaries including, but not limited to, the following:

- Passcode change
- Enabling or disabling Touch ID or Face ID
- Adding or removing a Touch ID fingerprint or Face ID face
- Touch ID or Face ID reset
- Adding or removing an Apple Pay card
- Erase All Content and Settings

Dedicated AES engine

Every Apple device with a Secure Enclave has a dedicated AES-256 crypto engine built into the DMA path between the flash storage and main system memory, making file encryption highly efficient.
On A9 or later A-series processors, the flash storage subsystem is on an isolated bus that is only granted access to memory containing user data through the DMA crypto engine.

The Secure Enclave securely generates its own keys, unique IDs (UIDs), device group IDs (GIDs), and others, and securely erases saved keys when needed. These keys are AES-256-bit keys fused (the UID) or compiled (the GID) into the Secure Enclave during manufacturing. No software or firmware can read them directly; they can see only the results of encryption or decryption operations performed by dedicated AES engines implemented in silicon using those UIDs or GIDs as a key. The application processor and Secure Enclave each have their own UID and GID, and the Secure Enclave UID and GID can be used only by the AES engine dedicated to the Secure Enclave. The UIDs and GIDs aren't available through Joint Test Action Group (JTAG) or other debugging interfaces. The AES cryptographic engine supports line-speed encryption on the DMA path on Mac computers with the Apple T2 Security Chip.

Generating cryptographic keys

Each Secure Enclave generates its own UID (Unique ID) during the manufacturing process. Because the UID is unique to each device and because it's generated wholly within the Secure Enclave instead of in a manufacturing system outside of the device, the UID isn't available for access or storage by Apple or any of its suppliers. This applies to all SoCs after the Apple A8 processor. Software running on the Secure Enclave takes advantage of the UID to protect device-specific secrets. The UID allows data to be cryptographically tied to a particular device. For example, the key hierarchy protecting the file system includes the UID, so if the internal SSD storage is physically moved from one device to another, the files are inaccessible. The UID isn't related to any other identifier on the device. Other protected device-specific secrets include Touch ID or Face ID data.

Storage on devices not connected to the Apple T2 Security Chip doesn't receive this level of encryption. For example, neither external storage devices connected over USB nor PCIe-based storage added to the 2019 Mac Pro are encrypted by the T2 chip.

At the device level is the device group ID (GID), which is common to all processors in a class of devices (for example, all devices using the Apple A8 processor).

Apart from the UID and GID, all other cryptographic keys in iOS and iPadOS devices are created by the system's random number generator (RNG) using an algorithm based on CTR_DRBG. System entropy is generated from timing variations during boot, and additionally from interrupt timing after the device has booted. Keys generated inside the Secure Enclave use its true hardware random number generator based on multiple ring oscillators postprocessed with CTR_DRBG.

Secure data erasure

Securely erasing saved keys is just as important as generating them. It's especially challenging to do so on flash storage, for example, where wear-leveling might mean that multiple copies of data need to be erased. To address this issue, devices with a Secure Enclave include a feature dedicated to secure data erasure called Effaceable Storage. This feature accesses the underlying storage technology (for example, NAND) to directly address and erase a small number of blocks at a very low level.
Touch ID and Face ID

Touch ID and Face ID overview

Passcodes and passwords are critical to the security of Apple devices, but users need to be able to quickly access their devices, even upwards of a hundred times a day. Biometric authentication provides an opportunity to retain the security of a strong passcode, or even to strengthen the passcode or password since it won't often need to be entered manually, while providing the convenience of swiftly unlocking with a finger press or glance. Touch ID and Face ID don't replace the password or passcode, but they do make access faster and easier in most situations.

Touch ID security

Touch ID is the fingerprint sensing system that makes secure access to supported Apple devices faster and easier. This technology reads fingerprint data from any angle and learns more about a user's fingerprint over time, with the sensor continuing to expand the fingerprint map as additional overlapping nodes are identified with each use.

Apple devices with a Touch ID sensor can be unlocked using a fingerprint. Touch ID doesn't replace the need for a device passcode or user password, which is still required after device startup, restart, or logout (on a Mac). In some apps, Touch ID can also be used in place of a device passcode or user password, for example, to unlock password-protected notes in the Notes app, to unlock keychain-protected websites, and to unlock supported app passwords. However, a device passcode or user password is always required in some scenarios, for example, to change an existing device passcode or user password, or to remove existing fingerprint enrollments or create new ones.

When the fingerprint sensor detects the touch of a finger, it triggers the advanced imaging array to scan the finger and sends the scan to the Secure Enclave. Communication between the processor and the Touch ID sensor takes place over a serial peripheral interface bus. The processor forwards the data to the Secure Enclave but can't read it. It's encrypted and authenticated with a session key that is negotiated using a shared key provisioned for each Touch ID sensor and its corresponding Secure Enclave at the factory. The shared key is strong, random, and different for every Touch ID sensor. The session key exchange uses AES key wrapping, with both sides providing a random key that establishes the session key, and uses AES-CCM transport encryption.

While being vectorized for analysis, the raster scan is temporarily stored in encrypted memory within the Secure Enclave and then it is discarded. The analysis utilizes subdermal ridge flow angle mapping, which is a lossy process that discards minutiae data that would be required to reconstruct the user's actual fingerprint. The resulting map of nodes is stored without any identity information in an encrypted format that can only be read by the Secure Enclave. This data never leaves the device. It's not sent to Apple, nor is it included in device backups.

Face ID security

With a simple glance, Face ID securely unlocks supported Apple devices. It provides intuitive and secure authentication enabled by the TrueDepth camera system, which uses advanced technologies to accurately map the geometry of a user's face. Face ID uses neural networks for determining attention, matching, and anti-spoofing, so a user can unlock their phone with a glance. Face ID automatically adapts to changes in appearance, and carefully safeguards the privacy and security of a user's biometric data.

Face ID is designed to confirm user attention, provide robust authentication with a low false-match rate, and mitigate both digital and physical spoofing.

The TrueDepth camera automatically looks for the user's face when they wake Apple devices that feature Face ID (by raising the device or tapping the screen), as well as when those devices attempt to authenticate the user in order to display an incoming notification or when a supported app requests Face ID authentication. When a face is detected, Face ID confirms attention and intent to unlock by detecting that the user's eyes are open and their attention is directed at their device; for accessibility, this is disabled when VoiceOver is activated and, if required, can be disabled separately.

After it confirms the presence of an attentive face, the TrueDepth camera projects and reads over 30,000 infrared dots to form a depth map of the face, along with a 2D infrared image. This data is used to create a sequence of 2D images and depth maps, which are digitally signed and sent to the Secure Enclave. To counter both digital and physical spoofs, the TrueDepth camera randomizes the sequence of 2D images and depth map captures, and projects a device-specific random pattern. A portion of the SoC's neural engine, protected within the Secure Enclave, transforms this data into a mathematical representation and compares that representation to the enrolled facial data. This enrolled facial data is itself a mathematical representation of the user's face captured across a variety of poses.
Touch ID, Face ID, passcodes, and passwords

To use Touch ID or Face ID, the user must set up their device so that a passcode or password is required to unlock it. When Touch ID or Face ID detects a successful match, the user's device unlocks without asking for the device passcode or password. This makes using a longer, more complex passcode or password far more practical because the user doesn't need to enter it as frequently. Touch ID and Face ID don't replace the user's passcode or password, but provide easy access to the device within thoughtful boundaries and time constraints. This is important because a strong passcode or password forms the foundation for how the user's iOS, iPadOS, macOS, or watchOS device cryptographically protects their data.

When a device passcode or password is required

Users can use their passcode or password anytime instead of Touch ID or Face ID, but there are some situations where biometrics aren't permitted. The following security-sensitive operations always require entry of a passcode or password:

- Updating the software
- Erasing the device
- Viewing or changing passcode settings
- Installing configuration profiles
- Unlocking the Security & Privacy preferences pane in System Preferences on Mac
- Unlocking the Users & Groups preferences pane in System Preferences on Mac (if FileVault is turned on)

A passcode or password is also required if the device is in the following states:

- The device has just been turned on or restarted
- The user has logged out of their Mac account (or has not yet logged in)
- The user has not unlocked their device for more than 48 hours
- The user hasn't used their passcode or password to unlock their device for 156 hours (six and a half days) and the user hasn't used a biometric to unlock their device in 4 hours
- The device has received a remote lock command
- After exiting power off/Emergency SOS by pressing and holding either volume button and the sleep/wake button simultaneously for 2 seconds and then pressing Cancel
- After five unsuccessful biometric match attempts (though for usability, the device might offer entering a passcode or password instead of using biometrics after a smaller number of failures)

When Touch ID or Face ID is enabled on an iPhone or iPad, the device immediately locks when the sleep/wake button is pressed, and the device locks every time it goes to sleep. Touch ID and Face ID require a successful match, or optionally the passcode, at every wake.
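The device-state rules above, written out as the policy a lock screen would consult before offering Touch ID or Face ID. This is an added example and not code from Apple's guide: the device_state struct, its field names and the event hooks are this example's own, the thresholds (48 hours, 156 hours, 4 hours, five failures) are the ones stated in the text, and times are seconds on a monotonic clock. The per-operation rules (software update, erase, and so on) are not modeled, since those always require the passcode regardless of state.

```c
/* Added example, not Apple code: the "passcode or password required"
 * device-state rules listed in the guide, encoded as a policy function.
 * Struct, field names and hooks are this example's own assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HOURS(h) ((int64_t)(h) * 3600)
#define MAX_BIOMETRIC_FAILURES 5      /* five unsuccessful match attempts */

typedef struct {
    bool    booted_this_session;      /* powered on/restarted, no passcode entered since */
    bool    mac_logged_out;           /* macOS only: logged out or not yet logged in */
    bool    remote_lock_received;     /* remote lock command pending */
    bool    sos_cancelled;            /* power off / Emergency SOS screen left via Cancel */
    int     biometric_failures;       /* consecutive failed matches */
    int64_t last_unlock;              /* last unlock of any kind; 0 = never */
    int64_t last_passcode_unlock;     /* last unlock with passcode/password; 0 = never */
    int64_t last_biometric_unlock;    /* last unlock with Touch ID / Face ID; 0 = never */
} device_state;

/* True if Touch ID / Face ID may be offered now; otherwise false, with
 * *reason naming the rule that forces passcode entry. */
bool biometric_allowed(const device_state *s, int64_t now, const char **reason)
{
    const char *why = NULL;
    if (s->booted_this_session)
        why = "device was just turned on or restarted";
    else if (s->mac_logged_out)
        why = "user is logged out of the Mac account";
    else if (s->remote_lock_received)
        why = "remote lock command received";
    else if (s->sos_cancelled)
        why = "power off / Emergency SOS exited with Cancel";
    else if (s->biometric_failures >= MAX_BIOMETRIC_FAILURES)
        why = "five unsuccessful biometric match attempts";
    else if (now - s->last_unlock > HOURS(48))
        why = "device not unlocked for more than 48 hours";
    else if (now - s->last_passcode_unlock > HOURS(156) &&
             now - s->last_biometric_unlock > HOURS(4))
        why = "no passcode unlock for 156 hours and no biometric unlock for 4 hours";
    if (reason) *reason = why;
    return why == NULL;
}

/* A passcode/password unlock clears every condition above and resets the timers. */
void on_passcode_unlock(device_state *s, int64_t now)
{
    s->booted_this_session = false;
    s->mac_logged_out = false;
    s->remote_lock_received = false;
    s->sos_cancelled = false;
    s->biometric_failures = 0;
    s->last_unlock = s->last_passcode_unlock = now;
}

/* A biometric attempt: a match resets the failure count and the short
 * timers but is not a passcode unlock; a miss is counted. */
void on_biometric_result(device_state *s, bool matched, int64_t now)
{
    if (!matched) { s->biometric_failures++; return; }
    s->biometric_failures = 0;
    s->last_unlock = s->last_biometric_unlock = now;
}

int main(void)
{
    device_state s = {0};
    const char *reason = NULL;
    int64_t t = 0;
    s.booted_this_session = true;                    /* fresh boot: passcode only */
    printf("after boot: %s\n", biometric_allowed(&s, t, &reason) ? "biometric ok" : reason);
    on_passcode_unlock(&s, t);
    t += HOURS(157);                                 /* a week without the passcode ... */
    on_biometric_result(&s, true, t - HOURS(2));     /* ... but Face ID matched 2 h ago */
    printf("157 h later: %s\n", biometric_allowed(&s, t, &reason) ? "biometric ok" : reason);
    t += HOURS(3);                                   /* now 5 h since that match */
    printf("5 h after last match: %s\n", biometric_allowed(&s, t, &reason) ? "biometric ok" : reason);
    return 0;
}
```

The 156-hour rule only bites when both conditions hold, so a device that is unlocked biometrically at least every 4 hours stays in biometric mode past the 156-hour mark; the 48-hour rule is independent and triggers on any idle device.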
The probability that a random person in the population could unlock a user's iPhone, iPad, or Mac is 1 in 50,000 with Touch ID or 1 in 1,000,000 with Face ID. This probability increases with multiple enrolled fingerprints (up to 1 in 10,000 with five fingerprints) or appearances (up to 1 in 500,000 with two appearances), because each enrolled template is a separate chance of a false match, so the rate scales roughly with the number of templates. For additional protection, both Touch ID and Face ID allow only five unsuccessful match attempts before a passcode or password is required to obtain access to the user's device or account. With Face ID, the probability of a false match is different for twins and siblings who look like the user and for children under the age of 13 (because their distinct facial features may not have fully developed). If the user is concerned about this, Apple recommends using a passcode to authenticate.

Facial matching

Facial matching is performed within the Secure Enclave using neural networks trained specifically for that purpose. Apple developed the facial matching neural networks using over a billion images, including IR and depth images collected in studies conducted with the participants' informed consent. Apple then worked with participants from around the world to include a representative group of people accounting for gender, age, ethnicity, and other factors. The studies were augmented as needed to provide a high degree of accuracy for a diverse range of users. Face ID is designed to work with hats, scarves, eyeglasses, contact lenses, and many sunglasses. Furthermore, it's designed to work indoors, outdoors, and even in total darkness. An additional neural network that's trained to spot and resist spoofing defends against attempts to unlock the device with photos or masks. Face ID data, including mathematical representations of a user's face, is encrypted and available only to the Secure Enclave. This data never leaves the device. It's not sent to Apple, nor is it included in device backups. The following Face ID data is saved, encrypted only for use by the Secure Enclave, during normal operation:

- The mathematical representations of a user's face calculated during enrollment
- The mathematical representations of a user's face calculated during some unlock attempts if Face ID deems them useful to augment future matching

Face images captured during normal operation aren't saved, but are instead immediately discarded after the mathematical representation is calculated for either enrollment or comparison to the enrolled Face ID data.

Improving Face ID matches

To improve match performance and keep pace with the natural changes of a face and look, Face ID augments its stored mathematical representation over time. Upon successful match, Face ID may use the newly calculated mathematical representation, if its quality is sufficient, for a finite number of additional matches before that data is discarded. Conversely, if Face ID fails to recognize a face, but the match quality is higher than a certain threshold and a user immediately follows the failure by entering their passcode, Face ID takes another capture and augments its enrolled Face ID data with the newly calculated mathematical representation. This new Face ID data is discarded if the user stops matching against it and after a finite number of matches. These augmentation processes allow Face ID to keep up with dramatic changes in a user's facial hair or makeup use, while minimizing false acceptance.
Unlocking a device or user account

With Touch ID or Face ID disabled, when a device or account locks, the keys for the highest class of Data Protection, which are held in the Secure Enclave, are discarded. The files and Keychain items in that class are inaccessible until the user unlocks the device or account by entering their passcode or password.

With Touch ID or Face ID enabled, the keys aren't discarded when the device or account locks; instead, they're wrapped with a key that's given to the Touch ID or Face ID subsystem inside the Secure Enclave. When a user attempts to unlock the device or account, if the device detects a successful match, it provides the key for unwrapping the Data Protection keys, and the device or account is unlocked. This process provides additional protection by requiring cooperation between the Data Protection and Touch ID or Face ID subsystems to unlock the device. When the device restarts, the keys required for Touch ID or Face ID to unlock the device or account are lost; they're discarded by the Secure Enclave after any condition is met that requires passcode or password entry.

Securing purchases with Apple Pay

The user can also use Touch ID and Face ID with Apple Pay to make easy and secure purchases in stores, apps, and on the web. To authorize an in-store payment with Face ID, the user must first confirm intent to pay by double-clicking the side button. This double-click captures user intent using a physical gesture directly linked to the Secure Enclave and is resistant to forgery by a malicious process. The user then authenticates using Face ID before placing the device near the contactless payment reader. A different Apple Pay payment method can be selected after Face ID authentication, which requires reauthentication, but the user won't have to double-click the side button again.

To make a payment within apps and on the web, the user confirms their intent to pay by double-clicking the side button, then authenticates using Face ID to authorize the payment. If the Apple Pay transaction isn't completed within 60 seconds of double-clicking the side button, the user must reconfirm intent to pay by double-clicking again. In the case of Touch ID, the intent to pay is confirmed using the gesture of activating the Touch ID sensor combined with successfully matching the user's fingerprint.

Other uses for Touch ID and Face ID

Third-party apps can use system-provided APIs to ask the user to authenticate using Touch ID or Face ID or a passcode or password, and apps that support Touch ID automatically support Face ID without any changes. When using Touch ID or Face ID, the app is notified only as to whether the authentication was successful; it can't access Touch ID, Face ID, or the data associated with the enrolled user.

Protecting Keychain items

Keychain items can also be protected with Touch ID or Face ID, to be released by the Secure Enclave only by a successful match or the device passcode or account password. App developers have APIs to verify that a passcode or password has been set by the user, before requiring Touch ID or Face ID or a passcode or password to unlock Keychain items. App developers can do the following:

- Require that authentication API operations do not fall back to an app password or the device passcode. They can query whether a user is enrolled, allowing Touch ID or Face ID to be used as a second factor in security-sensitive apps.
- Generate and use ECC keys inside the Secure Enclave that can be protected by Touch ID or Face ID. Operations with these keys are always performed inside the Secure Enclave after it authorizes their use.

Making and approving purchases

Users can also configure Touch ID or Face ID to approve purchases from the iTunes Store, the App Store, Apple Books, and more, so users don't have to enter their Apple ID password. With iOS 11 or later or macOS 10.12.5 or later, Touch ID- and Face ID-protected Secure Enclave ECC keys are used to authorize a purchase by signing the store request.
Hardware microphone disconnect in Mac and iPad

All Mac portables with the Apple T2 Security Chip feature a hardware disconnect that ensures the microphone is disabled whenever the lid is closed. On the 13-inch MacBook Pro and MacBook Air computers with the T2 chip, and on the 15-inch MacBook Pro portables from 2019 or later, this disconnect is implemented in hardware alone. The disconnect prevents any software, even with root or kernel privileges in macOS, and even the software on the T2 chip, from engaging the microphone when the lid is closed. (The camera is not disconnected in hardware, because its field of view is completely obstructed with the lid closed.)

iPad models beginning in 2020 also feature the hardware microphone disconnect. When an MFi-compliant case (including those sold by Apple) is attached to the iPad and closed, the microphone is disconnected in hardware, preventing microphone audio data from being made available to any software, even with root or kernel privileges in iPadOS or in case the firmware is compromised.

Express Cards with power reserve in iPhone

If iOS isn't running because iPhone needs to be charged, there may still be enough power in the battery to support Express Card transactions. Supported iPhone devices automatically support this feature with:

- A transit card designated as the Express Transit card
- Student ID cards with Express Mode turned on

Pressing the side button displays the low battery icon as well as text indicating Express Cards are available to use. The NFC controller performs Express Card transactions under the same conditions as when iOS is running, except that transactions are indicated with only haptic notification. No visible notification is shown. This feature isn't available when a standard user-initiated shutdown is performed.
System Security

System security overview

Building on the unique capabilities of Apple hardware, system security is designed to maximize the security of the operating systems on Apple devices without compromising usability. System security encompasses the boot-up process, software updates, and the ongoing operation of the OS.

Secure boot begins in hardware and builds a chain of trust through software, where each step ensures that the next is functioning properly before handing over control. This security model supports not only the default boot of Apple devices but also the various modes for recovery and updating on iOS, iPadOS, and macOS devices.

The most recent versions of iOS, iPadOS, or macOS are the most secure. The software update mechanism not only provides timely updates to Apple devices, it also delivers only known good software from Apple. The update system can even prevent downgrade attacks, so devices can't be rolled back to an older version of the operating system (which an attacker knows how to compromise) as a method of stealing user data.

Finally, Apple devices include boot and runtime protections so that they maintain their integrity during ongoing operation. These protections vary significantly between iOS, iPadOS, and macOS devices based on the very different sets of capabilities they support and the attacks they must therefore thwart.

Random number generation

Cryptographic pseudorandom number generators (CPRNGs) are an important building block for secure software. To this end, Apple provides a trusted software CPRNG running in the iOS, iPadOS, macOS, tvOS, and watchOS kernels. It's responsible for aggregating raw entropy from the system and providing secure random numbers to consumers in both the kernel and user space.

Entropy sources

The kernel CPRNG is seeded from multiple entropy sources during boot and over the lifetime of the device. These include (contingent on availability):

- The Secure Enclave's hardware RNG
- Timing-based jitter collected during boot
- Entropy collected from hardware interrupts
- A seed file used to persist entropy across boots
- Intel random instructions, i.e. RDSEED and RDRAND (macOS-only)

The kernel CPRNG

The kernel CPRNG is a Fortuna-derived design targeting a 256-bit security level. It provides high-quality random numbers to user-space consumers using the following APIs:

- The getentropy(2) system call
- The random device, i.e. /dev/random

The kernel CPRNG accepts user-supplied entropy through writes to the random device.
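The two user-space interfaces named above, getentropy(2) and /dev/random, as a program would use them to draw key material from the kernel CPRNG. This is an added example, not code from Apple's guide: the 256-byte per-call limit is the documented behavior of getentropy(), while the chunking loop, the /dev/random fallback and the helper names are this example's own. It builds on macOS and on Linux with a libc that provides getentropy().

```c
/* Added example, not Apple code: pulling CPRNG output through getentropy(2)
 * and /dev/random. getentropy() rejects requests above 256 bytes (EIO),
 * so larger buffers are filled in chunks. rand()/random() are never used:
 * they are not cryptographic generators. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __APPLE__
#include <sys/random.h>      /* getentropy() is declared here on macOS */
#endif

#define GETENTROPY_MAX 256   /* documented per-call limit of getentropy(2) */

/* Fallback path: blocking read from the random device. 0 on success, -1 on failure. */
static int fill_from_dev_random(unsigned char *buf, size_t len)
{
    FILE *f = fopen("/dev/random", "rb");
    if (f == NULL) return -1;
    size_t got = fread(buf, 1, len, f);
    fclose(f);
    return got == len ? 0 : -1;
}

/* Fill buf[0..len) with kernel CPRNG output. 0 on success, -1 on failure. */
int secure_random(unsigned char *buf, size_t len)
{
    size_t done = 0;
    while (done < len) {
        size_t chunk = len - done;
        if (chunk > GETENTROPY_MAX) chunk = GETENTROPY_MAX;
        if (getentropy(buf + done, chunk) != 0) {
            /* e.g. ENOSYS on a libc/kernel without the syscall: use the device node */
            return fill_from_dev_random(buf + done, len - done);
        }
        done += chunk;
    }
    return 0;
}

/* A buffer that is still all zero after the call means nothing was written;
 * this catches the classic bug of ignoring the RNG's return value. */
int looks_random(const unsigned char *buf, size_t len)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) acc |= buf[i];
    return acc != 0;
}

/* Self-check: two 1000-byte draws (exercising the chunked path) must both
 * succeed, be non-zero, and differ from each other. Returns 1 if so. */
int self_test(void)
{
    unsigned char a[1000], b[1000];
    if (secure_random(a, sizeof a) != 0 || secure_random(b, sizeof b) != 0) return 0;
    if (!looks_random(a, sizeof a) || !looks_random(b, sizeof b)) return 0;
    return memcmp(a, b, sizeof a) != 0;
}

int main(void)
{
    unsigned char key[32];
    if (!self_test() || secure_random(key, sizeof key) != 0) {
        fprintf(stderr, "secure_random failed: %s\n", strerror(errno));
        return 1;
    }
    for (size_t i = 0; i < sizeof key; i++) printf("%02x", key[i]);
    printf("\n");
    return 0;
}
```

The return value of the generator is always checked and the buffer is never used on failure; a partially filled or untouched key buffer is the usual way "random" keys end up predictable.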
Secure boot

iOS and iPadOS secure boot chain

Each step of the startup process contains components that are cryptographically signed by Apple to ensure integrity and that proceed only after verifying the chain of trust. This includes the bootloaders, the kernel, kernel extensions, and baseband firmware. This secure boot chain helps ensure that the lowest levels of software aren't tampered with.

When an iOS or iPadOS device is turned on, its application processor immediately executes code from read-only memory referred to as Boot ROM. This immutable code, known as the hardware root of trust, is laid down during chip fabrication and is implicitly trusted. The Boot ROM code contains the Apple Root CA public key, used to verify that the iBoot bootloader is signed by Apple before allowing it to load. This is the first step in the chain of trust, in which each step ensures that the next is signed by Apple. When iBoot finishes its tasks, it verifies and runs the iOS or iPadOS kernel. For devices with an A9 or earlier A-series processor, an additional Low-Level Bootloader (LLB) stage is loaded and verified by the Boot ROM and in turn loads and verifies iBoot.

A failure to load or verify following stages is handled differently depending on the hardware:

- Boot ROM can't load LLB (older devices): Device Firmware Upgrade (DFU) mode
- LLB or iBoot: Recovery mode

In either case, the device must be connected to iTunes (in macOS 10.14 or earlier) or the Finder (macOS 10.15 or later) through USB and restored to factory default settings.

The Boot Progress Register (BPR) is used by the Secure Enclave to limit access to user data in different modes and is updated before entering the following modes:

- DFU mode: Set by Boot ROM on devices with an Apple A12 or newer SoC
- Recovery mode: Set by iBoot on devices with Apple A10, S2, or newer SoCs

On devices with cellular access, the baseband subsystem also utilizes its own similar process of secure booting with signed software and keys verified by the baseband processor. The Secure Enclave coprocessor also utilizes a secure boot process that ensures its separate software is verified and signed by Apple.
macOS boot modes

Boot process of Mac computers

When a Mac computer with the Apple T2 Security Chip is turned on, the chip executes code from read-only memory known as Boot ROM. This immutable code, referred to as the hardware root of trust, is laid down during chip fabrication and is audited for vulnerabilities and implicitly trusted. The Boot ROM code contains the Apple Root CA public key, which is used to verify that the iBoot bootloader is signed by Apple's private key before allowing it to load. This is the first step in the chain of trust. iBoot verifies the kernel and kernel extension code on the T2 chip, which subsequently verifies the Intel UEFI firmware. The UEFI firmware and the associated signature are initially available only to the T2 chip.

(Figure: macOS secure boot chain)

After verification, the UEFI firmware image is mapped into a portion of the T2 chip memory. This memory is made available to the Intel CPU through the enhanced Serial Peripheral Interface (eSPI). When the Intel CPU first boots, it fetches the UEFI firmware through eSPI from the integrity-checked, memory-mapped copy of the firmware located on the T2 chip.

The evaluation of the chain of trust continues on the Intel CPU, with the UEFI firmware evaluating the signature for boot.efi, which is the macOS bootloader. The Intel-resident macOS secure boot signatures are stored in the same Image4 format used for iOS, iPadOS, and T2 chip secure boot, and the code that parses the Image4 files is the same hardened code from the current iOS and iPadOS secure boot implementation. Boot.efi in turn verifies the signature of a new file, called immutablekernel. When secure boot is enabled, the immutablekernel file represents the complete set of Apple kernel extensions required to boot macOS. The secure boot policy terminates at the handoff to the immutablekernel, and after that, macOS security policies (such as System Integrity Protection and signed kernel extensions) take effect.

If there are any errors or failures in this process, the Mac enters macOS Recovery mode, Apple T2 Security Chip Recovery mode, or Apple T2 Security Chip DFU mode.
Boot modes overview of Mac computers

Mac computers have a variety of boot modes that can be entered at boot time by pressing key combinations, which are recognized by the UEFI firmware or booter. Some boot modes, such as Single User Mode, won't work unless the security policy is changed to No Security in Startup Security Utility.

Mode (key combo): Description

macOS boot (none): The UEFI firmware hands off to the macOS booter (a UEFI application), which hands off to the macOS kernel. On standard booting of a Mac with FileVault enabled, the macOS booter is the code presenting the Login Window interface in order to take the password to decrypt the storage.

Startup Manager (Option): The UEFI firmware launches the built-in UEFI application, which presents the user with a boot device selection interface.

Target Disk Mode (TDM) (T): The UEFI firmware launches the built-in UEFI application, which exposes the internal storage device as a raw, block-based storage device over FireWire, Thunderbolt, USB, or any combination of the three (depending on the model of the Mac).

Single User Mode (Command-S): The macOS kernel passes the -s flag in launchd's argument vector, then launchd creates the single-user shell in the Console app's tty. Note: If the user exits the shell, macOS continues boot to the Login window.

Recovery OS (Command-R): The UEFI firmware loads a minimal macOS from a signed disk image (.dmg) file on the internal storage device.

Internet Recovery OS (Option-Command-R): The signed disk image is downloaded from the Internet using HTTP.

Diagnostics (D): The UEFI firmware loads a minimal UEFI diagnostic environment from a signed disk image file on the internal storage device.

Internet Diagnostics (Option-D): The signed disk image is downloaded from the Internet using HTTP.

Netboot, for Mac computers without an Apple T2 Security Chip (N): The UEFI firmware downloads the macOS booter from a local TFTP server, the booter downloads the macOS kernel from the same TFTP server, and the macOS kernel mounts a file system from an NFS or HTTP network share.

Windows boot (none): If Windows has been installed using Boot Camp, the UEFI firmware hands off to the Windows booter, which hands off to the Windows kernel.
recoveryOS and diagnostics environments in Mac computers

The recoveryOS is completely separate from the main macOS, and the entire contents are stored in a disk image file named BaseSystem.dmg. There is also an associated BaseSystem.chunklist which is used to verify the integrity of the BaseSystem.dmg. The chunklist is a series of hashes for 10 MB chunks of the BaseSystem.dmg. The UEFI firmware evaluates the signature of the chunklist file, and then evaluates the hash for one chunk at a time from the BaseSystem.dmg, to ensure that it matches the signed content present in the chunklist. If any of these hashes does not match, booting from the local recoveryOS is aborted, and the UEFI firmware attempts to boot from Internet Recovery instead.

If the verification completes successfully, the UEFI firmware mounts the BaseSystem.dmg as a ram disk and launches the boot.efi contained therein. There is no need for the UEFI firmware to do a specific check of the boot.efi, nor for the boot.efi to do a check of the kernel, because the complete contents of the OS (of which these elements are only a subset) have already been integrity checked.

The procedure for booting the local diagnostic environment is mostly the same as launching the recoveryOS. Separate AppleDiagnostics.dmg and AppleDiagnostics.chunklist are used, but they are verified the same way as the BaseSystem files. Instead of launching boot.efi, the UEFI firmware launches a file inside the dmg named diags.efi, which is in turn responsible for invoking a variety of other UEFI drivers that can interface with and check for errors in the hardware.
Internet recoveryOS and diagnostics environments in Mac computers

If an error has occurred in the launching of the local recovery or diagnostic environments, the UEFI firmware attempts to download the images from the Internet instead. Additionally, a user can request that the images be fetched from the Internet using special key sequences held at boot. The integrity validation of the disk images and chunklists downloaded from the OS Recovery Server is performed the same way as with images retrieved from a storage device.

While the connection to the OS Recovery Server is done using HTTP, the complete downloaded contents are still integrity checked as previously described, and as such are not vulnerable to manipulation by an attacker with control of the network. In the event that an individual chunk fails integrity verification, it's requested again from the OS Recovery Server 11 times, before giving up and displaying an error.
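As an added example (not Apple's code), the following Python model walks through the chunk-by-chunk check against a signed chunklist and the Internet Recovery fallback with per-chunk retries described above; SHA-256 as the chunk hash, the HMAC stand-in for the chunklist signature, the server behaviour and all image data are constructed assumptions.

```python
"""Model of the chunklist verification used for BaseSystem.dmg, as described above.

Added example, not Apple's code. SHA-256 as the chunk hash, the retry count and the
HMAC stand-in for Apple's chunklist signature are assumptions; image data is constructed.
"""
import hashlib
import hmac
from typing import Callable, List, Optional

CHUNK_SIZE = 10 * 1024 * 1024   # 10 MB chunks, as described for BaseSystem.chunklist
RETRIES = 11                    # a failing chunk is requested again 11 times
CHUNKLIST_KEY = b"constructed-chunklist-signing-key"   # stand-in for Apple's signing key


def build_chunklist(image: bytes, chunk_size: int = CHUNK_SIZE) -> List[bytes]:
    """One SHA-256 digest per chunk of the image (the last chunk may be short)."""
    return [hashlib.sha256(image[i:i + chunk_size]).digest()
            for i in range(0, len(image), chunk_size)]


def sign_chunklist(chunklist: List[bytes]) -> bytes:
    """HMAC stand-in for the vendor signature covering the whole chunklist file."""
    return hmac.new(CHUNKLIST_KEY, b"".join(chunklist), hashlib.sha256).digest()


def verify_image(image: bytes, chunklist: List[bytes], chunk_size: int = CHUNK_SIZE) -> bool:
    """Hash the image one chunk at a time against the signed chunklist; a chunk-count
    mismatch (truncated or padded image) fails too, and the first mismatch aborts."""
    if not chunklist or len(chunklist) != -(-len(image) // chunk_size):
        return False
    for idx, want in enumerate(chunklist):
        got = hashlib.sha256(image[idx * chunk_size:(idx + 1) * chunk_size]).digest()
        if not hmac.compare_digest(got, want):
            return False
    return True


def download_image(chunklist: List[bytes], fetch_chunk: Callable[[int], bytes],
                   retries: int = RETRIES) -> Optional[bytes]:
    """Internet Recovery path: fetch each chunk from the OS Recovery Server, re-request a
    chunk that fails its hash up to `retries` more times, give up (None) if it never verifies."""
    image = bytearray()
    for idx, want in enumerate(chunklist):
        for _attempt in range(1 + retries):
            data = fetch_chunk(idx)
            if hmac.compare_digest(hashlib.sha256(data).digest(), want):
                image += data
                break
        else:
            return None
    return bytes(image)


def boot_recovery(local_image: bytes, chunklist: List[bytes], signature: bytes,
                  fetch_chunk: Callable[[int], bytes], chunk_size: int = CHUNK_SIZE) -> str:
    """Firmware order: chunklist signature, local image, then the Internet fallback."""
    if not hmac.compare_digest(sign_chunklist(chunklist), signature):
        return "error"
    if verify_image(local_image, chunklist, chunk_size):
        return "local"
    return "internet" if download_image(chunklist, fetch_chunk) is not None else "error"


# Constructed demo data: a 40 KB "image" in 4 KB chunks so the run stays quick.
DEMO_CHUNK = 4096
DEMO_IMAGE = bytes(range(256)) * 160
DEMO_CHUNKLIST = build_chunklist(DEMO_IMAGE, DEMO_CHUNK)
DEMO_SIGNATURE = sign_chunklist(DEMO_CHUNKLIST)


def make_flaky_server(image: bytes, bad_chunk: int, failures: int,
                      chunk_size: int = DEMO_CHUNK) -> Callable[[int], bytes]:
    """Server that corrupts `bad_chunk` for its first `failures` requests, then serves it intact."""
    state = {"bad_served": 0}

    def fetch_chunk(idx: int) -> bytes:
        data = image[idx * chunk_size:(idx + 1) * chunk_size]
        if idx == bad_chunk and state["bad_served"] < failures:
            state["bad_served"] += 1
            return bytes([data[0] ^ 0xFF]) + data[1:]
        return data
    return fetch_chunk


def demo() -> dict:
    tampered = bytearray(DEMO_IMAGE)
    tampered[3 * DEMO_CHUNK + 7] ^= 0x01        # one bit flipped inside chunk 3
    tampered = bytes(tampered)
    args = (DEMO_CHUNKLIST, DEMO_SIGNATURE)
    return {
        "local_ok": boot_recovery(DEMO_IMAGE, *args, make_flaky_server(DEMO_IMAGE, 3, 0), DEMO_CHUNK),
        "tampered_falls_back": boot_recovery(tampered, *args, make_flaky_server(DEMO_IMAGE, 3, 5), DEMO_CHUNK),
        "server_gives_up": boot_recovery(tampered, *args, make_flaky_server(DEMO_IMAGE, 3, 12), DEMO_CHUNK),
        "bad_chunklist_sig": boot_recovery(DEMO_IMAGE, DEMO_CHUNKLIST, b"\x00" * 32, make_flaky_server(DEMO_IMAGE, 3, 0), DEMO_CHUNK),
    }
```

With twelve attempts per chunk (one plus eleven retries), a server that corrupts a chunk five times still recovers, while one that corrupts it twelve times produces the error the text describes.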
Microsoft Windows boot in Mac computers

By default, Mac computers that support secure boot trust only content signed by Apple. However, to improve the security of Boot Camp installations, Apple also supports secure booting for Windows. The UEFI firmware includes a copy of the Microsoft Windows Production CA 2011 certificate used to authenticate Microsoft bootloaders.

Note: There is currently no trust provided for the Microsoft Corporation UEFI CA 2011, which would allow verification of code signed by Microsoft partners. This UEFI CA is commonly used to verify the authenticity of bootloaders for other operating systems, such as Linux variants.

Support for secure boot of Windows isn't enabled by default; instead, it's enabled using Boot Camp Assistant (BCA). When a user runs BCA, macOS is reconfigured to trust Microsoft first-party signed code during boot. After BCA completes, if macOS fails to pass the Apple first-party trust evaluation during secure boot, the UEFI firmware attempts to evaluate the trust of the object according to UEFI Secure Boot formatting. If the trust evaluation succeeds, the Mac proceeds and boots Windows. If not, the Mac enters macOS Recovery and informs the user of the trust evaluation failure.
Boot process of Mac computers without an Apple T2 Security Chip

Mac computers without an Apple T2 Security Chip don't support secure boot. Therefore the UEFI firmware loads the macOS booter (boot.efi) from the file system without verification, and the booter loads the kernel (prelinkedkernel) from the file system without verification. To protect the integrity of the boot chain, users should enable all of the following security mechanisms:

- System Integrity Protection: Enabled by default, this protects the booter and kernel against malicious writes from within a running macOS.
- FileVault: This can be enabled in two ways: by the user or by a mobile device management (MDM) administrator. This protects against a physically present attacker using Target Disk Mode to overwrite the booter.
- Firmware Password: This can be enabled in two ways: by the user or by a mobile device management (MDM) administrator. This prevents a physically present attacker from launching alternate boot modes such as recoveryOS, Single User Mode, or Target Disk Mode, from which the booter can be overwritten. This also prevents booting from alternate media, by which an attacker could run code to overwrite the booter.

(Figure: Unlocking process of Mac computers without an Apple T2 Security Chip)
Startup Security Utility

Startup Security Utility overview

Startup Security Utility is a replacement for the previous Firmware Password Utility. On Mac computers with an Apple T2 Security Chip, it handles a larger set of security policy settings. Mac computers without a T2 chip continue to use Firmware Password Utility. The utility is accessible by booting into recoveryOS and selecting Startup Security Utility from the Utilities menu.

The advantage of putting critical system security policy controls (such as secure boot or SIP) in the recoveryOS is that the entire OS is integrity checked. This ensures that any attacker code that has broken into the Mac can't trivially impersonate the user for purposes of further disabling security policies.

(Figure: Startup Security Utility)

Critical policy changes now require authentication, even in Recovery mode. This feature is available only on Mac computers containing the T2 chip. When Startup Security Utility is first opened, it prompts the user to enter an administrator password from the primary macOS installation associated with the currently booted macOS Recovery. If no administrator exists, one must be created before the policy can be changed. The T2 chip requires that the Mac computer is currently booted into macOS Recovery and that an authentication with a Secure Enclave–backed credential has occurred before such a policy change can be made.

Security policy changes have two implicit requirements. macOS Recovery must:

- Be booted from a storage device directly connected to the T2 chip, because partitions on other devices don't have Secure Enclave–backed credentials bound to the internal storage device.
- Reside on an APFS-based volume, because there is support only for storing the Authentication in Recovery credentials sent to the Secure Enclave on the "Preboot" APFS volume of a drive. HFS Plus-formatted volumes can't use secure boot.

This policy is only shown in Startup Security Utility on Mac computers with an Apple T2 Security Chip. Although the majority of use cases shouldn't require changes to the secure boot policy, users are ultimately in control of their device's settings, and may choose, depending on their needs, to disable or downgrade the secure boot functionality on their Mac. Secure boot policy changes made from within this app apply only to the evaluation of the chain of trust being verified on the Intel processor. The option "Secure boot the T2 chip" is always in effect.

Secure boot policy can be configured to one of three settings: Full Security, Medium Security, and No Security. No Security completely disables secure boot evaluation on the Intel processor and allows the user to boot whatever they want.
Full Security boot policy

Full Security is the default, and it behaves like iOS and iPadOS. At the time that software is downloaded and prepared to install, rather than using the global signature which comes with the software, macOS talks to the same Apple signing server used for iOS and iPadOS and requests a fresh, "personalized" signature. A signature is said to be personalized when it includes the ECID, a unique ID specific to the T2 chip in this case, as part of the signing request. The signature which is given back by the signing server is then unique and usable only by that particular T2 chip. When the Full Security policy is in effect, the UEFI firmware ensures that a given signature isn't just signed by Apple, but is signed for this specific Mac, essentially tying that version of macOS to that Mac.

Using an online signing server also provides better protection against rollback attacks than typical global signature approaches. In a global signing system, the security epoch could have rolled many times, but a system that has never seen the latest firmware won't know this. For example, a computer that currently believes it is in security epoch 1 accepts software from security epoch 2, even if the current actual security epoch is 5. With an iOS and iPadOS type of online signing system, the signing server can reject creating signatures for software which is in anything except the latest security epoch.

Additionally, if an attacker discovers a vulnerability after a security epoch change, they can't simply pick up the vulnerable software from a previous epoch off System A and apply it to System B in order to attack it. The fact that the vulnerable software from an older epoch was personalized to System A prevents it from being transferable and thus being used to attack a System B. All these mechanisms work together to provide much stronger guarantees that attackers can't purposely place vulnerable software on a computer in order to circumvent the protections provided by the latest software. But a user who is in possession of an administrator user name and password for the Mac can still always choose the security policy that works best for their use cases.
Medium Security boot policy

Medium Security is somewhat like a traditional UEFI secure boot situation, where a vendor (here, Apple) generates a digital signature for the code to assert it came from the vendor. In this way attackers are prevented from inserting unsigned code. We refer to this signature as a "global" signature, because it can be used on any Mac, for any amount of time, for those Mac computers that currently have a Medium Security policy set. Neither iOS, iPadOS, nor the T2 chip support global signatures.

A limitation of global signature schemes has to do with the prevention of "rollback attacks." In a rollback attack, an attacker places old, but legitimate and correctly signed, software with known vulnerabilities onto a system and then exploits those vulnerabilities to take control of the system. Many global signature systems don't attempt to prevent rollback attacks at all. Those that do often do this through the use of a "security version" or "security epoch." This is a number that is typically covered by the signature, and evaluated after the signature has been verified. The computer needs secure persistent storage to keep track of the largest epoch value it has ever seen in signed code, and to disallow any code, even if it is properly signed, that has an epoch less than this. A vendor wanting to roll the epoch signs software with a new epoch, one that is greater than any contained in previously issued software. Firmware detecting an epoch value greater than the latest observed one in its secure storage updates the value of the epoch in the storage. It then subsequently rejects all previously signed code with epochs less than the latest stored value.

If the system doesn't have secure storage, an attacker can simply roll back the epoch value itself and can then roll back and exploit the software. This is why many systems that do implement epochs store the epoch number in a one-time-programmable fuse array. When the fuses are burned out, the values can't be changed. However, this also has the limitation that an attacker can simply burn all the fuses in order to render all signatures invalid, thereby permanently preventing the operating system from booting.

The Apple global signature scheme doesn't include a security epoch, because those systems are inflexible and frequently cause significant usability issues. Protection against rollback attacks is better achieved by Full Security mode, which is the default, and very similar in behavior to iOS and iPadOS. Users who want to take advantage of anti-rollback protection should retain the default Full Security policy. However, the Medium Security mode is made available for those users who may not be able to take advantage of Full Security mode.
Media boot policy

Media boot policy is only shown on Mac computers with an Apple T2 Security Chip and is completely independent from the secure boot policy. Even if a user disables secure boot, this doesn't change the default behavior of disallowing boot from anything other than the storage device directly connected to the T2 chip.

Historically, Mac computers have been able to boot from an external device by default. This approach would allow an attacker with physical possession of the device to run arbitrary code from the booted volume. The combination of protections like FileVault and Secure Boot makes it so that there are no known architectural weaknesses through which an attacker running from an external volume can access the user's data without knowledge of that user's password. However, having even temporary arbitrary code execution can allow an attacker to manipulate the Mac in ways that can stage attacker-controlled data to exploit vulnerabilities that are unknown to Apple. Arbitrary code execution can thus possibly lead to a user boot being compromised and to subsequent user data compromise.

Apple changed the policy for external boot on Mac computers with a T2 chip to default-deny, with the ability to opt out. On Mac computers without a T2 chip, users could always set a firmware password to opt in to this default-deny behavior. However, firmware passwords were not well known and received very little adoption. With this policy change, Apple is changing the behavior of the Mac to give the best protection possible by default, rather than putting the onus on users to opt in.
Firmware Password protection

macOS supports the use of a Firmware Password to prevent unintended modifications of firmware settings on a specific Mac. The Firmware Password is used to prevent selecting alternate boot modes such as booting into recoveryOS or Single-User mode, booting from an unauthorized volume, or booting into Target Disk Mode.

The most basic mode of Firmware Password can be reached from the recoveryOS Firmware Password Utility on Mac computers without an Apple T2 Security Chip, and from the Startup Security Utility on Mac computers with a T2 chip. Advanced options (such as the ability to prompt for the password at every boot) are available from the firmwarepasswd command-line tool in macOS.

As described in Boot process of Mac computers without an Apple T2 Security Chip, setting a Firmware Password is especially important to reduce the risk of attacks on Mac computers without a T2 chip via a physically present attacker (such as in a computer lab or office environment). The firmware password can stop an attacker from booting to recoveryOS, from where they can disable System Integrity Protection. And by restricting boot of alternative media, an attacker can't execute privileged code from another OS in order to attack peripheral firmwares.

A Firmware Password reset mechanism exists to help users who forget their password. Users press a key combination at boot, and are presented with a model-specific string to provide to AppleCare. AppleCare digitally signs a resource that is signature-checked by the Uniform Resource Identifier (URI). If the signature validates and the content is for the specific Mac, the UEFI firmware removes the Firmware Password.

For users who want no one but themselves to remove their Firmware Password by software means, the -disable-reset-capability option has been added to the firmwarepasswd command-line tool in macOS 10.15. Before setting this option, users must acknowledge that if the password is forgotten and needs removal, the user must bear the cost of the motherboard replacement necessary to achieve this.

Organizations that want to protect their Mac computers from external attackers and from employees must set a Firmware Password on organization-owned systems. This can be accomplished on the device:

- At provisioning time, by manually using the firmwarepasswd command-line tool
- With third-party management tools that use the firmwarepasswd command-line tool
- Using mobile device management (MDM)

Secure software updates

Secure software updates overview

Apple regularly releases software updates to address emerging security concerns and to provide new features; these updates are generally provided for all supported devices simultaneously. Users of iOS and iPadOS devices receive update notifications on the device and through iTunes (in macOS 10.14 or earlier) or the Finder (macOS 10.15 or later). macOS updates are available in System Preferences. Updates are delivered wirelessly, for rapid adoption of the latest security fixes.

The startup process helps ensure that only Apple-signed code is being installed. For example, System Software Authorization ensures that only legitimate copies of operating system versions that are actively being signed by Apple can be installed on iOS and iPadOS devices, or on Mac computers with the Full Security setting configured as the secure boot policy in the Startup Security Utility. This system prevents iOS and iPadOS devices from being downgraded to older versions that lack the latest security updates, and can be used by Apple to prevent similar downgrades in macOS. Without this protection, an attacker who gains possession of a device could install an older version of iOS or iPadOS and exploit a vulnerability that's been fixed in newer versions.

In addition, when a device is physically connected to a Mac, a full copy of iOS or iPadOS is downloaded and installed. But for over-the-air (OTA) software updates, only the components required to complete an update are downloaded, improving network efficiency by not downloading the entire OS. Additionally, software updates can be cached on a Mac running macOS 10.13 or later with Content Caching turned on, so that iOS and iPadOS devices don't need to redownload the necessary update over the Internet. They'll still need to contact Apple servers to complete the update process.
Secure software update process

During upgrades, the device connects to the Apple installation authorization server and sends a list of cryptographic measurements for each part of the installation bundle to be installed (for example, iBoot, the kernel, and OS image), a random anti-replay value (nonce), and the device's unique Exclusive Chip Identification (ECID). The authorization server checks the presented list of measurements against versions for which installation is permitted and, if it finds a match, adds the ECID to the measurement and signs the result. The server passes a complete set of signed data to the device as part of the upgrade process. Adding the ECID "personalizes" the authorization for the requesting device. By authorizing and signing only for known measurements, the server ensures that the update takes place exactly as Apple provided.

The boot-time chain-of-trust evaluation verifies that the signature comes from Apple and that the measurement of the item loaded from the storage device, combined with the device's ECID, matches what was covered by the signature. These steps ensure that the authorization is for a specific device and that an older iOS, iPadOS, or Apple T2 Security Chip firmware version from one device can't be copied to another. The nonce prevents an attacker from saving the server's response and using it to tamper with a device or otherwise alter the system software.

On a device with Secure Enclave, the Secure Enclave coprocessor also uses System Software Authorization to ensure the integrity of its software and prevent downgrade installations.
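An added Python model of the personalized authorization flow (not Apple's code), serving both the Full Security boot policy discussion and the update process above: it shows how binding the ECID, the nonce and the measurements into one signature refuses rollback, cross-device transfer, post-authorization tampering and replay. The HMAC-based signature, build contents, ECIDs and key material are constructed stand-ins, since the page does not describe the actual signature format.

```python
"""Model of personalized System Software Authorization (Full Security boot policy
and the secure software update process described above).

Added example, not Apple's code. HMAC-SHA256 stands in for Apple's signing key pair;
the point shown is what the signature binds (measurements, ECID, nonce), not the
algorithm. Build contents, ECIDs and key material are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

SIGNING_KEY = b"constructed-apple-authorization-key"   # shared here; a key pair in reality
Measurements = Dict[str, str]                          # component name -> hex SHA-256
Ticket = Tuple[str, Measurements, str]                 # (nonce, measurements, signature)


def measure_all(components: Dict[str, bytes]) -> Measurements:
    return {name: hashlib.sha256(data).hexdigest() for name, data in components.items()}


def _signature(ecid: str, nonce: str, measurements: Measurements) -> str:
    """Signature over the measurements plus the requesting device's ECID and nonce."""
    items = ",".join(f"{k}={v}" for k, v in sorted(measurements.items()))
    msg = f"ecid={ecid};nonce={nonce};{items}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


class AuthorizationServer:
    """Signs only measurement sets of builds Apple is currently signing."""

    def __init__(self, permitted_builds: Dict[str, Measurements]):
        self.permitted = permitted_builds

    def authorize(self, ecid: str, nonce: str, measurements: Measurements) -> Optional[str]:
        if measurements not in self.permitted.values():
            return None                      # not a permitted version: refuse to sign
        return _signature(ecid, nonce, measurements)


class Device:
    def __init__(self, ecid: str):
        self.ecid = ecid
        self.storage: Dict[str, bytes] = {}
        self.ticket: Optional[Ticket] = None

    def install(self, server: AuthorizationServer, components: Dict[str, bytes]) -> bool:
        nonce = secrets.token_hex(8)         # fresh anti-replay value for this request
        measurements = measure_all(components)
        signature = server.authorize(self.ecid, nonce, measurements)
        if signature is None:
            return False
        self.storage = dict(components)
        self.ticket = (nonce, measurements, signature)
        return True

    def boot(self) -> bool:
        """Boot-time chain-of-trust evaluation against the personalized ticket."""
        if self.ticket is None:
            return False
        nonce, measurements, signature = self.ticket
        # The signature must verify for this device's ECID and this nonce ...
        if not hmac.compare_digest(_signature(self.ecid, nonce, measurements), signature):
            return False
        # ... and every item loaded from storage must match its signed measurement.
        return measure_all(self.storage) == measurements


def demo() -> Dict[str, bool]:
    old_build = {"iBoot": b"iBoot v1", "kernel": b"kernel v1", "os": b"os v1"}
    new_build = {"iBoot": b"iBoot v2", "kernel": b"kernel v2", "os": b"os v2"}
    server = AuthorizationServer({"old": measure_all(old_build), "new": measure_all(new_build)})

    device_a = Device("ECID-A")
    installed_old = device_a.install(server, old_build) and device_a.boot()

    del server.permitted["old"]              # epoch rolls: the old build is no longer signed
    device_b = Device("ECID-B")
    rollback_refused = not device_b.install(server, old_build)

    # Copying A's authorized old build, ticket included, onto B does not boot B.
    device_b.storage, device_b.ticket = dict(device_a.storage), device_a.ticket
    transfer_refused = not device_b.boot()

    # Replacing one component on A after authorization fails the measurement check.
    device_a.storage["kernel"] = b"kernel v1 (modified)"
    tamper_refused = not device_a.boot()

    # A saved server response cannot be reused under a fresh nonce.
    device_c = Device("ECID-C")
    device_c.install(server, new_build)
    _, measurements, saved_signature = device_c.ticket
    device_c.ticket = (secrets.token_hex(8), measurements, saved_signature)
    replay_refused = not device_c.boot()

    return {"installed_old": installed_old, "rollback_refused": rollback_refused,
            "transfer_refused": transfer_refused, "tamper_refused": tamper_refused,
            "replay_refused": replay_refused}
```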
OS integrity in iOS and iPadOS

iOS and iPadOS system security overview

Apple designed the iOS platform with security at its core. When we set out to create the best possible mobile platform, we drew from decades of experience to build an entirely new architecture. We thought about the security hazards of the desktop environment and established a new approach to security in the design of iOS. We developed and incorporated innovative features that tighten mobile security and protect the entire system by default. As a result, iOS and subsequently iPadOS are a major leap forward in security for mobile devices.
Kernel Integrity Protection

After the iOS and iPadOS kernels complete initialization, Kernel Integrity Protection (KIP) is enabled to prevent modifications of kernel and driver code. The memory controller provides a protected physical memory region that iBoot uses to load the kernel and kernel extensions. After boot completes, the memory controller denies writes to the protected physical memory region. Additionally, the application processor's Memory Management Unit (MMU) is configured to prevent mapping privileged code from physical memory outside the protected memory region, and to prevent writeable mappings of physical memory within the kernel memory region. To prevent reconfiguration, the hardware used to enable KIP is locked after the boot process is complete. KIP is supported on SoCs starting with the Apple A10 and S4.

For the Apple A11 Bionic SoC, a new hardware primitive has been introduced. This primitive includes a CPU register that quickly restricts permissions per thread. With these fast permission restrictions (or APRR), iOS and iPadOS are able to remove execute permissions from memory, without the overhead of a system call and a page table walk or flush.

System Coprocessor Integrity Protection

Coprocessor firmware handles many critical system tasks, for example, the Secure Enclave, the image sensor processor, and the Motion coprocessor. Therefore its security is a key part of the security of the overall system. To prevent modification of coprocessor firmware, Apple uses a mechanism called System Coprocessor Integrity Protection (SCIP), supported on SoCs starting with the Apple A12 and S4 SoCs.

SCIP works much like Kernel Integrity Protection: At boot time, iBoot loads each coprocessor's firmware into a protected memory region, one that's reserved, and separate from the KIP region. iBoot configures each coprocessor's memory unit to prevent:

- Executable mappings outside its part of the protected memory region
- Writeable mappings inside its part of the protected memory region

Also at boot time, to configure SCIP for the Secure Enclave, the Secure Enclave operating system is used. After the boot process is complete, the hardware used to enable SCIP is locked to prevent reconfiguration.
Pointer Authentication Codes

Pointer authentication codes (PACs) are supported starting with the Apple A12 and S4 SoCs and used to protect against exploitation of memory corruption bugs. System software and built-in apps use PAC to prevent modification of function pointers and return addresses (code pointers). PAC uses five secret 128-bit values to sign kernel instructions and data, and each userspace process has its own B keys. Items are salted and signed as indicated below:

Item                          Key   Salt
Function Return Address       IB    Storage address
Function Pointers             IA    0
Block Invocation Function     IA    Storage address
Objective-C Method Cache      IB    Storage address + Class + Selector
C++ V-Table Entries           IA    Storage address + Hash (mangled method name)
Computed Goto Label           IA    Hash (function name)
Kernel Thread State           GA    (none)
User Thread State Registers   IA    Storage address
C++ V-Table Pointers          DA    0

The signature value is stored in the unused padding bits at the top of the 64-bit pointer. The signature is verified before use, and the padding is restored to ensure a functioning pointer address. Failure to verify results in a special value being set which invalidates the address, and in iOS 13 and iPadOS 13.1 it aborts. This verification increases the difficulty of many attacks, such as a Return Oriented Programming (ROP) attack, which attempts to trick the device into executing existing code maliciously by manipulating function return addresses stored on the stack.
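An added Python model of the PAC scheme in the table above (not Apple's or Arm's code): it signs a return address with the IB key salted by its stack slot and a function pointer with the IA key and salt 0, then shows which moves and overwrites fail verification and how a failure either poisons the pointer or aborts. The 16-bit PAC width, the HMAC-based PAC function, the poison bit and the key values are constructed assumptions.

```python
"""Model of pointer authentication codes (PAC) as laid out in the table above.

Added example, not Apple's or Arm's code: the 16-bit PAC width, HMAC-SHA256 as the
PAC function, the poison bit and the key values are constructed; the page does not
describe the hardware primitive or its key material.
"""
import hashlib
import hmac
from typing import Dict

PAC_BITS = 16                        # unused top bits of the 64-bit pointer hold the PAC
ADDR_BITS = 64 - PAC_BITS
ADDR_MASK = (1 << ADDR_BITS) - 1
PAC_MASK = (1 << PAC_BITS) - 1
POISON_BIT = 1 << (ADDR_BITS + 1)    # set on failure: the address is no longer canonical

# Constructed 128-bit keys named as in the table: IA/IB (instruction), DA (data), GA (generic).
KEYS: Dict[str, bytes] = {
    name: hashlib.sha256(b"constructed-pac-key-" + name.encode()).digest()[:16]
    for name in ("IA", "IB", "DA", "GA")
}


class PointerAuthFailure(Exception):
    """Raised in strict mode, modelling the abort on iOS 13 and iPadOS 13.1."""


def compute_pac(key: bytes, pointer: int, salt: int) -> int:
    """PAC over (pointer, salt), truncated to PAC_BITS; stand-in for the hardware function."""
    msg = pointer.to_bytes(8, "little") + salt.to_bytes(8, "little")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "little") & PAC_MASK


def sign_pointer(key: bytes, pointer: int, salt: int) -> int:
    if pointer & ~ADDR_MASK:
        raise ValueError("pointer already carries bits where the PAC goes")
    return pointer | (compute_pac(key, pointer, salt) << ADDR_BITS)


def auth_pointer(key: bytes, signed: int, salt: int, strict: bool = False) -> int:
    """Verify the PAC and restore the padding; on failure poison the pointer or abort."""
    pointer = signed & ADDR_MASK
    width = (PAC_BITS + 7) // 8
    expected = compute_pac(key, pointer, salt).to_bytes(width, "little")
    presented = (signed >> ADDR_BITS).to_bytes(width, "little")
    if hmac.compare_digest(expected, presented):
        return pointer
    if strict:
        raise PointerAuthFailure(hex(signed))
    return pointer | POISON_BIT


def is_canonical(pointer: int) -> bool:
    return pointer >> ADDR_BITS == 0


# Table rows: return addresses use IB salted with the storage (stack slot) address,
# function pointers use IA with salt 0.
def sign_return_address(target: int, slot: int) -> int:
    return sign_pointer(KEYS["IB"], target, slot)


def auth_return_address(signed: int, slot: int) -> int:
    return auth_pointer(KEYS["IB"], signed, slot)


def sign_function_pointer(target: int) -> int:
    return sign_pointer(KEYS["IA"], target, 0)


def auth_function_pointer(signed: int) -> int:
    return auth_pointer(KEYS["IA"], signed, 0)


def demo() -> Dict[str, bool]:
    target = 0x1_0000_4000                        # legitimate return site / function
    slot_a, slot_b = 0x7FFF_FF00, 0x7FFF_FE00     # two stack slots (storage addresses)
    ra_a = sign_return_address(target, slot_a)
    fp = sign_function_pointer(target)
    results = {
        "legit_return": auth_return_address(ra_a, slot_a) == target,
        # A signed value copied from frame A into frame B carries the wrong salt.
        "moved_return_poisoned": not is_canonical(auth_return_address(ra_a, slot_b)),
        # A raw address written over the slot has no valid PAC.
        "raw_return_poisoned": not is_canonical(auth_return_address(target, slot_a)),
        # Salt 0 lets a function pointer be stored anywhere and still verify.
        "function_pointer_relocatable": auth_function_pointer(fp) == target,
        # An IA-signed value is not accepted where an IB-signed one is expected.
        "wrong_key_poisoned": not is_canonical(auth_return_address(fp, slot_a)),
    }
    try:
        auth_pointer(KEYS["IB"], target, slot_a, strict=True)
        results["strict_aborts"] = False
    except PointerAuthFailure:
        results["strict_aborts"] = True
    return results
```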
Page Protection Layer

Page Protection Layer (PPL) in iOS and iPadOS protects userland code from modification after code signature verification completes. It builds on KIP and APRR to carefully manage the page table permission overrides to make sure only the PPL can alter protected pages containing user code and page tables. The system provides a massive reduction in attack surface by supporting systemwide code integrity enforcement, even in the face of a compromised kernel.
OS integrity in macOS

macOS system security overview

Apple designed the macOS platform with an integrated approach to hardware, software, and services that provides security by design and makes it simple to configure, deploy, and manage. macOS includes the key security technologies that an IT professional needs to help protect corporate data and integrate within secure enterprise networking environments. Apple has also worked with standards bodies to ensure compliance with the latest security certifications.

Mac firmware security

UEFI firmware security overview

Since 2006, Mac computers with an Intel-based CPU use an Intel firmware based on the Extensible Firmware Interface (EFI) Development Kit (EDK) version 1 or version 2. EDK2-based code conforms to the Unified Extensible Firmware Interface (UEFI) specification. This section refers to the Intel firmware as the UEFI firmware. The UEFI firmware was the first code to execute on the Intel chip.

In order to prevent attacks that physically attach to the firmware storage chip that stores UEFI firmware, Mac computers were rearchitected starting in 2017 to root the trust in the UEFI firmware stored in the Apple T2 Security Chip. On these Mac computers, the root of trust for the UEFI firmware is specifically the T2 firmware. This design relies on the T2 to protect the UEFI firmware (and Secure Boot as a whole) from persistent infection, in much the same way that boot is protected by the A-series SoCs in iOS and iPadOS.

For Mac computers without the Apple T2 Security Chip, the root of trust for the UEFI firmware is the chip where the firmware is stored. UEFI firmware updates are digitally signed by Apple and verified by the firmware before updating the storage. To prevent rollback attacks, updates must always have a version newer than the existing one. However, an attacker with physical access to the Mac could use hardware to attach to the firmware storage chip and update the chip to contain malicious content. Likewise, if vulnerabilities are found in the early boot process of the UEFI firmware (before it write-restricts the storage chip), this could also lead to persistent infection of the UEFI firmware. This is a hardware architectural limitation common in most Intel-based PCs which is present in all Mac computers without the T2 chip.

To address this limitation, Mac computers were rearchitected to root the trust in the UEFI firmware in the Apple T2 Security Chip. On these Mac computers, the root of trust for the UEFI firmware is specifically the T2 firmware, as described in the macOS boot section. To achieve a persistent UEFI firmware infection, an attacker would need to achieve a persistent T2 firmware infection.
Intel Management Engine (ME)

One subcomponent which is stored within the UEFI firmware is the Intel Management Engine (ME) firmware. The ME, a separate processor and subsystem within Intel chips, can be used for remote management, protected audio and video, and security enhancement. To reduce the ME's attack surface, Mac computers run a custom ME firmware from which the majority of components have been removed. This allows the Mac ME firmware to be smaller than the default minimal build that Intel makes available. Consequently, many components (such as Active Management Technology) that have been the subject of public attacks by security researchers in the past are not present within Mac ME firmware. The primary use of the ME is audio and video copyright protection on Mac computers that have only Intel-based graphics.
System Management Mode (SMM)

Intel processors have a special execution mode that is distinct from normal operation. Called System Management Mode (SMM), it was originally introduced to handle time-sensitive operations such as power management. However, to perform such actions, Mac computers have historically used a discrete microcontroller called the System Management Controller (SMC). The SMC is no longer a separate microcontroller; it has been integrated into the Apple T2 Security Chip.

On PCs that support secure boot, SMM serves an additional role as a protected execution environment that can be given exclusive access to security-sensitive content such as write access to the code and security policy stored on the UEFI firmware storage chip. As such, it's often in an attacker's interest to break into the SMM execution environment as a form of privilege escalation, to perform operations that a kernel can't and thus potentially compromise secure boot. On Mac computers, the SMM execution environment is used as little as possible, and isn't treated as a security boundary for secure boot purposes. Therefore even if SMM is compromised, Secure Boot is unaffected. On the T2 chip, the privilege boundary is instead the action that the chip can perform exclusively.
DMA protections

To achieve high throughput on high-speed interfaces like PCIe, FireWire, Thunderbolt, and USB, computers must support Direct Memory Access (DMA) from peripherals. That is, they must be able to read and write to RAM without continuous involvement of the Intel CPU. Since 2012, Mac computers have implemented numerous technologies to protect DMA, resulting in the best and most comprehensive set of DMA protections on any PC.

Intel Virtualization Technology for Directed I/O (VT-d) is a technology which has been supported since 2012 on Mac computers, and was first used in OS X 10.9 in order to protect the kernel from being overwritten in memory by malicious peripherals. However, malicious peripherals can also overwrite code and data while the UEFI firmware is running in order to compromise boot security. macOS 10.12.3 updated the UEFI firmware for all VT-d-capable Mac computers to use VT-d to protect against malicious FireWire and Thunderbolt peripherals. It also isolates peripherals so that they can see only their own memory ranges, not the memory of other peripherals. For example, an Ethernet peripheral running in UEFI can't read the memory of a storage peripheral.

DMA protections in UEFI firmware were further improved in macOS 10.13 to move the initialization earlier in the UEFI firmware startup sequence to protect against:

- Malicious internal peripheral processors on the PCIe bus
- A class of Message Signaled Interrupt (MSI) attacks presented by security researchers

All Mac computers with the Apple T2 Security Chip come with further improved DMA protections, where the initialization is performed as early as possible. Specifically, the protection is enabled before any RAM is even available to the UEFI firmware. This protects against any compromised PCIe bus zero devices (such as the Intel ME) that may be running and capable of DMA at the instant that RAM becomes available. This protection was also added to Mac computers without a T2 chip in macOS 10.15.
Option ROMs

Both Thunderbolt and PCIe devices can have an "Option ROM" (OROM) physically attached to the device. (This is typically not a true ROM, but instead a rewritable chip that stores firmware.) On UEFI-based systems, that firmware is typically a UEFI driver, which is read in by the UEFI firmware and executed. The executed code is supposed to initialize and configure the hardware it was retrieved from, so that the hardware can be made usable by the rest of the firmware. This capability is required so that specialized third-party hardware can load and operate during the earliest boot phases, for example, to boot from external RAID arrays.

However, because OROMs are generally rewritable, if an attacker overwrites the OROM of a legitimate peripheral, the attacker's code would execute early in the boot process, and be able to tamper with the execution environment and violate the integrity of subsequently loaded software. Likewise, if the attacker introduces their own malicious device to the system, they would also be able to execute malicious code.

In macOS 10.12.3, the behavior of Mac computers sold after 2011 was changed to not execute OROMs by default at the time the Mac booted, unless a special key combination was pressed. This key combination protected against malicious OROMs being inadvertently introduced into the macOS boot sequence. The default behavior of the Firmware Password Utility was also changed so that when the user set a firmware password, OROMs couldn't execute even if the key combination was pressed. This protected against a physically present attacker intentionally introducing a malicious OROM. For users who still need to run OROMs while they have a firmware password set, a nondefault option can be configured using the firmwarepasswd command-line tool in macOS.

(Figure: Option ROM (OROM) sandboxing)

OROM sandbox

In macOS 10.15, UEFI firmware was updated to contain a mechanism for sandboxing and deprivileging OROMs. UEFI firmware typically executes all code, including OROMs, at the maximum Intel CPU privilege level, called ring 0, with a single shared virtual memory space for all code and data. Ring 0 is also the privilege level at which the macOS kernel runs, whereas the lower privilege level, ring 3, is where apps run. The OROM sandbox deprivileges OROMs by making use of virtual memory separation like the kernel does, and then making the OROMs run in ring 3.

The sandbox further significantly restricts both the interfaces that the OROMs can call (which is similar to system call filtering in kernels), and the type of device that an OROM can register as (which is similar to app whitelisting). The benefit of this design is that malicious OROMs can no longer directly write anywhere within ring 0 memory, and are instead limited to a very narrow and well-defined sandbox interface. This limited interface significantly reduces attack surface and forces attackers to first escape the sandbox and escalate privilege.
Peripheral firmware security

Mac computers have many built-in peripheral processors dedicated to tasks such as networking, graphics, power management, or managing data buses like USB or Thunderbolt. Often peripheral firmware is single-purpose, and much less powerful than the Intel CPU. However, built-in peripherals that don't implement sufficient security become a target for attackers seeking even easier targets to exploit and then persistently infect the operating system. Having infected a peripheral processor firmware, an attacker could target software on the Intel CPU, or directly capture sensitive data (for example, an Ethernet device could see the contents of packets which aren't encrypted).

Apple strategically works with third-party vendors to reduce (wherever possible) the number of peripheral processors necessary, or to avoid designs that require firmware. But when firmware is required, efforts are taken to ensure an attacker can't persist on that processor. This can be achieved:
- By running the processor in a mode where it downloads verified firmware from the Intel CPU on startup
- By ensuring the peripheral processor implements its own secure boot chain where it verifies its own firmware on every boot

Apple works with vendors to audit their implementations, and enhance their designs to include desired properties such as:
- Ensuring minimum cryptographic strengths
- Strong revocation of known bad firmware
- Disabling debug interfaces
- Signing the firmware with cryptographic keys that are stored in Apple-controlled Hardware Security Modules (HSMs)

In recent years Apple has worked with some external vendors to adopt the same "Image4" data structures, verification code, and signing infrastructure used by iOS, iPadOS, and Mac computers with the Apple T2 Security Chip. When neither storage-free operation nor storage plus secure boot is an option, the design mandates that firmware updates be cryptographically signed and verified before the persistent storage can be updated.
Mandatory access controls

macOS also uses mandatory access controls—policies that set security restrictions, created by the developer, that can't be overridden. This approach is different from discretionary access controls, which permit users to override security policies according to their preferences. Mandatory access controls aren't visible to users, but they're the underlying technology that helps enable several important features, including sandboxing, parental controls, managed preferences, extensions, and System Integrity Protection.
System Integrity Protection

OS X 10.11 or later includes system-level protection, called System Integrity Protection, which restricts components to read-only in specific critical file system locations to prevent malicious code from modifying them. System Integrity Protection is a computer-specific setting that's on by default when a user upgrades to OS X 10.11 or later; disabling it removes protection for all partitions on the physical storage device. macOS applies this security policy to every process running on the system, regardless of whether it's running sandboxed or with administrative privileges.
Kernel extensions

Kernel extensions (KEXTs) are no longer recommended for macOS. KEXTs risk the integrity and reliability of the operating system, and users should prefer solutions that don't require extending the kernel. macOS 10.15 supports the ability for developers to extend the capabilities of macOS by installing and managing system extensions that run in user space rather than at the kernel level. By running in user space, system extensions increase the stability and security of macOS. While KEXTs inherently have full access to the entire operating system, extensions running in user space are granted only the privileges necessary to perform their specified function.

Developers can use frameworks including DriverKit, Endpoint Security, and Network Extension to write USB and human interface drivers, endpoint security tools (like data loss prevention or other endpoint agents), and VPN and network tools—all without needing to write KEXTs. Third-party security agents should be used only if they take advantage of these APIs or have a robust roadmap to transition to them and away from kernel extensions.

macOS still provides a kernel extension mechanism to allow dynamic loading of code into the kernel without the need to recompile or relink. To improve security, user consent is required to load kernel extensions installed with or after installing macOS 10.13. This is known as User-Approved Kernel Extension Loading. Administrator authorization is required to approve a kernel extension. Kernel extensions don't require authorization if they:
- Were installed on the Mac before upgrading to macOS 10.13
- Are replacing previously approved extensions
- Are allowed to load without user consent by using the spctl command-line tool available when booted from macOS Recovery
- Are allowed to load using mobile device management (MDM) configuration

Starting with macOS 10.13.2, users can use MDM to specify a list of kernel extensions that load without user consent. This option requires a Mac running macOS 10.13.2 that's enrolled in MDM—through Apple School Manager, Apple Business Manager, or user-approved MDM enrollment.
System security in watchOS

watchOS system security overview

Apple Watch uses the security features and technology built for iOS and iPadOS to help protect data on the device, and to protect communication with its paired iPhone and with the Internet. This includes technologies such as Data Protection and Keychain access control. The user's passcode is also entangled with the device UID to create encryption keys.

Pairing Apple Watch with iPhone is secured using an out-of-band (OOB) process to exchange public keys, followed by the Bluetooth Low Energy (BLE) link shared secret. Apple Watch displays an animated pattern, which is captured by the camera on iPhone. The pattern contains an encoded secret that is used for BLE 4.1 out-of-band pairing. Standard BLE Passkey Entry is used as a fallback pairing method, if necessary.

After the BLE session is established and encrypted using the highest security protocol available in Bluetooth Core Specification, Apple Watch and iPhone exchange keys using a process adapted from Apple Identity Service (IDS), as described in iMessage overview. After keys have been exchanged, the Bluetooth session key is discarded and all communications between Apple Watch and iPhone are encrypted using IDS—with the encrypted Bluetooth, Wi-Fi, and Cellular links providing a secondary encryption layer. The Low Energy Bluetooth Address is rotated at 15-minute intervals to reduce the risk of local tracking of the device using the broadcast of a persistent identifier.

To support apps that need streaming data, encryption is provided using methods described in FaceTime, utilizing either the IDS service provided by the paired iPhone or a direct Internet connection.

Apple Watch implements hardware-encrypted storage and class-based protection of files and Keychain items, as described in the Encryption and Data Protection section of this paper. Access-controlled keybags for Keychain items are also used. Keys used for communications between the watch and iPhone are also secured using class-based protection.

When Apple Watch isn't within Bluetooth range, Wi-Fi or cellular can be used instead. Apple Watch automatically joins Wi-Fi networks that have already been joined on the paired iPhone and whose credentials have synced to the Apple Watch while both devices were in range. This Auto-Join behavior can then be configured on a per network basis in the Wi-Fi section of the Apple Watch Settings app. Wi-Fi networks that have never been joined before on either device can be manually joined in the Wi-Fi section of the Apple Watch Settings app.

When Apple Watch and iPhone are out of range, Apple Watch connects directly to iCloud and Gmail servers to fetch Mail, as opposed to syncing Mail data with the paired iPhone over the Internet. For Gmail accounts, the user is required to authenticate to Google in the Mail section of the Watch app on iPhone. The OAuth token received from Google is sent over to Apple Watch in encrypted format over Apple Identity Service (IDS) so it can be used to fetch Mail. This OAuth token is never used for connectivity with the Gmail server from the paired iPhone.

If wrist detection is enabled, the device locks automatically shortly after it's removed from the user's wrist. If wrist detection is disabled, Control Center provides an option for locking Apple Watch. When Apple Watch is locked, Apple Pay can be used only by entering the watch's passcode. Wrist detection is turned off using the Apple Watch app on iPhone. This setting can also be enforced using a mobile device management (MDM) solution.

The paired iPhone can also unlock the watch, provided the watch is being worn. This is accomplished by establishing a connection authenticated by the keys established during pairing. iPhone sends the key, which the watch uses to unlock its Data Protection keys. The watch passcode isn't known to iPhone nor is it transmitted. This feature can be turned off using the Apple Watch app on iPhone.

Apple Watch can be paired with only one iPhone at a time. iPhone communicates instructions to erase all content and data from Apple Watch when unpaired.

Apple Watch can be configured for a system software update the same night. For more information on how the Apple Watch passcode gets stored and used during the update, see Keybags.

Enabling Find My on the paired iPhone also allows the use of Activation Lock on Apple Watch. Activation Lock makes it harder for anyone to use or sell an Apple Watch that has been lost or stolen. Activation Lock requires the user's Apple ID and password to unpair, erase, or reactivate an Apple Watch.
Apple Watch usage with macOS

Auto Unlock with Apple Watch in macOS

Users with Apple Watch can use it to automatically unlock their Mac. Bluetooth Low Energy (BLE) and peer-to-peer Wi-Fi allow Apple Watch to securely unlock a Mac after ensuring proximity between the devices. This requires an iCloud account with two-factor authentication (TFA) configured.

When enabling an Apple Watch to unlock a Mac, a secure link using Auto Unlock Identities is established. The Mac creates a random one-time-use unlock secret and transmits it to the Apple Watch over the link. The secret is stored on Apple Watch and can only be accessed when Apple Watch is unlocked. The unlock token is not the user's password.

During an unlock operation, the Mac uses BLE to create a connection to the Apple Watch. A secure link is then established between the two devices using the shared keys used when it was first enabled. The Mac and Apple Watch then use peer-to-peer Wi-Fi and a secure key derived from the secure link to determine the distance between the two devices. If the devices are within range, the secure link is then used to transfer the preshared secret to unlock the Mac. After successful unlock, the Mac replaces the current unlock secret with a new one-time use unlock secret and transmits the new unlock secret to the Apple Watch over the link.
Approve with Apple Watch

When Auto Unlock with Apple Watch is enabled, the Apple Watch can be used in place of or together with Touch ID to approve authorization and authentication prompts from:
- macOS and Apple apps that request authorization
- Third-party apps that request authentication
- Saved Safari passwords
- Secure Notes

Encryption and Data Protection

Encryption and Data Protection overview

The secure boot chain, system security, and app security capabilities all help to ensure that only trusted code and apps run on a device. Apple devices have additional encryption features to safeguard user data, even when other parts of the security infrastructure have been compromised (for example, if a device is lost or is running untrusted code). All of these features benefit both users and IT administrators, protecting personal and corporate information at all times and providing methods for instant and complete remote wipe in the case of device theft or loss.

iOS and iPadOS devices use a file encryption methodology called Data Protection, while the data on Mac computers is protected with a volume encryption technology called FileVault. Both models similarly root their key management hierarchies in the dedicated silicon of the Secure Enclave (on devices that include a SEP), and both models leverage a dedicated AES engine to support line-speed encryption and to ensure that long-lived encryption keys never need to be provided to the kernel OS or CPU (where they might be compromised).

In addition, the operating system kernels enforce access controls to prevent unauthorized access to data. These controls most often take the form of sandboxing apps (which restrict what data an app can access), as well as enforcing Data Vaults. Data vaults can be thought of as inverted sandboxes. Rather than restricting the calls an app can make, Data Vaults restrict access to the protected data (again, enforced by the kernel independent of file encryption) regardless of whether the originating process is itself sandboxed or not.
How Apple protects users' personal information

In addition to encrypting data at rest, Apple devices help prevent apps from accessing a user's personal information without permission using various techniques including Data Vault. In Settings in iOS, iPadOS, or System Preferences in macOS, users can see which apps they have permitted to access certain information, as well as grant or revoke any future access. Access is enforced in the following:
- iOS, iPadOS, and macOS: Calendars, Camera, Contacts, Microphone, Photos, Reminders, Speech recognition
- iOS and iPadOS: Bluetooth, Home, Media, Media apps and Apple Music, Motion and fitness
- iOS and watchOS: Health
- macOS: Input monitoring (for example, keyboard strokes), Prompt, Screen recording (for example, static screenshots and video), System Preferences

Starting in iOS 13.4 and iPadOS 13.4, all third party apps automatically have their data protected in a Data Vault. This helps protect against unauthorized access to the data even from processes that are not themselves sandboxed.

If the user signs into iCloud, apps in iOS and iPadOS are granted access by default to iCloud Drive. Users may control each app's access under iCloud in Settings. Additionally, iOS and iPadOS provide restrictions that prevent data movement between apps and accounts installed by a mobile device management (MDM) solution and those installed by the user.
Role of Apple File System

Apple File System (APFS) is a proprietary file system that was designed with encryption in mind. APFS works across all Apple's platforms—for iOS, iPadOS, macOS, tvOS, and watchOS. Optimized for Flash/SSD storage, it features strong encryption, copy-on-write metadata, space sharing, cloning for files and directories, snapshots, fast directory sizing, atomic safe-save primitives, and improved file system fundamentals, as well as a unique copy-on-write design that uses I/O coalescing to deliver maximum performance while ensuring data reliability.

APFS allocates storage space on demand. When a single APFS container has multiple volumes, the container's free space is shared and can be allocated to any of the individual volumes as needed. Each volume uses only part of the overall container, so the available space is the total size of the container, minus the space used in all volumes in the container.

In macOS 10.15 an APFS container used to start up the Mac must contain at least five volumes, the first three of which are hidden from the user:
- Preboot volume: Contains data needed for booting each system volume in the container
- VM volume: Used by macOS for swap file storage
- Recovery volume: Contains recoveryOS
- System volume: Contains the following:
  - All the necessary files to start up the Mac
  - All apps installed natively by macOS (apps that used to reside in the /Applications folder now reside in /System/Applications)
- Data volume: Contains data that is subject to change, such as:
  - Any data inside the user's folder, including photos, music, videos, and documents
  - Apps the user installed, including AppleScript and Automator applications
  - Custom frameworks and daemons installed by the user, organization, or third-party apps
  - Other locations owned and writable by the user, such as /Applications, /Library, /Users, /Volumes, /usr/local, /private, /var, and /tmp

A Data volume is created for each additional System volume. The Preboot, VM, and Recovery volumes are all shared and not duplicated.

Note: By default, no process can write to the System volume, even Apple system processes.
Data Protection in iOS and iPadOS

Data Protection overview

In iOS and iPadOS, Apple uses a technology called Data Protection to protect data stored in flash storage on the device. Data Protection allows the device to respond to common events such as incoming phone calls, but also enables a high level of encryption for user data. Key system apps, such as Messages, Mail, Calendar, Contacts, Photos, and Health data values use Data Protection by default, and third-party apps installed on iOS 7 or later and iPadOS 13.1 receive this protection automatically.

Implementation

Data Protection is implemented by constructing and managing a hierarchy of keys, and builds on the hardware encryption technologies built into each iOS and iPadOS device. Data Protection is controlled on a per-file basis by assigning each file to a class; accessibility is determined according to whether the class keys have been unlocked. With the advent of the Apple File System (APFS), the file system is now able to further subdivide the keys into a per-extent basis (where portions of a file can have different keys).
Architecture

In iOS and iPadOS, storage is divided into two APFS volumes:
- System volume: System content is stored on the System volume, and user data is stored on the Data volume.
- Data volume: Every time a file on the data volume is created, Data Protection creates a new 256-bit key (the per-file key) and gives it to the hardware AES engine, which uses the key to encrypt the file as it is written to flash storage. The encryption uses AES-128 in XTS mode where the 256-bit per-file key is split to provide a 128-bit tweak and a 128-bit cipher key.

How data files are created and protected

On devices with an A7, S2, or S3 SoC, AES-CBC is used. The initialization vector is calculated with the block offset into the file, encrypted with the SHA-1 hash of the per-file key.

The per-file (or per-extent) key is wrapped with one of several class keys, depending on the circumstances under which the file should be accessible. Like all other wrappings that use RFC 3394, this is performed using NIST AES key wrapping. The wrapped per-file key is stored in the file's metadata.

Devices with APFS format may support cloning of files (zero-cost copies using copy-on-write technology). If a file is cloned, each half of the clone gets a new key to accept incoming writes so that new data is written to the media with a new key. Over time, the file may become composed of various extents (or fragments), each mapping to different keys. However, all of the extents that comprise a file are guarded by the same class key.

When a file is opened, its metadata is decrypted with the file system key, revealing the wrapped per-file key and a notation on which class protects it. The per-file (or per-extent) key is unwrapped with the class key and then supplied to the hardware AES engine, which decrypts the file as it's read from flash storage. All wrapped file key handling occurs in the Secure Enclave; the file key is never directly exposed to the Intel CPU. At boot time, the Secure Enclave negotiates an ephemeral key with the AES engine. When the Secure Enclave unwraps a file's keys, they are rewrapped with the ephemeral key and sent back to the application processor.

The metadata of all files in the data volume file system are encrypted with a random volume key, which is created when iOS and iPadOS are first installed or when the device is wiped by a user. This key is encrypted and wrapped by a key wrapping key that is known only to the Secure Enclave for long term storage. The key wrapping key changes every time a user erases their device. On A9 (and newer) SoCs, Secure Enclave relies upon entropy, backed by anti-replay nonce, to achieve effaceability and to protect its key wrapping key, among other assets.

Just like per-file or per-extent keys, the metadata key of the data volume is never directly exposed to the application processor; the Secure Enclave provides an ephemeral, per-boot version instead. When stored, the encrypted file system key is additionally wrapped by an "effaceable key" stored in Effaceable Storage. This key doesn't provide additional confidentiality of data. Instead, it's designed to be quickly erased on demand (by the user with the "Erase All Content and Settings" option, or by a user or administrator issuing a remote wipe command from a mobile device management (MDM) solution, Microsoft Exchange ActiveSync, or iCloud). Erasing the key in this manner renders all files cryptographically inaccessible.

The contents of a file may be encrypted with one or more per-file (or per-extent) keys that are wrapped with a class key and stored in a file's metadata, which in turn is encrypted with the file system key. The class key is protected with the hardware UID and, for some classes, the user's passcode. This hierarchy provides both flexibility and performance. For example, changing a file's class only requires rewrapping its per-file key, and a change of passcode just rewraps the class key.
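The hierarchy just described, modelled in Python as an added example (not Apple's code): a random per-file key drives AES-128-XTS with the split cipher/tweak key, is wrapped under a class key with RFC 3394 key wrap, and the class keys sit in a keybag wrapped by a key tied to the UID and, for classes A/B/C, the passcode. The UID/passcode entangling is simplified to HKDF (an assumption), and the Secure Enclave, file system key and per-extent keys are not modelled.

```python
"""Model of the iOS/iPadOS Data Protection key hierarchy (added example).

Shows why a class change rewraps only the per-file key and a passcode
change rewraps only the class keys: the file ciphertext never changes.
Uses the `cryptography` package. Simplifications (assumptions): HKDF-SHA256
stands in for the Secure Enclave's UID/passcode entangling, one XTS data
unit per file, no file system key, no per-extent keys.
"""
import os
from dataclasses import dataclass, field
from typing import Optional

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives.keywrap import aes_key_wrap, aes_key_unwrap

PASSCODE_CLASSES = ("A", "B", "C")   # class keys that need the passcode
ALL_CLASSES = PASSCODE_CLASSES + ("D",)  # class D: UID only


def _wrapping_key(uid: bytes, passcode: Optional[str]) -> bytes:
    """Key protecting a class key: UID alone (class D) or UID + passcode.
    HKDF is a stand-in for Apple's entangling, not the real derivation."""
    material = uid if passcode is None else uid + passcode.encode()
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=b"uid-tangling",
                info=b"class-key-wrap").derive(material)


@dataclass
class Keybag:
    uid: bytes                                   # constructed stand-in UID
    wrapped: dict = field(default_factory=dict)  # class name -> wrapped key

    @classmethod
    def create(cls, uid: bytes, passcode: str) -> "Keybag":
        bag = cls(uid)
        for name in ALL_CLASSES:
            pc = passcode if name in PASSCODE_CLASSES else None
            bag.wrapped[name] = aes_key_wrap(_wrapping_key(uid, pc), os.urandom(32))
        return bag

    def class_key(self, name: str, passcode: Optional[str] = None) -> bytes:
        """Unwraps a class key; a wrong passcode raises InvalidUnwrap."""
        pc = passcode if name in PASSCODE_CLASSES else None
        return aes_key_unwrap(_wrapping_key(self.uid, pc), self.wrapped[name])

    def change_passcode(self, old: str, new: str) -> None:
        """Rewraps only the passcode-dependent class keys; files untouched."""
        for name in PASSCODE_CLASSES:
            key = self.class_key(name, old)
            self.wrapped[name] = aes_key_wrap(_wrapping_key(self.uid, new), key)


@dataclass
class ProtectedFile:
    protection_class: str
    wrapped_file_key: bytes   # what the file's metadata stores
    ciphertext: bytes


def _xts(file_key: bytes, data: bytes, encrypt: bool) -> bytes:
    # AES-128-XTS: the 256-bit per-file key is split into a 128-bit cipher
    # key (first half) and a 128-bit tweak key (second half). The whole file
    # is one data unit here, so the tweak is unit number 0.
    cipher = Cipher(algorithms.AES(file_key),
                    modes.XTS(tweak=(0).to_bytes(16, "little")))
    op = cipher.encryptor() if encrypt else cipher.decryptor()
    return op.update(data) + op.finalize()


def create_file(bag: Keybag, protection_class: str, passcode: Optional[str],
                plaintext: bytes) -> ProtectedFile:
    """Write path: fresh per-file key, encrypt, wrap key under the class key."""
    if len(plaintext) < 16 or len(plaintext) % 16:
        raise ValueError("this model works on whole 16-byte blocks")
    file_key = os.urandom(32)
    ciphertext = _xts(file_key, plaintext, encrypt=True)
    wrapped = aes_key_wrap(bag.class_key(protection_class, passcode), file_key)
    return ProtectedFile(protection_class, wrapped, ciphertext)


def open_file(bag: Keybag, f: ProtectedFile, passcode: Optional[str]) -> bytes:
    """Read path: unwrap the per-file key with the (unlocked) class key."""
    file_key = aes_key_unwrap(bag.class_key(f.protection_class, passcode),
                              f.wrapped_file_key)
    return _xts(file_key, f.ciphertext, encrypt=False)


def change_class(bag: Keybag, f: ProtectedFile, new_class: str,
                 passcode: Optional[str]) -> ProtectedFile:
    """Class change: rewrap the per-file key, keep the ciphertext as is."""
    file_key = aes_key_unwrap(bag.class_key(f.protection_class, passcode),
                              f.wrapped_file_key)
    rewrapped = aes_key_wrap(bag.class_key(new_class, passcode), file_key)
    return ProtectedFile(new_class, rewrapped, f.ciphertext)
```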
Data Protection classes

When a new file is created on an iOS or iPadOS device, it's assigned a class by the app that creates it. Each class uses different policies to determine when the data is accessible. The basic classes and policies are described in the following sections.

Complete Protection (NSFileProtectionComplete): The class key is protected with a key derived from the user passcode and the device UID. Shortly after the user locks a device (10 seconds, if the Require Password setting is Immediately), the decrypted class key is discarded, rendering all data in this class inaccessible until the user enters the passcode again or unlocks the device using Touch ID or Face ID.

Protected Unless Open (NSFileProtectionCompleteUnlessOpen): Some files may need to be written while the device is locked. A good example of this is a mail attachment downloading in the background. This behavior is achieved by using asymmetric elliptic curve cryptography (ECDH over Curve25519). The usual per-file key is protected by a key derived using One-Pass Diffie-Hellman Key Agreement as described in NIST SP 800-56A. The ephemeral public key for the Agreement is stored alongside the wrapped per-file key. The KDF is Concatenation Key Derivation Function (Approved Alternative 1) as described in 5.8.1 of NIST SP 800-56A. AlgorithmID is omitted. PartyUInfo and PartyVInfo are the ephemeral and static public keys, respectively. SHA-256 is used as the hashing function. As soon as the file is closed, the per-file key is wiped from memory. To open the file again, the shared secret is re-created using the Protected Unless Open class's private key and the file's ephemeral public key, which are used to unwrap the per-file key that is then used to decrypt the file.
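The Protected Unless Open agreement above, worked as an added Python example (modelled on the text, not Apple's code): X25519 one-pass Diffie-Hellman, the SP 800-56A Concatenation KDF with SHA-256 and OtherInfo = ephemeral public key || class static public key, and RFC 3394 wrapping of the per-file key. It assumes the class B private key is available only after unlock and that what the file stores is the wrapped key plus the ephemeral public key.

```python
"""Protected Unless Open (class B) key agreement (added example).

Write path needs only the class B *public* key, so it works while the device
is locked; read path needs the class B *private* key, which is only
available after unlock. Uses the `cryptography` package. Assumptions: the
file's metadata holds (wrapped per-file key, ephemeral public key); the
ephemeral private key and shared secret are discarded after the write.
"""
import os
from typing import Tuple

from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric.x25519 import (
    X25519PrivateKey, X25519PublicKey)
from cryptography.hazmat.primitives.kdf.concatkdf import ConcatKDFHash
from cryptography.hazmat.primitives.keywrap import aes_key_wrap, aes_key_unwrap


def _raw(pub: X25519PublicKey) -> bytes:
    """32-byte raw Curve25519 public key."""
    return pub.public_bytes(serialization.Encoding.Raw,
                            serialization.PublicFormat.Raw)


def new_class_keypair() -> X25519PrivateKey:
    """Static class B key pair (constructed here; lives in the keybag)."""
    return X25519PrivateKey.generate()


def derive_wrapping_key(shared_secret: bytes, ephemeral_pub: bytes,
                        static_pub: bytes) -> bytes:
    """Concatenation KDF (SP 800-56A 5.8.1) with SHA-256, AlgorithmID omitted:
    OtherInfo = PartyUInfo || PartyVInfo = ephemeral || static public key."""
    kdf = ConcatKDFHash(algorithm=hashes.SHA256(), length=32,
                        otherinfo=ephemeral_pub + static_pub)
    return kdf.derive(shared_secret)


def wrap_while_locked(class_static_pub: X25519PublicKey,
                      per_file_key: bytes) -> Tuple[bytes, bytes]:
    """Write path. Returns (wrapped per-file key, ephemeral public key);
    both are stored in the file's metadata."""
    ephemeral = X25519PrivateKey.generate()
    shared = ephemeral.exchange(class_static_pub)
    eph_pub = _raw(ephemeral.public_key())
    kek = derive_wrapping_key(shared, eph_pub, _raw(class_static_pub))
    wrapped = aes_key_wrap(kek, per_file_key)
    # ephemeral private key and shared secret go out of scope here; without
    # the class private key nothing on the device can recompute kek.
    return wrapped, eph_pub


def unwrap_after_unlock(class_static_priv: X25519PrivateKey, wrapped: bytes,
                        ephemeral_pub: bytes) -> bytes:
    """Read path. Re-creates the shared secret from the class private key and
    the stored ephemeral public key; a wrong class key raises InvalidUnwrap."""
    shared = class_static_priv.exchange(
        X25519PublicKey.from_public_bytes(ephemeral_pub))
    kek = derive_wrapping_key(shared, ephemeral_pub,
                              _raw(class_static_priv.public_key()))
    return aes_key_unwrap(kek, wrapped)


def demo() -> bool:
    """Round trip with a constructed class B key pair and per-file key."""
    class_b = new_class_keypair()
    per_file_key = os.urandom(32)
    wrapped, eph_pub = wrap_while_locked(class_b.public_key(), per_file_key)
    return unwrap_after_unlock(class_b, wrapped, eph_pub) == per_file_key
```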
Protected Until First User Authentication (NSFileProtectionCompleteUntilFirstUserAuthentication): This class behaves in the same way as Complete Protection, except that the decrypted class key isn't removed from memory when the device is locked. The protection in this class has similar properties to desktop full-volume encryption, and protects data from attacks that involve a reboot. This is the default class for all third-party app data not otherwise assigned to a Data Protection class.

No Protection (NSFileProtectionNone): This class key is protected only with the UID, and is kept in Effaceable Storage. Since all the keys needed to decrypt files in this class are stored on the device, the encryption only affords the benefit of fast remote wipe. If a file isn't assigned a Data Protection class, it is still stored in encrypted form (as is all data on an iOS and iPadOS device).

Data Protection class key

Class     Protection type
Class A   Complete Protection (NSFileProtectionComplete)
Class B   Protected Unless Open (NSFileProtectionCompleteUnlessOpen)
Class C   Protected Until First User Authentication (NSFileProtectionCompleteUntilFirstUserAuthentication)
Class D   No Protection (NSFileProtectionNone)

Accessing protected keys in recovery modes

On devices with Apple A10, A11, and S3 SoCs, class keys protected by the user's passcode can't be accessed from Recovery mode. The A12 and S4 SoCs extend this protection to Device Firmware Upgrade (DFU) mode.

The Secure Enclave AES engine is equipped with lockable software seed bits. When keys are created from the UID, these seed bits are included in the key derivation function to create additional key hierarchies. Starting with the Apple A10 and S3 SoCs, a seed bit is dedicated to distinguish keys protected by the user's passcode. The seed bit is set for keys that require the user's passcode (including Data Protection Class A, Class B, and Class C keys), and cleared for keys that don't require the user's passcode (including the file system metadata key and Class D keys).

On A12 SoCs, the Secure Enclave Boot ROM locks the passcode seed bit if the application processor has entered DFU mode or Recovery mode. When the passcode seed bit is locked, no operation to change it is allowed, preventing access to data protected with the user's passcode.

On Apple A10, A11, S3, and S4 SoCs, the passcode seed bit is locked by the Secure Enclave OS if the device has entered Recovery mode. The Secure Enclave Boot ROM and OS both check the Boot Progress Register (BPR) to securely determine the current mode.

In addition, in iOS 13 and iPadOS 13.1 or later on devices with an A10 or newer, all user data is rendered cryptographically inaccessible when devices are booted into Recovery mode. This is achieved by introducing an additional seed bit whose setting governs the ability to access the media key, which itself is needed to access the metadata (and therefore contents of) all files on the data volume encrypted with Data Protection. This protection encompasses files protected in all classes (A, B, C, and D), not just those that required the user's passcode.

Restoring a device after it enters DFU mode returns it to a known good state with the certainty that only unmodified Apple-signed code is present. DFU mode can be entered manually. See the following Apple Support articles on how to place a device in DFU mode:

Device                      Article
iPhone, iPad, iPod touch    If you forgot the passcode for your iPhone, iPad, or iPod touch, or your device is disabled
Apple TV                    Restore your Apple TV

Keychain data protection and data classes

Keychain data protection overview

Many apps need to handle passwords and other short but sensitive bits of data, such as keys and login tokens.
The iOS and iPadOS Keychain provides a secure way to store these items. Keychain items are encrypted using two different AES-256-GCM keys: a table key (metadata), and a per-row key (secret-key). Keychain metadata (all attributes other than kSecValue) is encrypted with the metadata key to speed searches while the secret value (kSecValueData) is encrypted with the secret-key. The metadata key is protected by the Secure Enclave, but is cached in the application processor to allow fast queries of the keychain. The secret key always requires a round trip through the Secure Enclave.

The Keychain is implemented as a SQLite database, stored on the file system. There is only one database and the securityd daemon determines which Keychain items each process or app can access. Keychain access APIs result in calls to the daemon, which queries the app's "Keychain-access-groups," "application-identifier," and "application-group" entitlements. Rather than limiting access to a single process, access groups allow Keychain items to be shared between apps.

Keychain items can only be shared between apps from the same developer. This is managed by requiring third-party apps to use access groups with a prefix allocated to them through the Apple Developer Program through application groups. The prefix requirement and application group uniqueness are enforced through code signing, provisioning profiles, and the Apple Developer Program.

Keychain data is protected using a class structure similar to the one used in file Data Protection. These classes have behaviors equivalent to file Data Protection classes but use distinct keys and are part of APIs that are named differently.

Availability          File Data Protection                                    Keychain Data Protection
When unlocked         NSFileProtectionComplete                                kSecAttrAccessibleWhenUnlocked
While locked          NSFileProtectionCompleteUnlessOpen                      N/A
After first unlock    NSFileProtectionCompleteUntilFirstUserAuthentication    kSecAttrAccessibleAfterFirstUnlock
Always                NSFileProtectionNone                                    kSecAttrAccessibleAlways
Passcode enabled      N/A                                                     kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly

Apps that utilize background refresh services can use kSecAttrAccessibleAfterFirstUnlock for Keychain items that need to be accessed during background updates.

The class kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly behaves the same as kSecAttrAccessibleWhenUnlocked; however, it's available only when the device is configured with a passcode. This class exists only in the system Keybag; items in it:
- Don't sync to iCloud Keychain
- Aren't backed up
- Aren't included in escrow keybags

If the passcode is removed or reset, the items are rendered useless by discarding the class keys. Other Keychain classes have a "This device only" counterpart, which is always protected with the UID when being copied from the device during a backup, rendering it useless if restored to a different device. Apple has carefully balanced security and usability by choosing Keychain classes that depend on the type of information being secured and when it's needed by iOS and iPadOS. For example, a VPN certificate must always be available so the device keeps a continuous connection, but it's classified as "non-migratory," so it can't be moved to another device.

Keychain data class protections

For Keychain items created by iOS and iPadOS, the following class protections are enforced:

Item                                                                  Accessible
Wi-Fi passwords                                                       After first unlock
Mail accounts                                                         After first unlock
Microsoft Exchange ActiveSync accounts                                After first unlock
VPN passwords                                                         After first unlock
LDAP, CalDAV, CardDAV                                                 After first unlock
Social network account tokens                                         After first unlock
Handoff advertisement encryption keys                                 After first unlock
iCloud token                                                          After first unlock
Home sharing password                                                 When unlocked
Safari passwords                                                      When unlocked
Safari bookmarks                                                      When unlocked
iTunes backup                                                         When unlocked, non-migratory
VPN certificates                                                      Always, non-migratory
Bluetooth keys                                                        Always, non-migratory
Apple Push Notification service (APNs) token                          Always, non-migratory
iCloud certificates and private key                                   Always, non-migratory
iMessage keys                                                         Always, non-migratory
Certificates and private keys installed by a configuration profile    Always, non-migratory
SIM PIN                                                               Always, non-migratory
Find My token                                                         Always
Voicemail                                                             Always

Keychain access control

Keychains can use access control lists (ACLs) to set policies for accessibility and authentication requirements. Items can establish conditions that require user presence by specifying that they can't be accessed unless authenticated using Touch ID, Face ID, or by entering the device's passcode. Access to items can also be limited by specifying that Touch ID or Face ID enrollment hasn't changed since the item was added. This limitation helps prevent an attacker from adding their own fingerprint in order to access a Keychain item. ACLs are evaluated inside the Secure Enclave and are released to the kernel only if their specified constraints are met.
50EncryptioninmacOSInternalvolumeencryptionwhenFileVaultisturnedonInMacOSX10.
3orlater,MaccomputersprovideFileVault,abuilt-inencryptioncapabilitytosecurealldataatrest.
FileVaultusestheAES-XTSdataencryptionalgorithmtoprotectfullvolumesoninternalandremovablestoragedevices.
OnMaccomputerswiththeAppleT2SecurityChip,encryptedinternalstoragedevicesdirectlyconnectedtotheT2chipleveragethehardwaresecuritycapabilitiesofthechip.
AfterauserturnsonFileVaultonaMac,theircredentialsarerequiredduringthebootprocess.
Withoutvalidlogincredentialsoracryptographicrecoverykey,theinternalAPFSvolume(inmacOS10.
15,thisincludestheSystemandDatavolumes)remainsencryptedandisprotectedfromunauthorizedaccessevenifthephysicalstoragedeviceisremovedandconnectedtoanothercomputer.
InternalvolumeencryptiononaMacwiththeT2chipisimplementedbyconstructingandmanagingahierarchyofkeys,andbuildsonthehardwareencryptiontechnologiesbuiltintothechip.
Thishierarchyofkeysisdesignedtosimultaneouslyachievefourgoals:Requiretheuser'spasswordfordecryptionProtectthesystemfromabrute-forceattackdirectlyagainststoragemediaremovedfromMacProvideaswiftandsecuremethodforwipingcontentviadeletionofnecessarycryptographicmaterialEnableuserstochangetheirpassword(andinturnthecryptographickeysusedtoprotecttheirfiles)withoutrequiringreencryptionoftheentirevolumeInternalvolumeencryptionwhenFileVaultisturnedoninmacOS.
OnMaccomputerswiththeT2chip,allFileVaultkeyhandlingoccursintheSecureEnclave;encryptionkeysareneverdirectlyexposedtotheIntelCPU.
AllAPFSvolumesarecreatedwithavolumekeybydefault.
Volumeandmetadatacontentsareencryptedwiththisvolumekey,whichiswrappedwiththeclasskey.
Theclasskeyisprotectedbyacombinationoftheuser'spasswordandthehardwareUIDwhenFileVaultisturnedon.
ThisprotectionisthedefaultonMaccomputerswiththeT2chip.
Note:Encryptionofremovablestoragedevicesdoesn'tutilizethesecuritycapabilitiesoftheAppleT2SecurityChip,anditsencryptionisperformedinthesamemannerasMaccomputerswithouttheT2chip.
Internal volume encryption when FileVault is turned off

If FileVault isn't turned on on a Mac with the Apple T2 Security Chip during the initial Setup Assistant process, the volume is still encrypted but the volume key is protected only by the hardware UID in the Secure Enclave.

[Figure: Internal volume encryption when FileVault is turned off in macOS.]

If FileVault is turned on later (a process that is immediate since the data was already encrypted), an anti-replay mechanism prevents the old key (based on the hardware UID only) from being used to decrypt the volume. The volume is then protected by a combination of the user password with the hardware UID as previously described.

Deleting FileVault volumes

When deleting a volume, its volume key is securely deleted by the Secure Enclave. This prevents future access with this key even by the Secure Enclave. In addition, all volume keys are wrapped with a media key. The media key doesn't provide additional confidentiality of data, but instead is designed to enable swift and secure deletion of data because without it, decryption is impossible. The media key is located in Effaceable Storage and designed to be quickly erased on demand (for example, using remote wipe in Find My or when enrolled in a mobile device management (MDM) solution). Effaceable Storage accesses the underlying storage technology (for example, NAND) to directly address and erase a small number of blocks at a very low level. Erasing the media key in this manner renders the volume cryptographically inaccessible.
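The key hierarchy described in the preceding paragraphs (media key wrapping the volume key, the class key wrapping it again, and the password entangled with the hardware UID wrapping the class key) can be modelled end to end. The following is an added example written for this page, not Apple's code: wrap()/unwrap() is a toy encrypt-then-MAC key wrap built from HMAC-SHA256 standing in for the AES key wrapping the Secure Enclave performs, the "UID" is a random 32-byte value that in the real design never leaves the chip, and the generation counter is a stand-in for the Secure Enclave's anti-replay state. All inputs are constructed. The demo() function walks through the four goals listed above: password-protected decryption, on-device-only brute force (the UID is in the derivation), wipe by erasing only the media key, and password change (or turning FileVault on later) without re-encrypting the volume, with the stale UID-only wrapped class key rejected afterwards.

```python
"""Toy model of the FileVault key hierarchy. Added example, not Apple's code;
see the lead-in for what is assumed."""
import hashlib
import hmac
import os


def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 (toy stream cipher, stands in for AES)."""
    out = b""
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def _xor(data, key, nonce):
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def wrap(kek, key, aad=b""):
    """Wrap `key` under `kek`; `aad` is authenticated but not stored in the blob."""
    nonce = os.urandom(16)
    ct = _xor(key, kek, nonce)
    tag = hmac.new(kek, nonce + ct + aad, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(kek, blob, aad=b""):
    """Inverse of wrap(); raises if the KEK or the associated data is wrong."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kek, nonce + ct + aad, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("unwrap failed: wrong key or replayed key material")
    return _xor(ct, kek, nonce)


def class_kek(password, uid, salt):
    """KEK for the class key: the UID alone (FileVault off) or password entangled with UID."""
    if password is None:
        return uid
    # Mixing the UID into the derivation means a brute-force attack can only
    # run on this chip; the iteration count is a constructed value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), uid + salt, 50_000)


class Volume:
    """media key -> wraps(class key -> wraps(volume key)); password+UID wraps the class key."""

    def __init__(self, uid, password=None):
        self.uid = uid
        self.generation = 0                      # models the Secure Enclave anti-replay state
        self.media_key = os.urandom(32)          # lives in Effaceable Storage
        class_key = os.urandom(32)
        volume_key = os.urandom(32)
        self.wrapped_volume_key = wrap(self.media_key, wrap(class_key, volume_key))
        self.salt = os.urandom(16)
        self.wrapped_class_key = wrap(class_kek(password, uid, self.salt), class_key, self._aad())

    def _aad(self):
        return self.generation.to_bytes(4, "big")

    def volume_key(self, password=None):
        if self.media_key is None:
            raise ValueError("media key erased: volume is cryptographically inaccessible")
        class_key = unwrap(class_kek(password, self.uid, self.salt), self.wrapped_class_key, self._aad())
        return unwrap(class_key, unwrap(self.media_key, self.wrapped_volume_key))

    def change_password(self, old, new):
        """Turn FileVault on (old=None) or rotate the password: only the class key is re-wrapped."""
        class_key = unwrap(class_kek(old, self.uid, self.salt), self.wrapped_class_key, self._aad())
        self.generation += 1                     # blobs wrapped under the old generation are now rejected
        self.salt = os.urandom(16)
        self.wrapped_class_key = wrap(class_kek(new, self.uid, self.salt), class_key, self._aad())

    def write(self, plaintext, password=None):
        nonce = os.urandom(16)
        return nonce + _xor(plaintext, self.volume_key(password), nonce)

    def read(self, blob, password=None):
        return _xor(blob[16:], self.volume_key(password), blob[:16])

    def wipe(self):
        """Remote wipe: erase only the media key; the data blocks are left untouched."""
        self.media_key = None


def _fails(action):
    try:
        action()
    except ValueError:
        return True
    return False


def demo():
    """Exercise the four goals; returns the observed outcomes (constructed data)."""
    vol = Volume(uid=os.urandom(32))                        # FileVault off: UID-only protection
    blob = vol.write(b"payroll.xlsx contents")
    wrapped_vk_before = vol.wrapped_volume_key
    stale = vol.wrapped_class_key                           # UID-only wrapped class key, generation 0
    vol.change_password(None, "correct horse battery")      # turn FileVault on: immediate, no reencryption
    r = {}
    r["no_reencryption"] = vol.wrapped_volume_key == wrapped_vk_before
    r["reads_with_password"] = vol.read(blob, "correct horse battery")
    r["wrong_password_rejected"] = _fails(lambda: vol.read(blob, "wrong"))
    current, vol.wrapped_class_key = vol.wrapped_class_key, stale
    r["replay_rejected"] = _fails(lambda: vol.read(blob))   # old UID-only material no longer unlocks
    vol.wrapped_class_key = current
    vol.wipe()
    r["wiped_unreadable"] = _fails(lambda: vol.read(blob, "correct horse battery"))
    return r
```

The point to notice is what does not change: `wrapped_volume_key` and every data block are untouched by turning FileVault on or changing the password, and wiping touches nothing but the media key. The anti-replay mechanism the text mentions is modelled only as a generation counter bound into the class-key wrap; the real Secure Enclave mechanism is not described in enough detail here to reproduce.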
Preventing brute-force attacks and malware

To prevent brute-force attacks, when Mac boots, no more than 30 password attempts are allowed at the Login Window or using Target Disk Mode, and escalating time delays are imposed after incorrect attempts. The delays are enforced by the Secure Enclave coprocessor on the T2 chip. If Mac is restarted during a timed delay, the delay is still enforced, with the timer starting over for the current period.

To prevent malware from causing permanent data loss by trying to attack the user's password, these limits are not enforced after the user has successfully logged in to the Mac, but are reimposed after reboot. If the 30 attempts are exhausted, 10 more attempts are available after booting into macOS Recovery. And if those are also exhausted, then 60 additional attempts are available for each FileVault recovery mechanism (iCloud recovery, FileVault recovery key, and institutional key), for a maximum of 180 additional attempts. Once those additional attempts are exhausted, the Secure Enclave no longer processes any requests to decrypt the volume or verify the password, and the data on the drive becomes unrecoverable.

To protect data in an enterprise setting, IT should define and enforce FileVault configuration policies using mobile device management (MDM). Organizations have several options for managing encrypted volumes, including institutional recovery keys, personal recovery keys (that can optionally be stored with MDM for escrow), or a combination of both. Key rotation can also be set as a policy in MDM.
Delays between password attempts

Attempts | Delay enforced
1–14 | None
15–17 | 1 minute
18–20 | 5 minutes
21–26 | 15 minutes
27–30 | 1 hour

Managing FileVault using SecureToken

Apple File System (APFS) in macOS 10.13 or later changes how FileVault encryption keys are generated. In previous versions of macOS on CoreStorage volumes, the keys used in the FileVault encryption process were created when a user or organization turned on FileVault on a Mac. In macOS on APFS volumes, the keys are generated either during user creation or during the first login by a user of the Mac. This implementation of the encryption keys, when they are generated, and how they are stored are a part of SecureToken. Specifically, a SecureToken is a wrapped version of a Key Encryption Key (KEK) protected by a user's password.

When deploying FileVault on APFS, the user can continue to:

• Use existing tools and processes, such as Personal Recovery Key (PRK) escrow to a mobile device management (MDM) solution
• Create and use an Institutional Recovery Key (IRK)
• Defer enablement of FileVault until a user logs in to or out of the Mac

Using Bootstrap Token

macOS 10.15 introduces a new feature, Bootstrap Token, to help with granting a SecureToken to both mobile accounts and the optional device enrollment-created administrator account ("managed administrator"). The managed administrator can be created by configuring an MDM solution to create it during the enrollment process that happens using Apple School Manager or Apple Business Manager. Using the new Bootstrap Token feature of macOS 10.15 requires:

• Mac enrollment in MDM using Apple School Manager or Apple Business Manager
• MDM vendor support

Note: A Bootstrap Token can't be generated automatically by macOS during setup if local user account creation is skipped entirely. In macOS 10.15.4 or later, a Bootstrap Token is generated to be escrowed to MDM on the first login by any user who is SecureToken enabled, if the MDM solution supports the feature. A Bootstrap Token can also still be generated and escrowed to MDM using the profiles command-line tool, if needed.
When a user sets up a Mac on their own

When a user sets up a Mac on their own, IT departments don't provision the actual device. All policies and configurations are provided using a mobile device management (MDM) solution or configuration management tools. Setup Assistant is used to create the initial local administrator account, and the user is granted a SecureToken. If the MDM solution supports the Bootstrap Token feature and informs the Mac during MDM enrollment, a Bootstrap Token is generated by the Mac and escrowed to the MDM solution.

If a Mac is enrolled in an MDM solution, depending on the MDM features available, the initial account can be an administrator account or a local account. If the user is downgraded to a standard user using MDM, the user is automatically granted a SecureToken. If the user is downgraded, starting in macOS 10.15.4, a Bootstrap Token is generated.

Note: If local user account creation in Setup Assistant is skipped altogether using MDM and a directory service with mobile accounts is used instead, the directory user won't be granted a SecureToken during login and no Bootstrap Token is generated. If there are no SecureToken users on the Mac, the mobile account can still be enabled for FileVault using deferred enablement, and SecureToken is granted to the user at the time that FileVault is turned on. Once the user is SecureToken enabled, in macOS 10.15.4 and later, a Bootstrap Token is automatically generated and escrowed to the MDM solution at login if it supports the feature.

In any of the above scenarios, because the first and primary user is granted a SecureToken, they can be enabled for FileVault using deferred enablement. Deferred enablement allows the organization to turn on FileVault, but defer its enablement until a user logs in to or out of the Mac. It's also possible to customize whether the user can skip turning on FileVault (optionally a defined number of times). The end result is the primary user of the Mac (whether a local user of any type or a mobile account) being able to unlock the storage device when encrypted with FileVault.

On Mac computers where a Bootstrap Token was generated and escrowed to an MDM solution, if the managed administrator account logs in to the Mac at a future date and time, the Bootstrap Token is used to automatically grant a SecureToken, meaning the account is also enabled for FileVault and able to unlock the FileVault volume. To modify whether the managed administrator account can unlock the volume, the user can use: fdesetup remove -user.
When a Mac is provisioned by an organization

When a Mac is provisioned by an organization before being given to a user, the IT department sets up the device. The local administrative account created in the macOS Setup Assistant used to provision or set up the Mac is granted a SecureToken. In macOS 10.15, if the MDM solution supports the Bootstrap Token feature, a Bootstrap Token is also generated during the macOS setup process and escrowed to the MDM solution. If the managed administrator account logs in to the Mac at a future date and time, the Bootstrap Token is used to automatically grant it a SecureToken.

If the Mac is joined to a directory service and configured to create mobile accounts, and if there is no Bootstrap Token, directory service users are prompted at first login for an existing SecureToken administrator's username and password to grant their account a SecureToken. The local administrator credentials used to set up the Mac should be entered. If SecureToken isn't required, the user clicks Bypass. In macOS 10.13.5 or later, it's possible to suppress the SecureToken dialog completely if FileVault isn't going to be used with the mobile accounts. To suppress the SecureToken dialog, apply a custom settings configuration profile from MDM with the following keys and values:

Setting | Value
Domain | com.apple.MCX
Key | cachedaccounts.askForSecureTokenAuthBypass
Value | True

If the MDM solution supports the Bootstrap Token feature and one was generated by the Mac and escrowed to the MDM solution, mobile account users won't see this prompt. Instead, they are automatically granted a SecureToken during login.

If additional local users are required on the Mac instead of user accounts from a directory service, those local users are automatically granted a SecureToken when they are created in System Preferences > Users & Groups by a current SecureToken-enabled administrator. If creating local users using the command line is required, the sysadminctl command-line tool can be used to create users and enable them for SecureToken.

In these scenarios, the following users can unlock the FileVault-encrypted volume:

• The original local administrator used for provisioning
• Any additional directory service users granted a SecureToken during the login process, either interactively using the dialog prompt or automatically with the Bootstrap Token
• Any new local users created in System Preferences

To modify whether specific accounts can unlock the storage device, the user can use fdesetup remove -user. When using one of the above described workflows, SecureToken is managed by macOS without any additional configuration or scripting being needed; it becomes an implementation detail and not something that needs to be actively managed or manipulated.
Using command-line tools

Command-line tools are available for managing Bootstrap Token, FileVault, and SecureToken. The Bootstrap Token is usually generated on the Mac and escrowed to the mobile device management (MDM) solution during the macOS setup process after the MDM solution tells the Mac that it supports the feature. However, a Bootstrap Token can also be generated on a Mac that has already been deployed, for example if the MDM solution adds support for this feature after an initial deployment of macOS 10.15. In macOS 10.15.4 or later, a Bootstrap Token is generated and escrowed to MDM on the first login by any user who is SecureToken enabled, if the MDM solution supports the feature. This reduces the need to use the profiles command-line tool after device setup to generate and escrow a Bootstrap Token to the MDM solution.

The profiles command-line tool has a number of options for interacting with the Bootstrap Token:

sudo profiles install -type bootstraptoken: This command generates a new Bootstrap Token and escrows it to the MDM solution. This command requires existing SecureToken administrator information to initially generate the Bootstrap Token; the MDM solution must support the feature; and the Mac computer's serial number must appear in Apple School Manager or Apple Business Manager and be enrolled in that specific MDM solution.

sudo profiles remove -type bootstraptoken: Removes the existing Bootstrap Token on the Mac and the MDM solution.

sudo profiles status -type bootstraptoken: Reports back whether the MDM solution supports the Bootstrap Token feature, and what the current state of the Bootstrap Token is on the Mac.

fdesetup command-line tool

MDM configurations or the fdesetup command-line tool can be used to configure FileVault. In macOS 10.15 or later, using fdesetup to turn on FileVault by providing the username and password is deprecated and won't be recognized in a future release. Consider using deferred enablement using MDM instead. To learn more about the fdesetup command-line tool, launch the Terminal app and enter man fdesetup or fdesetup help for additional information.

sysadminctl command-line tool

The sysadminctl command-line tool can be used specifically to modify SecureToken status for user accounts on the Mac. This should be done with caution and only when necessary. Changing the SecureToken status of a user using sysadminctl always requires the username and password of an existing SecureToken-enabled administrator, either interactively or through the appropriate flags on the command. Both sysadminctl and System Preferences prevent the deletion of the last administrator or SecureToken-enabled user on a Mac. If the creation of additional local users is scripted using sysadminctl, for those users to be enabled for SecureToken, current SecureToken-enabled administrator credentials are required to be supplied either using the interactive option or directly with the -adminUser and -adminPassword flags with sysadminctl. Use sysadminctl -h for additional usage instructions.
Passcodes and passwords

Passcodes

By setting up a device passcode, the user automatically enables Data Protection. iOS and iPadOS support six-digit, four-digit, and arbitrary-length alphanumeric passcodes. In addition to unlocking the device, a passcode provides entropy for certain encryption keys. This means an attacker in possession of a device can't get access to data in specific protection classes without the passcode.

The passcode is entangled with the device's UID, so brute-force attempts must be performed on the device under attack. A large iteration count is used to make each attempt slower. The iteration count is calibrated so that one attempt takes approximately 80 milliseconds. This means it would take more than five and one-half years to try all combinations of a six-character alphanumeric passcode with lowercase letters and numbers.

The stronger the user passcode is, the stronger the encryption key becomes. Touch ID and Face ID can be used to enhance this equation by enabling the user to establish a much stronger passcode than would otherwise be practical. This increases the effective amount of entropy protecting the encryption keys used for Data Protection, without adversely affecting the user experience of unlocking an iOS or iPadOS device multiple times throughout the day.

To further discourage brute-force passcode attacks, there are escalating time delays after the entry of an invalid passcode at the Lock screen. If Settings > Touch ID & Passcode > Erase Data is turned on, the device automatically wipes after 10 consecutive incorrect attempts to enter the passcode. Consecutive attempts of the same incorrect passcode don't count toward the limit. This setting is also available as an administrative policy through a mobile device management (MDM) solution that supports this feature and Microsoft Exchange ActiveSync, and can be set to a lower threshold. On devices with Secure Enclave, the delays are enforced by the Secure Enclave coprocessor. If the device is restarted during a timed delay, the delay is still enforced, with the timer starting over for the current period.
Specifying longer passcodes

If a long password that contains only numbers is entered, a numeric keypad is displayed at the Lock screen instead of the full keyboard. A longer numeric passcode may be easier to enter than a shorter alphanumeric passcode, while providing similar security. Users can specify a longer alphanumeric passcode by selecting Custom Alphanumeric Code in the Passcode Options in Settings > Passcode.

Delays between passcode attempts

Attempts | Delay enforced
1–4 | None
5 | 1 minute
6 | 5 minutes
7–8 | 15 minutes
9 | 1 hour

Activating data connections securely

To improve security while maintaining usability, Touch ID, Face ID, or passcode entry is required to activate data connections via the Lightning, USB, or Smart Connector interface if no data connection has been established recently. This limits the attack surface against physically connected devices such as malicious chargers while still enabling usage of other accessories within reasonable time constraints. If more than an hour has passed since the iOS or iPadOS device has locked or since an accessory's data connection has been terminated, the device won't allow any new data connections to be established until the device is unlocked. During this hour period, only data connections from accessories that have been previously connected to the device while in an unlocked state will be allowed. These accessories are remembered for 30 days after the last time they were connected. Attempts by an unknown accessory to open a data connection during this period will disable all accessory data connections over Lightning, USB, and Smart Connector until the device is unlocked again.

This hour period:

• Ensures that frequent users of connections to a Mac or PC, to accessories, or wired to CarPlay won't need to input their passcodes every time they attach their device.
• Is necessary because the accessory ecosystem doesn't provide a cryptographically reliable way to identify accessories before establishing a data connection.

In addition, if it's been more than three days since a data connection has been established with an accessory, the device will disallow new data connections immediately after it locks. This is to increase protection for users that don't often make use of such accessories. Data connections over Lightning, USB, and Smart Connector are also disabled whenever the device is in a state where it requires a passcode to reenable biometric authentication. The user can choose to reenable always-on data connections in Settings (setting up some assistive devices does this automatically).
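The accessory policy described above has several interacting clocks (the one-hour window measured from lock or from the last disconnect, the 30-day memory of known accessories, the three-day rule, and the "trip" when an unknown accessory appears). The following is an added example written for this page, not Apple's code, that models the policy as a decision function. The figures are the page's; the event names, the accessory identifiers, and the order in which the checks are applied are my reading of the text rather than the real implementation. Times are seconds from an arbitrary epoch and all inputs are constructed.

```python
"""Model of the Lightning/USB/Smart Connector data-connection policy. Added example,
not Apple's code; the check order is an assumption."""
HOUR = 3600
DAY = 86400


class AccessoryPolicy:
    def __init__(self, always_on=False):
        self.always_on = always_on             # user opted back in to always-on data connections
        self.locked_at = None                  # None while the device is unlocked
        self.last_disconnect = None            # when an accessory's data connection last ended
        self.last_connection = None            # when any data connection was last established
        self.known = {}                        # accessory -> last connection time
        self.tripped = False                   # unknown accessory seen while locked
        self.biometrics_need_passcode = False

    def unlock(self, now):
        """Touch ID, Face ID or passcode: clears the lock, a tripped state and a biometric lockout."""
        self.locked_at = None
        self.tripped = False
        self.biometrics_need_passcode = False

    def lock(self, now):
        self.locked_at = now

    def require_passcode_for_biometrics(self):
        """The device entered a state where biometrics are off until the passcode is entered."""
        self.biometrics_need_passcode = True

    def disconnect(self, now):
        self.last_disconnect = now

    def connect(self, accessory, now):
        """Decide whether `accessory` may open a data connection: 'allowed' or 'blocked'."""
        if self.locked_at is None or self.always_on:
            return self._allow(accessory, now)
        if self.tripped or self.biometrics_need_passcode:
            return "blocked"
        # No data connection in the last three days: nothing is allowed once locked.
        if self.last_connection is None or now - self.last_connection > 3 * DAY:
            return "blocked"
        # Otherwise the window is one hour from locking or from the last disconnect,
        # whichever is later.
        window_start = max(self.locked_at, self.last_disconnect or 0)
        if now - window_start > HOUR:
            return "blocked"
        # Within the hour: only accessories seen while unlocked, remembered for 30 days.
        seen = self.known.get(accessory)
        if seen is not None and now - seen <= 30 * DAY:
            return self._allow(accessory, now)
        self.tripped = True                    # unknown accessory: all data ports stay dark until unlock
        return "blocked"

    def _allow(self, accessory, now):
        self.last_connection = now
        if self.locked_at is None or accessory in self.known:
            self.known[accessory] = now        # the 30-day clock runs from the last connection
        return "allowed"
```

The design choice worth noting is that an unknown accessory does not merely get refused: it flips `tripped`, so a known accessory is refused too until the next unlock. That is the behaviour the text describes, and it is what makes a "try every accessory identity" attack against a locked device pointless within the window.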
Function of passwords

In Mac computers with the Apple T2 Security Chip, the password serves a similar function to the passcodes above, except that the key generated is used for FileVault encryption rather than Data Protection. macOS also offers additional password recovery options:

• iCloud recovery
• FileVault recovery key
• FileVault institutional key

Authentication and digital signing

Digital signing and encryption

Access Control Lists

Keychain data is partitioned and protected with Access Control Lists (ACLs). As a result, credentials stored by third-party apps can't be accessed by apps with different identities unless the user explicitly approves them. This protection provides the mechanism for securing authentication credentials in Apple devices across a range of apps and services within the organization.
Mail

In the Mail app, users can send messages that are digitally signed and encrypted. Mail automatically discovers appropriate RFC 5322 case-sensitive email address subject or subject alternative names on digital signing and encryption certificates on attached PIV tokens in compatible smart cards. If a configured email account matches an email address on a digital signing or encryption certificate on an attached PIV token, Mail automatically displays the signing button in the toolbar of a new message window. If Mail has the recipient's email encryption certificate or can discover it in the Microsoft Exchange Global Address List (GAL), an unlocked icon appears in the new message toolbar. A locked lock icon indicates the message will be sent encrypted with the recipient's public key.

Per-message S/MIME

iOS, iPadOS, and macOS support per-message S/MIME. This means that S/MIME users can choose to always sign and encrypt messages by default or to selectively sign and encrypt individual messages. Identities used with S/MIME can be delivered to Apple devices using a configuration profile, a mobile device management (MDM) solution, the Simple Certificate Enrollment Protocol (SCEP), or Microsoft Active Directory Certificate Authority.
Smart cards

macOS 10.12 or later includes native support for personal identity verification (PIV) cards. These cards are widely used in commercial and government organizations for two-factor authentication, digital signing, and encryption. Smart cards include one or more digital identities that have a pair of public and private keys and an associated certificate. Unlocking a smart card with the personal identification number (PIN) provides access to the private keys used for authentication, encryption, and signing operations. The certificate determines what a key can be used for, what attributes are associated with it, and whether it's validated (signed) by a CA.

Smart cards can be used for two-factor authentication. The two factors needed to unlock a card are "something the user has" (the card) and "something the user knows" (the PIN). macOS 10.12 or later also has native support for smart card login window authentication and client certificate authentication to websites in Safari. It also supports Kerberos authentication using key pairs (PKINIT) for single sign-on to Kerberos-supported services. To learn more about smart cards and macOS, see Intro to smart card integration in the Deployment Reference for Mac.
Encrypted disk images

In macOS, encrypted disk images serve as secure containers in which users can store or transfer sensitive documents and other files. Encrypted disk images are created using Disk Utility, located in /Applications/Utilities/. Disk images can be encrypted using either 128-bit or 256-bit AES encryption. Because a mounted disk image is treated as a local volume connected to a Mac, users can copy, move, and open files and folders stored in it. As with FileVault, the contents of a disk image are encrypted and decrypted in real time. With encrypted disk images, users can safely exchange documents, files, and folders by saving an encrypted disk image to removable media, sending it as a mail message attachment, or storing it on a remote server. For more information on encrypted disk images, see the Disk Utility User Guide.
Keychain architecture in macOS

macOS offers a repository, called Keychain, that conveniently and securely stores usernames and passwords, including digital identities, encryption keys, and secure notes. It can be accessed by opening the Keychain Access app in /Applications/Utilities/. Using a keychain eliminates the requirement to enter (or even remember) the credentials for each resource. An initial default keychain is created for each Mac user, though users can create other keychains for specific purposes.

In addition to user keychains, macOS relies on a number of system-level keychains that maintain authentication assets that aren't user-specific, such as network credentials and public key infrastructure (PKI) identities. One of these keychains, System Roots, is immutable and stores Internet PKI root certificate authority (CA) certificates to facilitate common tasks like online banking and e-commerce. The user can similarly deploy internally provisioned CA certificates to managed Mac computers to help validate internal sites and services.
Keybags

Keybags overview in iOS and iPadOS

The keys for both file and Keychain Data Protection classes are collected and managed in keybags. iOS and iPadOS use the following keybags: user, device, backup, escrow, and iCloud Backup.

User keybag

The user keybag is where the wrapped class keys used in normal operation of the device are stored. For example, when a passcode is entered, NSFileProtectionComplete is loaded from the user keybag and unwrapped. It is a binary property list (.plist) file stored in the No Protection class. For devices with SoCs earlier than the A9, the .plist file contents are encrypted with a key held in Effaceable Storage. In order to give forward security to keybags, this key is wiped and regenerated each time a user changes their passcode. For devices with the A9 or newer SoCs, the .plist file contains a key that indicates that the keybag is stored in a locker protected by a Secure Enclave-controlled anti-replay nonce.

The Secure Enclave manages the user keybag and can be queried regarding a device's lock state. It reports that the device is unlocked only if all the class keys in the user keybag are accessible and have been unwrapped successfully.

Device keybag

The device keybag is used to store the wrapped class keys used for operations involving device-specific data. iOS and iPadOS devices configured for shared use sometimes need access to credentials before any user has logged in; therefore, a keybag that isn't protected by the user's passcode is required. iOS and iPadOS don't support cryptographic separation of per-user file system content, which means the system uses class keys from the device keybag to wrap per-file keys. The Keychain, however, uses class keys from the user keybag to protect items in the user Keychain. In iOS and iPadOS devices configured for use by a single user (the default configuration), the device keybag and the user keybag are one and the same, and are protected by the user's passcode.
Backup keybag

The backup keybag is created when an encrypted backup is made by iTunes (in macOS 10.14 or earlier) or the Finder (macOS 10.15 or later) and stored on the computer to which the device is backed up. A new keybag is created with a new set of keys, and the backed-up data is reencrypted to these new keys. As explained previously, non-migratory Keychain items remain wrapped with the UID-derived key, allowing them to be restored to the device they were originally backed up from but rendering them inaccessible on a different device.

The keybag, protected with the password set in iTunes (in macOS 10.14 or earlier) or the Finder (macOS 10.15 or later), is run through 10 million iterations of PBKDF2. Despite this large iteration count, there's no tie to a specific device, and therefore a brute-force attack parallelized across many computers could theoretically be attempted on the backup keybag. This threat can be mitigated with a sufficiently strong password. If a user chooses not to encrypt the backup, the files aren't encrypted regardless of their Data Protection class, but the Keychain remains protected with a UID-derived key. This is why Keychain items migrate to a new device only if a backup password is set.
Escrow keybag

The escrow keybag is used for iTunes syncing and mobile device management (MDM). This keybag allows iTunes to back up and sync without requiring the user to enter a passcode, and it allows an MDM solution to remotely clear a user's passcode. It is stored on the computer that's used to sync with iTunes, or on the MDM solution that remotely manages the device.

The escrow keybag improves the user experience during device synchronization, which potentially requires access to all classes of data. When a passcode-locked device is first connected to iTunes, the user is prompted to enter a passcode. The device then creates an escrow keybag containing the same class keys used on the device, protected by a newly generated key. The escrow keybag and the key protecting it are split between the device and the host or server, with the data stored on the device in the Protected Until First User Authentication class. This is why the device passcode must be entered before the user backs up with iTunes for the first time after a reboot.

In the case of an over-the-air (OTA) software update, the user is prompted for their passcode when initiating the update. This is used to securely create a one-time Unlock Token, which unlocks the user keybag after the update. This token can't be generated without entering the user's passcode, and any previously generated token is invalidated if the user's passcode changed.

One-time Unlock Tokens are either for attended or unattended installation of a software update. They are encrypted with a key derived from the current value of a monotonic counter in the Secure Enclave, the UUID of the keybag, and the Secure Enclave's UID. For devices with SoCs earlier than the A9, incrementing the one-time Unlock Token counter in the Secure Enclave invalidates any existing token. The counter is incremented when a token is used, after the first unlock of a restarted device, when a software update is canceled (by the user or by the system), or when the policy timer for a token has expired. On A9 (and newer) SoCs, the one-time Unlock Token no longer relies on counters or Effaceable Storage. Instead, it's protected by a Secure Enclave-controlled anti-replay nonce.

The one-time Unlock Token for attended software updates expires after 20 minutes. Prior to iOS 13, this token is exported from the Secure Enclave and is written to Effaceable Storage. A policy timer increments the counter if the device hasn't rebooted within 20 minutes. In iOS 13 and iPadOS 13.1, the token is stored in a locker protected by the Secure Enclave.

Unattended software updates occur when the system detects an update is available and:

• Automatic updates are configured in iOS 12 (or later), or
• The user chooses "Install Later" when notified of the update

After the user enters their passcode, a one-time Unlock Token is generated and can remain valid in the Secure Enclave for up to 8 hours. If the update hasn't yet occurred, this one-time Unlock Token is destroyed on every lock and recreated on every subsequent unlock. Each unlock restarts the 8-hour window. After 8 hours a policy timer invalidates the one-time Unlock Token.
iCloud Backup keybag

The iCloud Backup keybag is similar to the backup keybag. All the class keys in this keybag are asymmetric (using Curve25519, like the Protected Unless Open Data Protection class). An asymmetric keybag is also used for the backup in the Keychain recovery aspect of iCloud Keychain.
App Security

App security overview

Apps are among the most critical elements of a modern security architecture. While apps provide amazing productivity benefits for users, they also have the potential to negatively impact system security, stability, and user data if they're not handled properly. Because of this, Apple provides layers of protection to ensure that apps are free of known malware and haven't been tampered with. Additional protections enforce that access from apps to user data is carefully mediated. These security controls provide a stable, secure platform for apps, enabling thousands of developers to deliver hundreds of thousands of apps for iOS, iPadOS, and macOS, all without impacting system integrity. And users can access these apps on their Apple devices without undue fear of viruses, malware, or unauthorized attacks.

On iPhone, iPad, and iPod touch, all apps are obtained from the App Store, and all apps are sandboxed, to provide the tightest controls. On Mac, many apps are obtained from the App Store, but Mac users also download and use apps from the Internet. To safely support Internet downloading, macOS layers additional controls. First, by default on macOS 10.15 or later, all Mac apps need to be notarized by Apple to launch. This requirement ensures that these apps are free of known malware without requiring that the apps be provided through the App Store. In addition, macOS includes state-of-the-art anti-virus protection to block, and if necessary remove, malware.

As an additional control across platforms, sandboxing helps protect user data from unauthorized access by apps. And in macOS, data in critical areas is itself sandboxed, which ensures that users remain in control of access to files in Desktop, Documents, Downloads, and other areas from all apps, whether the apps attempting access are themselves sandboxed or not.

Native capability | Third-party equivalent
Plug-in unapproved list, Safari extension unapproved list | Virus/malware definitions
File quarantine | Virus/malware definitions
XProtect/Yara signatures | Virus/malware definitions
MRT (Malware Removal Tool) | Endpoint protection
Gatekeeper | Endpoint protection. Enforces code signing on apps to ensure only trusted software runs.
eficheck (necessary for Mac computers without an Apple T2 Security Chip) | Endpoint protection: rootkit detection
Application firewall | Endpoint protection: firewalling
Packet Filter (pf) | Firewall solutions
System Integrity Protection | Only Apple can provide this
Mandatory Access Controls | Only Apple can provide this
KEXT exclude list | Only Apple can provide this
Mandatory app code signing | Only Apple can provide this
App notarization | Only Apple can provide this

App security in iOS and iPadOS

iOS and iPadOS app security overview

Unlike other mobile platforms, iOS and iPadOS don't allow users to install potentially malicious unsigned apps from websites, or run untrusted apps.
At runtime, code signature checks of all executable memory pages are made as they are loaded to ensure that an app hasn't been modified since it was installed or last updated. After an app is verified to be from an approved source, iOS and iPadOS enforce security measures designed to prevent it from compromising other apps or the rest of the system.

App code signing process

Mandatory code signing

After the iOS or iPadOS kernel has started, it controls which user processes and apps can be run. To ensure that all apps come from a known and approved source and haven't been tampered with, iOS and iPadOS require that all executable code be signed using an Apple-issued certificate. Apps provided with the device, like Mail and Safari, are signed by Apple. Third-party apps must also be validated and signed using an Apple-issued certificate. Mandatory code signing extends the concept of chain of trust from the OS to apps and prevents third-party apps from loading unsigned code resources or using self-modifying code.

How developers sign their apps

Certificate validation

To develop and install apps on iOS or iPadOS devices, developers must register with Apple and join the Apple Developer Program. The real-world identity of each developer, whether an individual or a business, is verified by Apple before their certificate is issued. This certificate enables developers to sign apps and submit them to the App Store for distribution. As a result, all apps in the App Store have been submitted by an identifiable person or organization, serving as a deterrent to the creation of malicious apps. They have also been reviewed by Apple to ensure they generally operate as described and don't contain obvious bugs or other notable problems. In addition to the technology already discussed, this curation process gives users confidence in the quality of the apps they buy.

Validation of dynamic libraries

iOS and iPadOS allow developers to embed frameworks inside of their apps, which can be used by the app itself or by extensions embedded within the app. To protect the system and other apps from loading third-party code inside of their address space, the system performs a code signature validation of all the dynamic libraries that a process links against at launch time. This verification is accomplished through the team identifier (Team ID), which is extracted from an Apple-issued certificate. A team identifier is a 10-character alphanumeric string; for example, 1A2B3C4D5F. A program may link against any platform library that ships with the system or any library with the same team identifier in its code signature as the main executable. Since the executables shipping as part of the system don't have a team identifier, they can only link against libraries that ship with the system itself.
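The Team ID rule above is small enough to state as code, including the case the last sentence calls out (a system executable has no Team ID and may therefore load platform libraries only). The following is an added example written for this page, not Apple's code and not dyld's logic: a code-signature record is a plain dict carrying the two facts the text mentions, whether the signature validated and which Team ID (if any) it carries. The field names, the sample paths, and the uppercase 10-character format check are assumptions; the decision rules are the page's.

```python
"""Load-time Team ID check for dynamic libraries. Added example, not Apple's code;
signature records and paths are constructed."""
import re

TEAM_ID_FORMAT = re.compile(r"[A-Z0-9]{10}")   # 10-character alphanumeric, e.g. 1A2B3C4D5F


def team_id(signature):
    """Team ID from a validated signature; None means a platform binary (no Team ID)."""
    if not signature.get("valid"):
        raise ValueError("code signature did not validate: " + signature["path"])
    tid = signature.get("team_id")
    if tid is not None and not TEAM_ID_FORMAT.fullmatch(tid):
        raise ValueError("malformed Team ID %r in %s" % (tid, signature["path"]))
    return tid


def may_link(main_executable, library):
    """True if the loader may map `library` into the process of `main_executable`."""
    try:
        exe_team = team_id(main_executable)
        lib_team = team_id(library)
    except ValueError:
        return False
    if lib_team is None:               # platform library shipped with the system: always allowed
        return True
    if exe_team is None:               # system executable: platform libraries only
        return False
    return exe_team == lib_team        # third-party library: must carry the app's own Team ID


def check_link_set(main_executable, libraries):
    """Return (path, reason) for every library that would be refused at launch."""
    exe_team = team_id(main_executable)   # a main executable that does not validate cannot launch at all
    refused = []
    for lib in libraries:
        if may_link(main_executable, lib):
            continue
        if not lib.get("valid"):
            reason = "code signature invalid"
        elif exe_team is None:
            reason = "system executables may load platform libraries only"
        else:
            reason = "Team ID %s does not match %s" % (lib.get("team_id"), exe_team)
        refused.append((lib["path"], reason))
    return refused
```

The asymmetry is the point: a platform library may be loaded by anything, while a third-party library may be loaded only into processes signed under the same team, so an app cannot be made to load another vendor's code through its embedded frameworks, and a system process cannot be made to load any third-party library at all.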
Verifying enterprise apps

Businesses also have the ability to write in-house apps for use within their organization and distribute them to their employees. Businesses and organizations can apply to the Apple Developer Enterprise Program (ADEP) with a D-U-N-S number. Apple approves applicants after verifying their identity and eligibility. After an organization becomes a member of ADEP, it can register to obtain a provisioning profile that permits in-house apps to run on devices it authorizes. Users must have the provisioning profile installed to run the in-house apps. This ensures that only the organization's intended users are able to load the apps onto their iOS and iPadOS devices. Apps installed through mobile device management (MDM) are implicitly trusted because the relationship between the organization and the device is already established. Otherwise, users have to approve the app's provisioning profile in Settings. Organizations can restrict users from approving apps from unknown developers. On first launch of any enterprise app, the device must receive positive confirmation from Apple that the app is allowed to run.
Security of runtime process

Sandboxing

All third-party apps are "sandboxed," so they are restricted from accessing files stored by other apps or from making changes to the device. Sandboxing prevents apps from gathering or modifying information stored by other apps. Each app has a unique home directory for its files, which is randomly assigned when the app is installed. If a third-party app needs to access information other than its own, it does so only by using services explicitly provided by iOS and iPadOS.

System files and resources are also shielded from the user's apps. The majority of iOS and iPadOS runs as the nonprivileged user "mobile," as do all third-party apps. The entire OS partition is mounted as read-only. Unnecessary tools, such as remote login services, aren't included in the system software, and APIs don't allow apps to escalate their own privileges to modify other apps or iOS and iPadOS.

Use of entitlements

Access by third-party apps to user information, and to features such as iCloud and extensibility, is controlled using declared entitlements. Entitlements are key-value pairs that are signed into an app and allow authentication beyond runtime factors, like UNIX user ID. Since entitlements are digitally signed, they can't be changed. Entitlements are used extensively by system apps and daemons to perform specific privileged operations that would otherwise require the process to run as root. This greatly reduces the potential for privilege escalation by a compromised system app or daemon. In addition, apps can only perform background processing through system-provided APIs. This enables apps to continue to function without degrading performance or dramatically impacting battery life.
Further protections

Address Space Layout Randomization
Address Space Layout Randomization (ASLR) protects against the exploitation of memory corruption bugs. Built-in apps use ASLR to ensure that all memory regions are randomized upon launch. Randomly arranging the memory addresses of executable code, system libraries, and related programming constructs reduces the likelihood of many sophisticated exploits. For example, a return-to-libc attack attempts to trick a device into executing malicious code by manipulating memory addresses of the stack and system libraries. Randomizing the placement of these makes the attack far more difficult to execute, especially across multiple devices. Xcode, the development environment for iOS and iPadOS, automatically compiles third-party programs with ASLR support turned on.

Execute Never
Further protection is provided by iOS and iPadOS using ARM's Execute Never (XN) feature, which marks memory pages as non-executable. Memory pages marked as both writable and executable can be used only by apps under tightly controlled conditions: the kernel checks for the presence of the Apple-only dynamic code-signing entitlement. Even then, only a single mmap call can be made to request an executable and writable page, which is given a randomized address. Safari uses this functionality for its JavaScript JIT compiler.
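Because entitlements are the mechanism behind both the privilege model above and the JIT exception, a practical check is to audit what an app actually carries. The following Python script is an added example, not code from Apple's guide: it parses an entitlements property list of the kind that `codesign -d --entitlements :- App.app` prints on macOS and flags keys a third-party app should not ship with. The sample plist, team ID and bundle identifiers are constructed. The key names are public entitlement keys, except that treating `dynamic-codesigning` as the Apple-only JIT entitlement referred to above is this example's assumption.

```python
import plistlib

# Constructed sample: the entitlements plist embedded in an app's code signature,
# in the XML form that `codesign -d --entitlements :- App.app` prints on macOS.
# Team ID and bundle identifiers are invented.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>ABCDE12345.com.example.app</string>
    <key>com.apple.security.application-groups</key>
    <array><string>group.com.example.shared</string></array>
    <key>keychain-access-groups</key>
    <array><string>ABCDE12345.com.example.app</string></array>
    <key>com.apple.developer.associated-domains</key>
    <array><string>webcredentials:example.com</string></array>
    <key>get-task-allow</key>
    <true/>
    <key>dynamic-codesigning</key>
    <true/>
</dict>
</plist>
"""

# Entitlement keys that only Apple-signed binaries legitimately carry. Assumption:
# "dynamic-codesigning" is the Apple-only JIT entitlement the text refers to.
APPLE_ONLY = {"dynamic-codesigning", "platform-application",
              "com.apple.private.security.no-sandbox"}
# Debugger-attach entitlements: present in development builds, must be false in release.
DEBUG_ONLY = {"get-task-allow", "com.apple.security.get-task-allow"}
# macOS hardened-runtime exceptions that re-enable writable+executable memory,
# unsigned library loading, or dyld environment variables.
RUNTIME_WEAKENING = {
    "com.apple.security.cs.allow-jit",
    "com.apple.security.cs.allow-unsigned-executable-memory",
    "com.apple.security.cs.disable-library-validation",
    "com.apple.security.cs.allow-dyld-environment-variables",
}


def audit_entitlements(plist_bytes):
    """Return the team ID, macOS sandbox flag and a list of (severity, key, reason)."""
    ents = plistlib.loads(plist_bytes)
    findings = []
    for key, value in ents.items():
        if not value:                 # a key set to false or empty grants nothing
            continue
        if key in APPLE_ONLY:
            findings.append(("high", key, "Apple-only entitlement in a third-party signature"))
        elif key in DEBUG_ONLY:
            findings.append(("medium", key, "lets a debugger attach; must be false in release builds"))
        elif key in RUNTIME_WEAKENING:
            findings.append(("medium", key, "weakens the hardened runtime"))
    app_id = ents.get("application-identifier", "")
    team_id = app_id.partition(".")[0]
    # Keychain access groups are namespaced by the signing team; any other prefix
    # would let the app reach keychain items that belong to a different team.
    for group in ents.get("keychain-access-groups", []):
        if team_id and not group.startswith(team_id + "."):
            findings.append(("medium", "keychain-access-groups",
                             f"{group} is not namespaced under team {team_id}"))
    for group in ents.get("com.apple.security.application-groups", []):
        if not group.startswith("group."):
            findings.append(("low", "com.apple.security.application-groups",
                             f"{group} does not use the group. prefix"))
    return {
        "team_id": team_id,
        "macos_app_sandbox": bool(ents.get("com.apple.security.app-sandbox", False)),
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit_entitlements(SAMPLE_ENTITLEMENTS)
    print("team:", report["team_id"], "sandbox:", report["macos_app_sandbox"])
    for severity, key, reason in report["findings"]:
        print(f"[{severity}] {key}: {reason}")
```

On a real device the provisioning profile, not this script, decides whether a signature carrying such keys is honored; the audit is useful before submission and when reviewing a binary of unknown origin.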
Supporting extensions
iOS and iPadOS allow apps to provide functionality to other apps by providing extensions. Extensions are special-purpose signed executable binaries packaged within an app. During installation, the system automatically detects extensions and makes them available to other apps using a matching system.

Extension points
A system area that supports extensions is called an extension point. Each extension point provides APIs and enforces policies for that area. The system determines which extensions are available based on extension point-specific matching rules. The system automatically launches extension processes as needed and manages their lifetime. Entitlements can be used to restrict extension availability to particular system apps. For example, a Today view widget appears only in Notification Center, and a sharing extension is available only from the Sharing pane. Examples of extension points are Today widgets, Share, Actions, Photo Editing, File Provider, and Custom Keyboard.

How extensions communicate
Extensions run in their own address space. Communication between the extension and the app from which it was activated uses interprocess communication mediated by the system framework. They don't have access to each other's files or memory spaces. Extensions are designed to be isolated from each other, from their containing apps, and from the apps that use them. They are sandboxed like any other third-party app and have a container separate from the containing app's container. However, they share the same access to privacy controls as the container app. So if a user grants Contacts access to an app, this grant is extended to the extensions that are embedded within the app, but not to the extensions activated by the app.

How custom keyboards are used
Custom keyboards are a special type of extension since they're enabled by the user for the entire system. Once enabled, a keyboard extension is used for any text field except the passcode input and any secure text view. To restrict the transfer of user data, custom keyboards run by default in a very restrictive sandbox that blocks access to the network, to services that perform network operations on behalf of a process, and to APIs that would allow the extension to exfiltrate typing data. Developers of custom keyboards can request that their extension have Open Access, which lets the system run the extension in the default sandbox after getting consent from the user.

MDM and extensions
For devices enrolled in a mobile device management (MDM) solution, document and keyboard extensions obey Managed Open In rules. For example, the MDM solution can prevent a user from exporting a document from a managed app to an unmanaged Document Provider, or using an unmanaged keyboard with a managed app. Additionally, app developers can prevent the use of third-party keyboard extensions within their app.
Adopting Data Protection in apps
The iOS Software Development Kit (SDK) for iOS and iPadOS offers a full suite of APIs that make it easy for third-party and in-house developers to adopt Data Protection and help ensure the highest level of protection in their apps. Data Protection is available for file and database APIs, including NSFileManager, Core Data, NSData, and SQLite.
The Mail app database (including attachments), managed books, Safari bookmarks, app launch images, and location data are also stored through encryption, with keys protected by the user's passcode on their device. Calendar (excluding attachments), Contacts, Reminders, Notes, Messages, and Photos implement the Data Protection entitlement Protected Until First User Authentication. User-installed apps that don't opt into a specific Data Protection class receive Protected Until First User Authentication by default.
Joining an App Group
Apps and extensions owned by a given developer account can share content when configured to be part of an App Group. It's up to the developer to create the appropriate groups on the Apple Developer Portal and include the desired set of apps and extensions. Once configured to be part of an App Group, apps have access to the following:
- A shared on-volume container for storage, which stays on the device as long as at least one app from the group is installed
- Shared preferences
- Shared Keychain items
The Apple Developer Portal ensures that App Group IDs (GIDs) are unique across the app ecosystem.
Verifying accessories
The Made for iPhone, iPad, and iPod touch (MFi) licensing program provides vetted accessory manufacturers access to the iPod Accessories Protocol (iAP) and the necessary supporting hardware components. When an MFi accessory communicates with an iOS or iPadOS device using a Lightning connector or through Bluetooth, the device asks the accessory to prove it has been authorized by Apple by responding with an Apple-provided certificate, which is verified by the device. The device then sends a challenge, which the accessory must answer with a signed response. This process is entirely handled by a custom integrated circuit (IC) that Apple provides to approved accessory manufacturers and is transparent to the accessory itself.
Accessories can request access to different transport methods and functionality, for example, access to digital audio streams over the Lightning cable, or location information provided over Bluetooth. An authentication IC ensures that only approved accessories are granted full access to the device. If an accessory doesn't support authentication, its access is limited to analog audio and a small subset of serial (UART) audio playback controls.
AirPlay also uses the authentication IC to verify that receivers have been approved by Apple. AirPlay audio and CarPlay video streams use the MFi-SAP (Secure Association Protocol), which encrypts communication between the accessory and device using AES-128 in CTR mode. Ephemeral keys are exchanged using ECDH key exchange (Curve25519) and signed using the authentication IC's 1024-bit RSA key as part of the Station-to-Station (STS) protocol.
App security in macOS

macOS app security overview
App security on macOS consists of a number of overlapping layers, the first of which is the option to run only signed and trusted apps from the App Store. In addition, macOS layers protections to ensure that apps downloaded from the Internet are free of known malware. It offers technologies to detect and remove malware, and offers additional protections designed to prevent untrusted apps from accessing user data. Ultimately, macOS users are free to operate within the security model that makes sense for them, even including running completely unsigned and untrusted code.

App code signing process in macOS
All apps from the App Store are signed by Apple to ensure that they haven't been tampered with or altered. Apple signs any apps provided with Apple devices. In macOS 10.15, all apps distributed outside the App Store must be signed by the developer using an Apple-issued Developer ID certificate (combined with a private key) and notarized by Apple to run under the default Gatekeeper settings. Apps developed in-house should also be signed with an Apple-issued Developer ID so that users can validate their integrity.
On macOS, code signing and notarization work independently, and can be performed by different actors, for different goals. Code signing is performed by the developer using their Developer ID certificate (issued by Apple), and verification of this signature proves to the user that a developer's software hasn't been tampered with since the developer built and signed it. Notarization can be performed by anyone in the software distribution chain and proves that Apple has been provided a copy of the code to check for malware and no known malware was found. The output of notarization is a ticket, which is stored on Apple servers and can be optionally stapled to the app (by anyone) without invalidating the signature of the developer.
Mandatory Access Controls (MACs) require code signing to enable entitlements protected by the system. For example, apps requiring access through the firewall must be code signed with the appropriate MAC entitlement.
Gatekeeper and runtime protection

Gatekeeper
macOS includes a technology called Gatekeeper which ensures that, by default, only trusted software runs on a user's Mac. When a user downloads and opens an app, a plug-in, or an installer package from outside the App Store, Gatekeeper verifies that the software is from an identified developer, is notarized by Apple to be free of known malicious content, and has not been altered. Gatekeeper also requests user approval before opening downloaded software for the first time to make sure the user has not been tricked into running executable code they believed to simply be a data file.
By default, Gatekeeper ensures that all downloaded software has been signed by the App Store or signed by a registered developer and notarized by Apple. Both the App Store review process and the notarization pipeline ensure apps contain no known malware. Therefore, all software in macOS is checked for known malicious content the first time it's opened, regardless of how it arrived on the Mac.
Users and organizations have the option to allow only software installed from the App Store. Furthermore, users can override Gatekeeper's policies to open any software, unless restricted by a mobile device management (MDM) solution. Organizations can use MDM to configure Gatekeeper settings, including allowing software signed with alternate identities. Gatekeeper can also be completely disabled, if necessary.
Gatekeeper protects against the distribution of malicious plug-ins with benign apps, where using the app triggers loading a malicious plug-in without the user's knowledge. When necessary, Gatekeeper opens apps from randomized, read-only locations, preventing the automatic loading of plug-ins distributed alongside the app.

Runtime protection
System files, resources, and the kernel are shielded from a user's app space. All apps from the App Store are sandboxed to restrict access to data stored by other apps. If an app from the App Store needs to access data from another app, it can do so only by using the APIs and services provided by macOS.
Protecting against malware

XProtect
macOS includes built-in antivirus technology called XProtect for the signature-based detection of malware. The system uses YARA signatures, which Apple updates regularly. Apple monitors for new malware infections and strains, and updates signatures automatically, independent from system updates, to help defend Mac computers from malware infections. XProtect automatically detects and blocks the execution of known malware. In macOS 10.15 or later, XProtect checks for known malicious content whenever an app:
- Is first launched
- Has been changed
When XProtect detects known malware, the software is blocked and the user is notified and given the option to move the software to the Trash.

Malware Removal Tool
Should malware make its way onto a Mac, macOS also includes technology to remediate infections. The Malware Removal Tool (MRT) is an engine in macOS that remediates infections based on updates automatically delivered from Apple (as part of automatic updates of system data files and security updates). In addition to monitoring for malware activity in the ecosystem to be able to revoke Developer IDs (if applicable) and issue XProtect updates, Apple also issues updates to MRT to remove malware from any impacted systems that are configured to receive automatic security updates. MRT removes malware upon receiving updated information, and it continues to check for infections on restart and login. MRT doesn't automatically reboot the Mac.

Automatic security updates
Apple issues the updates for XProtect and the Malware Removal Tool automatically based on the latest threat intelligence available. By default, macOS checks for these updates daily. For more information on automatic security updates, see the Apple Support article Automatic security updates.
Controlling app access to files
Apple believes that users should have full transparency, consent, and control over what apps are doing with their data. In macOS 10.15, this model is enforced by the system to ensure that all apps must obtain user consent before accessing files in Documents, Downloads, Desktop, iCloud Drive, or network volumes. In macOS 10.13 or later, apps that require access to the full storage device must be explicitly added in System Preferences. In addition, accessibility and automation capabilities require user permission to ensure they don't circumvent other protections. Depending on the access policy, users may be prompted or must change the setting in System Preferences > Security & Privacy > Privacy:

Accessibility: user must edit system privacy settings
Full internal storage access: user must edit system privacy settings
Files and folders (Desktop, Documents, Downloads, network volumes, and removable volumes): user prompted by app
Automation (Apple events): user prompted by app

Items in the user's Trash are protected from any apps that are using Full Disk Access; the user won't get prompted for app access. If the user wants apps to access the files, they must be moved from the Trash to another location.
A user who enables FileVault on a Mac is asked to provide valid credentials before continuing the boot process and gaining access to specialized startup modes. Without valid login credentials or a recovery key, the entire volume remains encrypted and is protected from unauthorized access, even if the physical storage device is removed and connected to another computer.
To protect data in an enterprise setting, IT should define and enforce FileVault configuration policies using mobile device management (MDM). Organizations have several options for managing encrypted volumes, including institutional recovery keys, personal recovery keys (that can optionally be stored with MDM for escrow), or a combination of both. Key rotation can also be set as a policy in MDM.
Secure features in Notes app

Secure Notes
The Notes app includes a secure notes feature that allows users to protect the contents of specific notes. Secure notes are end-to-end encrypted using a user-provided passphrase that is required to view the notes in iOS, iPadOS, macOS, and the iCloud website. Each iCloud account (including "On my" device accounts) can have a separate passphrase.
When a user secures a note, a 16-byte key is derived from the user's passphrase using PBKDF2 and SHA-256. The note and all of its attachments are encrypted using AES-GCM. New records are created in Core Data and CloudKit to store the encrypted note, attachments, authentication tag, and initialization vector. After the new records are created, the original unencrypted data is deleted. Attachments that support encryption include images, sketches, tables, maps, and websites. Notes containing other types of attachments can't be encrypted, and unsupported attachments can't be added to secure notes.
To view a secure note, the user must enter their passphrase or authenticate using Touch ID or Face ID. After successfully authenticating the user, whether to view or create a secure note, Notes opens a secure session. While the secure session is open, the user can view or secure other notes without additional authentication. However, the secure session applies only to notes protected with the provided passphrase. The user still needs to authenticate for notes protected by a different passphrase. The secure session is closed when:
- The user taps the Lock Now button in Notes
- Notes is switched to the background for more than 3 minutes (8 minutes in macOS)
- The iOS or iPadOS device locks
To change the passphrase on a secure note, the user must enter the current passphrase, as Touch ID and Face ID aren't available when changing the passphrase. After choosing a new passphrase, the Notes app rewraps the keys of all existing notes in the same account that are encrypted by the previous passphrase.
If a user mistypes the passphrase three times in a row, Notes shows a user-supplied hint, if one was provided by the user at setup. If the user still doesn't remember their passphrase, they can reset it in Notes settings. This feature allows users to create new secure notes with a new passphrase, but it won't allow them to see previously secured notes. The previously secured notes can still be viewed if the old passphrase is remembered. Resetting the passphrase requires the user's iCloud account passphrase.

Shared Notes
Notes that aren't end-to-end encrypted with a passphrase can be shared with others. Shared notes still use the CloudKit encrypted data type for any text or attachments that the user puts in a note. Assets are always encrypted with a key that's encrypted in the CKRecord. Metadata, such as the creation and modification dates, isn't encrypted. CloudKit manages the process by which participants can encrypt and decrypt each other's data.
Secure features in Shortcuts app
In the Shortcuts app, shortcuts are optionally synced across Apple devices using iCloud. Shortcuts can also be shared with other users through iCloud. Shortcuts are stored locally in an encrypted format.
Custom shortcuts are versatile; they're similar to scripts or programs. When downloading shortcuts from the Internet, the user is warned that the shortcut has not been reviewed by Apple and is given the opportunity to inspect the shortcut. To protect against malicious shortcuts, updated malware definitions are downloaded to identify malicious shortcuts at runtime.
Custom shortcuts can also run user-specified JavaScript on websites in Safari when invoked from the share sheet. To protect against malicious JavaScript that, for example, tricks the user into running a script on a social media website that harvests their data, the JavaScript is validated against the aforementioned malware definitions. The first time a user runs JavaScript on a domain, the user is prompted to allow shortcuts containing JavaScript to run on the current web page for that domain.
Services Security

Services security overview
Apple has built a robust set of services to help users get even more utility and productivity out of their devices. These services include Apple ID, iCloud, Sign in with Apple, Apple Pay, iMessage, FaceTime, and Find My. These services provide powerful capabilities for cloud storage and sync, authentication, payment, messaging, communications, and more, all while protecting users' privacy and the security of their data.
Note: Not all Apple services and content are available in all countries or regions.

Apple ID and Managed Apple ID

Apple ID and Managed Apple ID overview
An Apple ID is the account that is used to sign in to Apple services such as iCloud, iMessage, FaceTime, the iTunes Store, App Store, Apple TV app, Book Store, and more. It's important for users to keep their Apple IDs secure to prevent unauthorized access to their accounts. To help with this, Apple IDs require strong passwords that:
- Must be at least eight characters in length
- Must contain both letters and numbers
- Must not contain more than three consecutive identical characters
- Can't be a commonly used password
Users are encouraged to exceed these guidelines by adding extra characters and punctuation marks to make their passwords even stronger.
Apple also notifies users in email and/or push notifications when important changes are made to their account, for example, if a password or billing information has been changed, or the Apple ID has been used to sign in on a new device. If anything looks unfamiliar, users are instructed to change their Apple ID password immediately.
In addition, Apple employs a variety of policies and procedures designed to protect user accounts. These include limiting the number of retries for sign-in and password reset attempts, active fraud monitoring to help identify attacks as they occur, and regular policy reviews that allow Apple to adapt to any new information that could affect user security.
Note: The Managed Apple ID password policy is set by an administrator in Apple School Manager or Apple Business Manager.
Two-factor authentication with Apple ID
To help users further secure their accounts, Apple offers two-factor authentication, an extra layer of security for Apple IDs. It is designed to ensure that only the account's owner can access the account, even if someone else knows the password. With two-factor authentication, a user's account can be accessed only on trusted devices, such as the user's iPhone, iPad, iPod touch, or Mac, or on other devices after completing a verification from one of these trusted devices or a trusted phone number. To sign in for the first time on any new device, two pieces of information are required: the Apple ID password and a six-digit verification code that's displayed on the user's trusted devices or sent to a trusted phone number. By entering the code, the user confirms that they trust the new device and that it's safe to sign in. Because a password alone is no longer enough to access a user's account, two-factor authentication improves the security of the user's Apple ID and all the personal information they store with Apple.
It is integrated directly into iOS, iPadOS, macOS, tvOS, watchOS, and the authentication systems used by Apple websites. When a user signs in to an Apple website using a web browser, a second-factor request is sent to all trusted devices associated with the user's iCloud account, requesting approval of the web session. In cases where the user is signing in to an Apple website from a browser on a trusted device, they see the code displayed locally on the device they are using. Entering it approves the web session using the user's trusted device.

Account recovery
An Apple ID account can be restored if the password is forgotten by using a trusted device to reset the Apple ID password. If a trusted device isn't available but the password is known, a trusted phone number can be used to authenticate through SMS verification. In addition, a previously used passcode can be used to reset the Apple ID password in conjunction with SMS verification to provide immediate recovery for an Apple ID. If these options are not possible, then the account recovery process must be followed. See the Apple Support article Recover your Apple ID when you can't reset your password.

Two-step verification with Apple ID
Since 2013, Apple has also offered a similar security method called two-step verification. When two-step verification is enabled, the user's identity must be verified using a temporary code sent to one of the user's trusted devices. Two-step verification is required before changes are permitted to their Apple ID account information; before signing in to iCloud, iMessage, FaceTime, or Game Center; and before a purchase is made with a new device from the iTunes Store, the App Store, the Apple TV app, or Apple Books. Users are also provided with a 14-character Recovery Key to be stored in a safe place in case they ever forget their password or lose access to their trusted devices.
While most new users are encouraged to use two-factor authentication, there are still some situations where two-step verification is recommended instead.
Managed Apple IDs
Managed Apple IDs function much like an Apple ID, but are owned and controlled by enterprise or educational organizations. These organizations can reset passwords, limit purchasing and communications such as FaceTime and Messages, and set up role-based permissions for employees, staff members, teachers, and students. For Managed Apple IDs, some services are disabled (for example, Apple Pay, iCloud Keychain, HomeKit, and Find My).

Inspecting Managed Apple IDs
Managed Apple IDs also support inspection, which allows organizations to comply with legal and privacy regulations. An Apple School Manager administrator, manager, or teacher can inspect specific Managed Apple ID accounts. Inspectors can monitor only accounts that are below them in the organization's hierarchy. For example, teachers can monitor students, managers can inspect teachers and students, and administrators can inspect managers, teachers, and students.
When inspection credentials are requested using Apple School Manager, a special account is issued that has access to only the Managed Apple ID for which inspection was requested. The inspector can then read and modify the user's content stored in iCloud or CloudKit-enabled apps. Every request for auditing access is logged in Apple School Manager. The logs show who the inspector was, the Managed Apple ID the inspector requested access to, the time of the request, and whether the inspection was performed.

Managed Apple IDs and personal devices
Managed Apple IDs can also be used with personally owned iOS and iPadOS devices and Mac computers. Students sign in to iCloud using the Managed Apple ID issued by the institution and an additional home-use password that serves as the second factor of the Apple ID two-factor authentication process. While using a Managed Apple ID on a personal device, iCloud Keychain isn't available, and the institution might restrict other features such as FaceTime or Messages. Any iCloud documents created by students when they are signed in are subject to audit as described previously in this section.
iCloud

iCloud overview
iCloud stores a user's contacts, calendars, photos, documents, and more, and keeps the information up to date across all of their devices, automatically. iCloud can also be used by third-party apps to store and sync documents, as well as key values for app data as defined by the developer. Users set up iCloud by signing in with an Apple ID and choosing which services they would like to use. Certain iCloud features, iCloud Drive, and iCloud Backup can be disabled by IT administrators using mobile device management (MDM) configuration profiles. The service is agnostic about what is being stored and handles all file content the same way, as a collection of bytes.
Each file is broken into chunks and encrypted by iCloud using AES-128 with a key derived from each chunk's contents using SHA-256. The keys and the file's metadata are stored by Apple in the user's iCloud account. The encrypted chunks of the file are stored, without any user-identifying information or the keys, using both Apple and third-party storage services, such as Amazon Web Services or Google Cloud Platform, but these partners don't have the keys to decrypt the user's data stored on their servers.

iCloud Drive
iCloud Drive adds account-based keys to protect documents stored in iCloud. iCloud Drive chunks and encrypts file contents and stores the encrypted chunks using third-party services. However, the file content keys are wrapped by record keys stored with the iCloud Drive metadata. These record keys are in turn protected by the user's iCloud Drive Service Key, which is then stored with the user's iCloud account. Users get access to their iCloud documents' metadata by having authenticated with iCloud, but they must also possess the iCloud Drive Service Key to expose protected parts of iCloud Drive storage.
iCloud Backup
iCloud also backs up information, including device settings, app data, photos and videos in the Camera Roll, and conversations in the Messages app, daily over Wi-Fi. iCloud secures the content by encrypting it when it's sent over the Internet, storing it in an encrypted format, and using secure tokens for authentication. iCloud Backup occurs only when the device is locked, connected to a power source, and has Wi-Fi access to the Internet. Because of the encryption used in iOS and iPadOS, iCloud Backup is designed to keep data secure while allowing incremental, unattended backup and restoration to occur.
When files are created in Data Protection classes that aren't accessible when the device is locked, their per-file keys are encrypted, using the class keys from the iCloud Backup keybag, and backed up to iCloud in their original, encrypted state. All files are encrypted during transport and, when stored, encrypted using account-based keys, as described in CloudKit.
The iCloud Backup keybag contains asymmetric (Curve25519) keys for Data Protection classes that aren't accessible when the device is locked. The backup set is stored in the user's iCloud account and consists of a copy of the user's files and the iCloud Backup keybag. The iCloud Backup keybag is protected by a random key, which is also stored with the backup set. (The user's iCloud password isn't used for encryption, so changing the iCloud password won't invalidate existing backups.)
While the user's Keychain database is backed up to iCloud, it remains protected by a UID-tangled key. This allows the Keychain to be restored only to the same device from which it originated, and it means no one else, including Apple, can read the user's Keychain items.
On restore, the backed-up files, iCloud Backup keybag, and the key for the keybag are retrieved from the user's iCloud account. The iCloud Backup keybag is decrypted using its key, then the per-file keys in the keybag are used to decrypt the files in the backup set, which are written as new files to the file system, thus reencrypting them according to their Data Protection class.
iCloud Backup contents
The following content is backed up using iCloud Backup:
- Records for purchased music, movies, TV shows, apps, and books. A user's iCloud Backup includes information about purchased content present on the user's device, but not the purchased content itself. When the user restores from an iCloud Backup, their purchased content is automatically downloaded from the iTunes Store, the App Store, the Apple TV app, or Apple Books. Some types of content aren't downloaded automatically in all countries or regions, and previous purchases may be unavailable if they have been refunded or are no longer available in the store. Full purchase history is associated with a user's Apple ID.
- Photos and videos on a user's devices. Note that if a user turns on iCloud Photos in iOS 8.1, iPadOS 13.1, or OS X 10.10.3 (or later), their photos and videos are already stored in iCloud, so they aren't included in the user's iCloud Backup.
- Contacts, calendar events, reminders, and notes
- Device settings
- App data
- Home screen and app organization
- HomeKit configuration
- Medical ID data
- Visual Voicemail password (requires the SIM card that was in use during backup)
- iMessage, Business Chat, text (SMS), and MMS messages (requires the SIM card that was in use during backup)
When Messages in iCloud is enabled, iMessage, Business Chat, text (SMS), and MMS messages are removed from the user's existing iCloud Backup, and are instead stored in an end-to-end encrypted CloudKit container for Messages. The user's iCloud Backup retains a key to that container. If the user subsequently disables iCloud Backup, that container's key is rolled, the new key is stored only in iCloud Keychain (inaccessible to Apple and any third parties), and new data written to the container can't be decrypted with the old container key.
The key used to restore the messages in iCloud Backup is placed in two locations: iCloud Keychain and a backup in CloudKit. The backup in CloudKit is made if iCloud Backup is enabled, and it is restored unconditionally, regardless of whether the user restores an iCloud backup or not.
CloudKit end-to-end encryption
Many Apple services, listed in the Apple Support article iCloud security overview, use end-to-end encryption with a CloudKit Service Key protected by iCloud Keychain syncing. For these CloudKit containers, the key hierarchy is rooted in iCloud Keychain and therefore shares the security characteristics of iCloud Keychain, namely, the keys are available only on the user's trusted devices, and not to Apple or any third party. If access to iCloud Keychain data is lost, the data in CloudKit is reset; and if data is available from the trusted local device, it's uploaded again to CloudKit. For more information, see Escrow security for iCloud Keychain.
Messages in iCloud also uses CloudKit end-to-end encryption with a CloudKit Service Key protected by iCloud Keychain syncing. If the user has enabled iCloud Backup, the CloudKit Service Key used for the Messages in iCloud container is backed up to iCloud to allow the user to recover their messages even if they have lost access to iCloud Keychain and their trusted devices. This iCloud Service Key is rolled whenever the user turns off iCloud Backup.

User recovery options for CloudKit end-to-end encryption, by situation:
- Access to trusted device: data recovery possible using a trusted device or iCloud Keychain recovery.
- No trusted devices: data recovery only possible using iCloud Keychain recovery.
- iCloud Backup enabled and access to trusted device: data recovery possible using iCloud Backup, access to a trusted device, or iCloud Keychain recovery.
- iCloud Backup enabled and no access to trusted device: data recovery possible using iCloud Backup or iCloud Keychain recovery.
- iCloud Backup disabled and access to trusted device: data recovery possible using a trusted device or iCloud Keychain recovery.
- Backup disabled and no trusted devices: data recovery only possible using iCloud Keychain recovery.
Passcode and password management

Passcode and password management overview
iOS, iPadOS, and macOS offer a number of features to make it easy for users to securely and conveniently authenticate to third-party apps and websites that use passwords for authentication. The best way to manage passwords is not to have to use one. Sign in with Apple lets users sign in to third-party apps and websites without having to create and manage an additional account or password, while protecting the sign-in with their two-factor authentication for Apple ID. For sites that don't support Sign in with Apple, Automatic Strong Passwords enables a user's devices to automatically create, sync, and enter unique strong passwords for sites and apps.
Passwords are saved to a special Password AutoFill Keychain that is user controlled and manageable, in iOS and iPadOS, by going to Settings > Passwords & Accounts > Website & App Passwords. In macOS, saved passwords can be managed in Safari Passwords preferences. This sync system can also be used to sync passwords that are manually created by the user.

Sign in with Apple
Sign in with Apple is a privacy-friendly alternative to other single sign-on systems. It provides the convenience and efficiency of one-tap sign-in while giving the user more transparency and control over their personal information. Sign in with Apple allows users to set up an account and sign in to apps and websites using the Apple ID they already have, and it gives them more control over their personal information. Apps can only ask for the user's name and email address when setting up an account, and the user always has a choice: they can share their personal email address with an app, or choose to keep their personal email private and use Apple's private email relay service instead. This email relay service shares a unique, anonymized email address that forwards to the user's personal address so they can still receive useful communication from the developer while maintaining a degree of privacy and control over their personal information.
Sign in with Apple is built for security. Every Sign in with Apple user is required to have two-factor authentication enabled. Two-factor authentication helps secure not only the user's Apple ID but also the accounts they establish with their apps. Furthermore, Apple has developed and integrated a privacy-friendly anti-fraud signal into Sign in with Apple that gives developers confidence that the new users they acquire are real people and not bots or scripted accounts.
Automatic Strong Passwords

When iCloud Keychain is enabled, iOS, iPadOS, and macOS create strong, random, unique passwords when users sign up for or change their password on a website in Safari. In iOS and iPadOS, Automatic Strong Passwords is also available in apps. Users must opt out of using strong passwords. Generated passwords are saved in the keychain and synchronized across devices with iCloud Keychain, when it's enabled.

By default, passwords generated by iOS and iPadOS are 20 characters long. They contain one digit, one uppercase character, two hyphens, and 16 lowercase characters. These generated passwords are strong, containing 71 bits of entropy.

Passwords are generated based on heuristics that determine whether a password-field experience is for password creation. If the heuristic fails to recognize a password context as for password creation, app developers can set UITextContentType.newPassword on their text field, and web developers can set autocomplete="new-password" on their elements.

To ensure that generated passwords are compatible with the relevant services, apps and websites can provide rules. Developers provide these rules using UITextInputPasswordRules or the passwordrules attribute on their elements. Devices then generate the strongest password they can that fulfills these rules.
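The rules-driven generation described above, as an added example (not Apple's generator and not code from this document): a parser for a subset of the passwordrules grammar (required, allowed, minlength, maxlength; the character-class names are the documented ones, but the "special" set here is a constructed approximation and "max-consecutive", "unicode" and custom classes are not handled), and a generator that picks the longest length the rules permit and draws from the allowed alphabet with a CSPRNG.

```python
import secrets
import string

# Character classes of the Password Rules grammar handled by this parser
# (assumption: a subset; "unicode", custom "[...]" classes and
# "max-consecutive" are not modelled). The "special" set is a constructed
# approximation of the documented one.
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set("-~!@#$%^&*_+=`|(){}[:;\"'<>,.? ]"),
    "ascii-printable": {chr(c) for c in range(0x20, 0x7F)},
}
DEFAULT_LENGTH = 20  # the default length of generated passwords stated on the page


def parse_password_rules(rules):
    """Parse 'required: upper; required: digit; allowed: lower; minlength: 12;'
    into {'required': [set, ...], 'allowed': set, 'minlength': int,
    'maxlength': int or None}."""
    spec = {"required": [], "allowed": set(), "minlength": 1, "maxlength": None}
    for clause in rules.split(";"):
        clause = clause.strip()
        if not clause:
            continue
        prop, sep, value = clause.partition(":")
        if not sep:
            raise ValueError(f"malformed clause: {clause!r}")
        prop, value = prop.strip().lower(), value.strip()
        if prop in ("minlength", "maxlength"):
            spec[prop] = int(value)
        elif prop in ("required", "allowed"):
            chars = set()
            for name in value.split(","):
                name = name.strip().lower()
                if name not in CLASSES:
                    raise ValueError(f"unsupported character class: {name!r}")
                chars |= CLASSES[name]
            if prop == "required":
                spec["required"].append(chars)
            spec["allowed"] |= chars  # required classes are implicitly allowed
        else:
            raise ValueError(f"unsupported property: {prop!r}")
    if not spec["allowed"]:
        spec["allowed"] = set(CLASSES["ascii-printable"])
    if spec["maxlength"] is not None and spec["minlength"] > spec["maxlength"]:
        raise ValueError("minlength exceeds maxlength")
    return spec


def generate_password(spec):
    """Generate the strongest password the rules allow: as long as the site
    permits (default 20, never below minlength, capped at maxlength), drawn
    from the allowed alphabet with one character from each required class."""
    length = max(spec["minlength"], DEFAULT_LENGTH)
    if spec["maxlength"] is not None:
        length = min(length, spec["maxlength"])
    if len(spec["required"]) > length:
        raise ValueError("more required classes than characters")
    alphabet = sorted(spec["allowed"])
    chars = [secrets.choice(sorted(cls)) for cls in spec["required"]]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    for i in range(len(chars) - 1, 0, -1):  # Fisher-Yates with the CSPRNG so
        j = secrets.randbelow(i + 1)        # required characters land anywhere
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def satisfies(password, spec):
    """Check a candidate against the parsed rules (what the site enforces)."""
    chars = set(password)
    ok_len = spec["minlength"] <= len(password) and (
        spec["maxlength"] is None or len(password) <= spec["maxlength"])
    return ok_len and chars <= spec["allowed"] and all(chars & cls for cls in spec["required"])
```

The parser rejects anything it does not understand rather than silently ignoring it; a rule a generator cannot honor is better surfaced than guessed at, since a password that violates the site's rules is rejected at signup and never saved.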
Password AutoFill

Password AutoFill automatically fills credentials stored in the keychain. The iCloud Keychain password manager and Password AutoFill provide the following features:
- Filling credentials in apps and websites
- Generating strong passwords
- Saving passwords in both apps and websites in Safari
- Sharing passwords securely to a user's contacts
- Providing passwords to a nearby Apple TV that's requesting credentials
Generating and saving passwords within apps, as well as providing passwords to Apple TV, are available only in iOS and iPadOS.

Password AutoFill in apps

iOS and iPadOS allow users to input saved usernames and passwords into credential-related fields in apps, similar to how Password AutoFill works in Safari. In iOS and iPadOS, users do this by tapping a key affordance in the software keyboard's QuickType bar. In macOS, for apps built with Mac Catalyst, a Passwords drop-down menu appears below credential-related fields.

When an app is strongly associated with a website using the same app-website association mechanism, powered by the apple-app-site-association file, the iOS and iPadOS QuickType bar and macOS drop-down menu directly suggest credentials for the app, if any are saved to the Password AutoFill Keychain. This allows users to choose to disclose Safari-saved credentials to apps with the same security properties, but without apps having to adopt an API.

Password AutoFill exposes no credential information to an app until a user consents to release a credential to the app. The credential lists are drawn or presented out of the app's process. When an app and website have a trusted relationship and a user submits credentials within an app, iOS and iPadOS may prompt the user to save those credentials to the Password AutoFill Keychain for later use.
App access to saved passcodes

iOS and iPadOS apps can interact with the Password AutoFill Keychain using the following two APIs:
- SecRequestSharedWebCredential
- SecAddSharedWebCredential
iOS, iPadOS, and macOS apps can request the Password AutoFill Keychain's help with signing a user in using ASAuthorizationPasswordProvider. The Password provider and its request can be used in conjunction with Sign in with Apple, so that the same API call helps users sign in to an app, regardless of whether the user's account is password based or was created using Sign in with Apple.

Apps can access saved passwords only if the app developer and website administrator have given their approval and the user has given consent. App developers express their intent to access Safari saved passwords by including an entitlement in their app. The entitlement lists the fully qualified domain names of associated websites, and the websites must place a file on their server listing the unique app identifiers of apps approved by Apple.

When an app with the com.apple.developer.associated-domains entitlement is installed, iOS and iPadOS make a TLS request to each listed website, requesting one of the following files:
- apple-app-site-association
- .well-known/apple-app-site-association
If the file lists the app identifier of the app being installed, then iOS and iPadOS mark the website and app as having a trusted relationship. Only with a trusted relationship will calls to these two APIs result in a prompt to the user, who must agree before any passwords are released to the app, updated, or deleted.
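The two-sided check described above (entitlement on the app, file on the site), as an added example written for this page rather than Apple's implementation. The "webcredentials" structure of the apple-app-site-association file and the "webcredentials:domain" entitlement entry form are the documented shapes; the team ID, bundle ID and domains are constructed placeholders, and fetch_https stands in for the TLS request the OS makes at install time.

```python
import json

# Constructed sample apple-app-site-association document. The
# "webcredentials" -> "apps" shape is the documented one; the identifier is
# a placeholder in TEAMID.bundle-id form, not a real app.
SAMPLE_AASA = json.dumps({"webcredentials": {"apps": ["ABCDE12345.com.example.shop"]}})

# The two locations named on the page, tried in that order.
AASA_PATHS = ("/apple-app-site-association", "/.well-known/apple-app-site-association")


def webcredential_domains(associated_domains):
    """Domains from the com.apple.developer.associated-domains entitlement
    that are declared for the webcredentials service (entries look like
    'webcredentials:shop.example.com'); other services are ignored."""
    domains = []
    for entry in associated_domains:
        service, _, domain = entry.partition(":")
        if service.strip() == "webcredentials" and domain.strip():
            domains.append(domain.strip().lower())
    return domains


def site_approves_app(aasa_body, app_id):
    """True only if a well-formed file lists exactly this app identifier.
    A malformed file, a missing section, or a non-list value yields no trust."""
    try:
        apps = json.loads(aasa_body)["webcredentials"]["apps"]
    except (ValueError, KeyError, TypeError):
        return False
    return isinstance(apps, list) and app_id in apps


def trusted_domains(app_id, associated_domains, fetch_https):
    """fetch_https(domain, path) -> body or None stands in for the TLS request
    the OS makes. A domain becomes trusted only when both halves agree: the
    app claims the domain AND a fetched file on that domain approves the app."""
    trusted = []
    for domain in webcredential_domains(associated_domains):
        for path in AASA_PATHS:
            body = fetch_https(domain, path)
            if body is not None and site_approves_app(body, app_id):
                trusted.append(domain)
                break
    return trusted


def sample_fetch(domain, path):
    """Constructed stand-in server: only shop.example.com publishes the file,
    and only at the .well-known location."""
    if domain == "shop.example.com" and path == "/.well-known/apple-app-site-association":
        return SAMPLE_AASA
    return None
```

The membership test is an exact match on the full identifier; a substring or prefix match would let an app with a similar bundle ID inherit the site's approval.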
Password reuse and strength auditing

The Password AutoFill Keychain passwords list in iOS, iPadOS, and macOS indicates which of a user's saved passwords will be reused with other websites, as well as passwords that are considered weak.

Using the same password for more than one service may leave those accounts vulnerable to a credential stuffing attack. If a service is breached and passwords are leaked, attackers may try the same credentials on other services to compromise additional accounts.

Passwords are marked weak if they may be easily guessed by an attacker. iOS, iPadOS, and macOS detect common patterns used to create memorable passwords, such as using words found in a dictionary, common character substitutions (such as using "p4ssw0rd" instead of "password"), patterns found on a keyboard (such as "q12we34r" from a QWERTY keyboard), or repeated sequences (such as "123123"). These patterns are often used to create passwords that satisfy minimum password requirements for services, but are also commonly used by attackers attempting to brute force a password.

Because many services specifically require a four- or six-digit PIN code, these short passcodes are evaluated with different rules. PIN codes are considered weak if they are one of the most common PIN codes, if they are an increasing or decreasing sequence such as "1234" or "8765," or if they follow a repetition pattern, such as "123123" or "123321."

Weak and reused passwords are indicated in the list of passwords. If the user logs in to a website in Safari using a previously saved password that is very weak, such as one of the most common passwords, they are shown an alert strongly encouraging them to upgrade to an Automatic Strong Password.
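An audit that applies the rules listed above to a saved-password list, as an added example (not Apple's detector): it flags reuse across sites, undoes common character substitutions before the dictionary check, detects QWERTY walks such as "q12we34r", repeated blocks such as "123123", and applies the separate PIN rules (common PINs, monotonic runs, repetition and mirror patterns) to four- and six-digit codes. The dictionary, common-PIN list and the credential list are tiny constructed stand-ins for the real lists.

```python
import re

# Constructed, deliberately tiny stand-ins for the dictionary and common-PIN
# lists the OS uses; the real lists are far larger.
DICTIONARY = {"password", "welcome", "dragon", "letmein", "monkey", "qwerty"}
COMMON_PINS = {"0000", "1111", "1212", "2580", "000000", "111111", "123456", "654321"}
# Common "leet" substitutions undone before the dictionary check.
SUBSTITUTIONS = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                               "0": "o", "$": "s", "5": "s", "7": "t"})
QWERTY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY_POS = {ch: (r, c) for r, row in enumerate(QWERTY_ROWS) for c, ch in enumerate(row)}


def is_keyboard_walk(pw, min_len=4):
    """True if some run of min_len characters steps only between keys that are
    adjacent on a QWERTY keyboard (same or neighbouring row, at most one column
    apart), which covers row walks and zig-zags such as "q12we34r"."""
    s = pw.lower()
    run = 1
    for a, b in zip(s, s[1:]):
        if a in KEY_POS and b in KEY_POS and a != b:
            (r1, c1), (r2, c2) = KEY_POS[a], KEY_POS[b]
            if abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1:
                run += 1
                if run >= min_len:
                    return True
                continue
        run = 1
    return False


def is_repeated_sequence(s):
    """A block repeated to fill the string: "123123", "abab", "7777"."""
    n = len(s)
    return any(n % k == 0 and s == s[:k] * (n // k) for k in range(1, n // 2 + 1))


def is_mirrored(s):
    """A block followed by its reverse: "123321", "1221"."""
    h = len(s) // 2
    return len(s) >= 4 and s[:h] == s[-h:][::-1]


def is_monotonic_digits(s):
    """Strictly increasing ("1234") or decreasing ("8765") by one."""
    d = [int(c) for c in s]
    steps = {b - a for a, b in zip(d, d[1:])}
    return steps == {1} or steps == {-1}


def pin_is_weak(pin):
    return (pin in COMMON_PINS or is_monotonic_digits(pin)
            or is_repeated_sequence(pin) or is_mirrored(pin))


def password_is_weak(pw):
    if pw.isdigit() and len(pw) in (4, 6):
        return pin_is_weak(pw)  # short numeric codes get the PIN rules
    normalized = pw.lower().translate(SUBSTITUTIONS)
    letters_only = re.sub(r"[^a-z]", "", normalized)
    return (normalized in DICTIONARY or letters_only in DICTIONARY
            or is_keyboard_walk(pw) or is_repeated_sequence(pw.lower()))


def audit(credentials):
    """credentials: iterable of (site, username, password).
    Returns {(site, username): [flags]} where flags are "reused" and/or "weak"."""
    sites_by_password = {}
    for site, _user, pw in credentials:
        sites_by_password.setdefault(pw, set()).add(site)
    report = {}
    for site, user, pw in credentials:
        flags = []
        if len(sites_by_password[pw]) > 1:
            flags.append("reused")
        if password_is_weak(pw):
            flags.append("weak")
        report[(site, user)] = flags
    return report


# Constructed sample list; the sites and secrets are placeholders.
SAMPLE_CREDENTIALS = [
    ("shop.example.com", "alice", "p4ssw0rd"),
    ("mail.example.net", "alice", "p4ssw0rd"),
    ("bank.example.org", "alice", "2580"),
    ("forum.example.com", "alice", "kzpwte-hvbfar-mkqxde"),
]
```

Reuse is judged by the number of distinct sites sharing a password, so the same password saved twice for one site is not counted as reuse; that matches the credential-stuffing risk the text describes, which is cross-service.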
Sending passwords to other users or devices

AirDrop

When iCloud is enabled, users can AirDrop a saved credential—including the websites it's saved for, its username, and its password—to another device. Sending credentials with AirDrop always operates in Contacts Only mode, regardless of the user's settings. On the receiving device, after user consent, the credentials are stored in the user's Password AutoFill Keychain.

Apple TV

Password AutoFill is available to fill credentials in apps on Apple TV. When the user focuses on a username or password text field in tvOS, Apple TV begins advertising a request for Password AutoFill over Bluetooth Low Energy (BLE). Any nearby iPhone, iPad, or iPod touch displays a prompt inviting the user to share a credential with Apple TV.

Here's how the encryption method is established:
- If the device and Apple TV use the same iCloud account, encryption between the devices happens automatically.
- If the device is signed in to an iCloud account other than the one used by Apple TV, the user is prompted to establish an encrypted connection through use of a PIN code. To receive this prompt, iPhone must be unlocked and in close proximity to the Siri Remote paired to that Apple TV.
After the encrypted connection is made using BLE link encryption, the credential is sent to Apple TV and is automatically filled into the relevant text fields on the app.
Credential provider extensions

In iOS and iPadOS, users can designate a conforming third-party app as a credential provider to AutoFill in Passwords & Accounts settings. This mechanism is built on extensions. The credential provider extension must provide a view for choosing credentials, and can optionally provide iOS and iPadOS metadata about saved credentials so they can be offered directly on the QuickType bar. The metadata includes the website of the credential and the associated username, but not its password. iOS and iPadOS communicate with the extension to get the password when the user chooses to fill it into an app or a website in Safari. Credential metadata is stored inside the credential provider's sandbox, and is automatically removed when an app is uninstalled.
iCloud Keychain

iCloud Keychain overview

iCloud Keychain allows users to securely sync their passwords between iOS and iPadOS devices and Mac computers without exposing that information to Apple. In addition to strong privacy and security, other goals that heavily influenced the design and architecture of iCloud Keychain were ease of use and the ability to recover a Keychain. iCloud Keychain consists of two services: Keychain syncing and Keychain recovery.

Apple designed iCloud Keychain and Keychain recovery so that a user's passwords are still protected under the following conditions:
- A user's iCloud account is compromised.
- iCloud is compromised by an external attacker or employee.
- A third party accesses user accounts.
Keychain syncing

When a user enables iCloud Keychain for the first time, the device establishes a circle of trust and creates a syncing identity for itself. The syncing identity consists of a private key and a public key. The public key of the syncing identity is put in the circle, and the circle is signed twice: first by the private key of the syncing identity, then again with an asymmetric elliptical key (using P-256) derived from the user's iCloud account password. Also stored with the circle are the parameters (random salt and iterations) used to create the key that is based on the user's iCloud password.

The signed syncing circle is placed in the user's iCloud key-value storage area. It can't be read without knowing the user's iCloud password, and can't be modified validly without having the private key of the syncing identity of its member.

When the user turns on iCloud Keychain on another device, iCloud Keychain notices that the user has a previously established syncing circle in iCloud that it isn't a member of. The device creates its syncing identity key pair, then creates an application ticket to request membership in the circle. The ticket consists of the device's public key of its syncing identity, and the user is asked to authenticate with their iCloud password. The elliptical key-generation parameters are retrieved from iCloud and generate a key that is used to sign the application ticket. Finally, the application ticket is placed in iCloud.

When the first device sees that an application ticket has arrived, it asks for the user to acknowledge that a new device is asking to join the syncing circle. The user enters their iCloud password, and the application ticket is verified as signed by a matching private key. Now, the user who generated the request to join the circle can join it.

Upon the user's approval to add the new device to the circle, the first device adds the public key of the new member to the syncing circle, and signs it again with both its syncing identity and the key derived from the user's iCloud password. The new syncing circle is placed in iCloud, where it's similarly signed by the new member of the circle.

There are now two members of the syncing circle, and each member has the public key of its peer. They now begin to exchange individual Keychain items through iCloud key-value storage or store them in CloudKit, whichever is most appropriate for the situation. If both circle members have the same item, the one with the most recent modification date is synced. If the other member has the item and the modification dates are identical, items are skipped. Each item that's synced is encrypted so it can be decrypted only by a device within the user's circle of trust; it can't be decrypted by any other devices or by Apple.

This process is repeated as new devices join the syncing circle. For example, when a third device joins, the confirmation appears on both of the other user's devices. The user can approve the new member from either of those devices. As new peers are added, each peer syncs with the new one to ensure that all members have the same Keychain items.

However, the entire Keychain isn't synced. Some items are device specific, such as VPN identities, and shouldn't leave the device. Only items with the kSecAttrSynchronizable attribute are synced. Apple has set this attribute for Safari user data (including usernames, passwords, and credit card numbers), as well as for Wi-Fi passwords and HomeKit encryption keys. Additionally, by default, Keychain items added by third-party apps don't sync. Developers must set the kSecAttrSynchronizable attribute when adding items to the Keychain.
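The two rules that decide what moves between circle members (newest modification date wins, identical dates are skipped, and items without kSecAttrSynchronizable never leave the device), together with the circle's stored key-derivation parameters, as an added example written for this page and not Apple's implementation. The key derivation is a PBKDF2 stand-in: the page says the real password-based key is a P-256 key, which the standard library cannot produce, and the stores, item names and secrets are constructed placeholders.

```python
import hashlib
import secrets

# Attribute name from the page; items without it never leave the device.
KSEC_ATTR_SYNCHRONIZABLE = "kSecAttrSynchronizable"


class CircleParameters:
    """The salt and iteration count stored with the circle so that a joining
    device can re-derive the password-based key from the iCloud password."""
    def __init__(self, iterations=200_000):
        self.salt = secrets.token_bytes(16)
        self.iterations = iterations


def derive_circle_key(icloud_password, params):
    """PBKDF2-HMAC-SHA256 stand-in for the page's P-256 key derived from the
    iCloud password; what matters here is that the parameters, not the
    password, are what gets stored alongside the circle."""
    return hashlib.pbkdf2_hmac("sha256", icloud_password.encode("utf-8"),
                               params.salt, params.iterations, dklen=32)


def is_synchronizable(item):
    return item.get(KSEC_ATTR_SYNCHRONIZABLE) is True


def sync_pair(local, remote):
    """One exchange between two circle members. Both stores are
    {item_id: {"modified": int, ...payload...}} and are updated in place.
    Returns (pushed_ids, pulled_ids)."""
    pushed, pulled = [], []
    for item_id in sorted(set(local) | set(remote)):
        mine, theirs = local.get(item_id), remote.get(item_id)
        # Device-specific items (VPN identities and the like) are skipped
        # whichever side holds them.
        if (mine is not None and not is_synchronizable(mine)) or \
           (theirs is not None and not is_synchronizable(theirs)):
            continue
        if theirs is None or (mine is not None and mine["modified"] > theirs["modified"]):
            remote[item_id] = dict(mine)
            pushed.append(item_id)
        elif mine is None or theirs["modified"] > mine["modified"]:
            local[item_id] = dict(theirs)
            pulled.append(item_id)
        # Identical modification dates: both sides already agree, nothing moves.
    return pushed, pulled


def make_item(secret, modified, synchronizable):
    """Build a keychain item; the attribute is only present when set, mirroring
    the default of third-party items not syncing."""
    item = {"modified": modified, "secret": secret}
    if synchronizable:
        item[KSEC_ATTR_SYNCHRONIZABLE] = True
    return item
```

The merge deliberately copies items rather than sharing the dictionary objects, so a later local edit on one device does not silently appear on the other without going through the same comparison.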
iCloud Keychain recovery

Keychain recovery provides a way for users to optionally escrow their Keychain with Apple, without allowing Apple to read the passwords and other data it contains. Even if the user has only a single device, Keychain recovery provides a safety net against data loss. This is particularly important when Safari is used to generate random, strong passwords for web accounts, because the only record of those passwords is in the Keychain.

A cornerstone of Keychain recovery is secondary authentication and a secure escrow service, created by Apple specifically to support this feature. The user's Keychain is encrypted using a strong passcode, and the escrow service provides a copy of the Keychain only if a strict set of conditions are met.

There are several ways to establish a strong passcode:
- If two-factor authentication is enabled for the user's account, the device passcode is used to recover an escrowed Keychain.
- If two-factor authentication isn't set up, the user is asked to create an iCloud Security Code by providing a six-digit passcode. Alternatively, without two-factor authentication, users can specify their own, longer code, or they can let their devices create a cryptographically random code that they can record and keep on their own.

Many users next want to escrow their keychain with Apple. The process is that the iOS, iPadOS, or macOS device exports a copy of the user's Keychain, encrypts it wrapped with keys in an asymmetric keybag, and places it in the user's iCloud key-value storage area. The keybag is wrapped with the user's iCloud Security Code and with the public key of the hardware security module (HSM) cluster that stores the escrow record. This becomes the user's iCloud Escrow Record.

If the user decides to accept a cryptographically random security code instead of specifying their own or using a four-digit value, no escrow record is necessary. Instead, the iCloud Security Code is used to wrap the random key directly.

In addition to establishing a security code, users must register a phone number. This provides a secondary level of authentication during Keychain recovery. The user receives an SMS that must be replied to in order for the recovery to proceed.
Escrow security for iCloud Keychain

iCloud provides a secure infrastructure for Keychain escrow to ensure that only authorized users and devices can perform a recovery. Topographically positioned behind iCloud are HSM clusters that guard the escrow records. As described previously, each has a key that is used to encrypt the escrow records under their watch.

To recover a Keychain, users must authenticate with their iCloud account and password and respond to an SMS sent to their registered phone number. After this is done, users must enter their iCloud Security Code. The HSM cluster verifies that a user knows their iCloud Security Code using the Secure Remote Password (SRP) protocol; the code itself isn't sent to Apple. Each member of the cluster independently verifies that the user hasn't exceeded the maximum number of attempts allowed to retrieve their record, as discussed below. If a majority agree, the cluster unwraps the escrow record and sends it to the user's device.

Next, the device uses the iCloud Security Code to unwrap the random key used to encrypt the user's Keychain. With that key, the Keychain—retrieved from iCloud key value storage—is decrypted and restored onto the device.

iOS, iPadOS, and macOS allow only 10 attempts to authenticate and retrieve an escrow record. After several failed attempts, the record is locked and the user must call Apple Support to be granted more attempts. After the 10th failed attempt, the HSM cluster destroys the escrow record and the Keychain is lost forever. This provides protection against a brute-force attempt to retrieve the record, at the expense of sacrificing the Keychain data in response.

These policies are coded in the HSM firmware. The administrative access cards that permit the firmware to be changed have been destroyed. Any attempt to alter the firmware or access the private key causes the HSM cluster to delete the private key. Should this occur, the owner of each Keychain protected by the cluster receives a message informing them that their escrow record has been lost. They can then choose to reenroll.
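The SRP exchange and the attempt policy from the two passages above, as an added example written for this page (not Apple's HSM firmware or escrow service): the device enrolls only a salt and an SRP verifier, the verifier side proves knowledge of the security code without the code ever being transmitted, each cluster member keeps its own failure counter and destroys its copy of the record on the tenth failure, and the record is released only on a majority. The group is the RFC 5054 1024-bit group (transcribed here; check it against the RFC before any reuse), the proof messages are a simplified SRP-6a construction, and the security code and record bytes are constructed placeholders. The "locked, call Apple Support" step is not modelled because the page gives no threshold for it.

```python
import hashlib
import hmac
import secrets

# RFC 5054 Appendix A 1024-bit group (transcribed; verify against the RFC
# before reuse). The logic below does not depend on the group size.
N = int("EEAF0AB9ADB38DD69C33F80AFA8FC5E860726187"
        "75FF3C0B9EA2314C9C256576D674DF7496EA81D3"
        "383B4813D692C6E0E0D5D8E250B98BE48E495C1D"
        "6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D49"
        "82559B297BCF1885C529F566660E57EC68EDBC3C"
        "05726CC02FD4CBF4976EAA9AFD5138FE8376435B"
        "9FC61D2FC0EB06E3", 16)
G = 2
NLEN = (N.bit_length() + 7) // 8


def H(*parts):
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def pad(x):
    return x.to_bytes(NLEN, "big")


K_MULT = H(pad(N), pad(G))  # SRP-6a multiplier k = H(N, PAD(g))


def private_x(security_code, salt):
    return H(salt, hashlib.sha256(security_code.encode("utf-8")).digest())


def enroll(security_code):
    """Device side at enrollment: only (salt, verifier) go to the HSM."""
    salt = secrets.token_bytes(16)
    return salt, pow(G, private_x(security_code, salt), N)


class EscrowHSM:
    """One cluster member: verifier, record, and an independent attempt counter."""
    MAX_ATTEMPTS = 10

    def __init__(self, salt, verifier, record):
        self.salt, self.v, self.record, self.failed = salt, verifier, record, 0

    def challenge(self, A):
        if A % N == 0:
            raise ValueError("invalid client public value")
        self.A, self.b = A, secrets.randbelow(N - 2) + 1
        self.B = (K_MULT * self.v + pow(G, self.b, N)) % N
        return self.salt, self.B

    def verify(self, M1):
        """Release the record on a correct proof; count and eventually destroy on failure."""
        if self.record is None:
            return None
        u = H(pad(self.A), pad(self.B))
        S = pow(self.A * pow(self.v, u, N), self.b, N)
        K = hashlib.sha256(pad(S)).digest()
        expected = hashlib.sha256(pad(self.A) + pad(self.B) + K).digest()
        if hmac.compare_digest(expected, M1):
            return self.record
        self.failed += 1
        if self.failed >= self.MAX_ATTEMPTS:
            self.record = None  # 10th failure: the escrow record is destroyed
        return None


def client_proof(security_code, salt, A, a, B):
    """Device side: derive the shared key from the code and the HSM's B."""
    if B % N == 0:
        raise ValueError("invalid server public value")
    x = private_x(security_code, salt)
    u = H(pad(A), pad(B))
    S = pow((B - K_MULT * pow(G, x, N)) % N, a + u * x, N)
    K = hashlib.sha256(pad(S)).digest()
    return hashlib.sha256(pad(A) + pad(B) + K).digest()


def attempt_recovery(hsm, security_code):
    a = secrets.randbelow(N - 2) + 1
    A = pow(G, a, N)
    salt, B = hsm.challenge(A)
    return hsm.verify(client_proof(security_code, salt, A, a, B))


class EscrowCluster:
    """Each member verifies independently; the record is released only if a
    majority of members accept the proof (and still hold the record)."""
    def __init__(self, salt, verifier, record, size=3):
        self.members = [EscrowHSM(salt, verifier, record) for _ in range(size)]

    def recover(self, security_code):
        accepted = [r for r in (attempt_recovery(m, security_code) for m in self.members)
                    if r is not None]
        return accepted[0] if len(accepted) > len(self.members) // 2 else None
```

Nothing that crosses between the two sides (salt, A, B, M1) lets a party without the verifier learn the code offline, which is the property the page relies on when it says the code itself isn't sent to Apple; the destruction on the tenth failure is what bounds online guessing.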
Safari integration with iCloud Keychain

Safari can automatically generate cryptographically strong random strings for website passwords, which are stored in Keychain and synced to other devices. Keychain items are transferred from device to device, traveling through Apple servers, but are encrypted in such a way that Apple and other devices can't read their contents.
Apple Pay

Apple Pay overview

With Apple Pay, users can use supported iOS devices, iPad, Mac, and Apple Watch to pay in an easy, secure, and private way in stores, apps, and on the web in Safari. Users can also add Apple Pay–enabled transit cards to Apple Wallet. It's simple for users, and it's built with integrated security in both hardware and software.

Apple Pay is also designed to protect the user's personal information. Apple Pay doesn't collect any transaction information that can be tied back to the user. Payment transactions are between the user, the merchant, and the card issuer.
Apple Pay components

Secure Element

The Secure Element is an industry-standard, certified chip running the Java Card platform, which is compliant with financial industry requirements for electronic payments. The Secure Element IC and the Java Card platform are certified in accordance with the EMVCo Security Evaluation process. After the successful completion of the security evaluation, EMVCo issues a unique IC and platform certificate. The Secure Element IC has been certified based on the Common Criteria standard.

NFC controller

The NFC controller handles Near Field Communication protocols and routes communication between the application processor and the Secure Element, and between the Secure Element and the point-of-sale terminal.

Apple Wallet

Apple Wallet is used to add and manage credit, debit, and store cards and to make payments with Apple Pay. Users can view their cards and may be able to view additional information provided by their card issuer, such as their card issuer's privacy policy, recent transactions, and more in Apple Wallet. Users can also add cards to Apple Pay in:
- Setup Assistant and Settings for iOS and iPadOS
- The Watch app for Apple Watch
- Wallet & Apple Pay in System Preferences for Mac computers with Touch ID
In addition, Apple Wallet allows users to add and manage transit cards, rewards cards, boarding passes, tickets, gift cards, Student ID cards, and more.

Secure Enclave

On iPhone, iPad, Apple Watch, and Mac computers with Touch ID, the Secure Enclave manages the authentication process and enables a payment transaction to proceed. On Apple Watch, the device must be unlocked, and the user must double-click the side button. The double-click is detected and passed directly to the Secure Element or Secure Enclave, where available, without going through the application processor.

Apple Pay servers

The Apple Pay servers manage the setup and provisioning of credit, debit, transit, and Student ID cards in the Wallet app. The servers also manage the Device Account Numbers stored in the Secure Element. They communicate both with the device and with the payment network or card issuer servers. The Apple Pay servers are also responsible for reencrypting payment credentials for payments within apps.
How Apple Pay uses the Secure Element and NFC controller

Secure Element

The Secure Element hosts a specially designed applet to manage Apple Pay. It also includes applets certified by payment networks or card issuers. Credit, debit, or prepaid card data is sent from the payment network or card issuer encrypted to these applets using keys that are known only to the payment network or card issuer and the applets' security domain. This data is stored within these applets and protected using the Secure Element's security features. During a transaction, the terminal communicates directly with the Secure Element through the Near Field Communication (NFC) controller over a dedicated hardware bus.

NFC controller

As the gateway to the Secure Element, the NFC controller ensures that all contactless payment transactions are conducted using a point-of-sale terminal that is in close proximity with the device. Only payment requests arriving from an in-field terminal are marked by the NFC controller as contactless transactions.

After a credit, debit, or prepaid card (including store cards) payment is authorized by the cardholder using Touch ID, Face ID, or a passcode, or on an unlocked Apple Watch by double-clicking the side button, contactless responses prepared by the payment applets within the Secure Element are exclusively routed by the controller to the NFC field. Consequently, payment authorization details for contactless payment transactions are contained to the local NFC field and are never exposed to the application processor. In contrast, payment authorization details for payments within apps and on the web are routed to the application processor, but only after encryption by the Secure Element to the Apple Pay server.
Credit, Debit, and Prepaid Cards

Credit, debit, and prepaid card provisioning overview with Apple Pay

When a user adds a credit, debit, or prepaid card (including store cards) to Apple Wallet, Apple securely sends the card information, along with other information about the user's account and device, to the card issuer or card issuer's authorized service provider. Using this information, the card issuer determines whether to approve adding the card to Apple Wallet.

As part of the card provisioning process, Apple Pay uses three server-side calls to send and receive communication with the card issuer or network: Required Fields, Check Card, and Link and Provision. The card issuer or network uses these calls to verify, approve, and add cards to Apple Wallet. These client-server sessions are encrypted using TLS v1.2.

Full card numbers aren't stored on the device or on Apple Pay servers. Instead, a unique Device Account Number is created, encrypted, and then stored in the Secure Element. This unique Device Account Number is encrypted in such a way that Apple can't access it. The Device Account Number is unique and different from most credit or debit card numbers; the card issuer or payment network can prevent its use on a magnetic stripe card, over the phone, or on websites. The Device Account Number in the Secure Element is never stored on Apple Pay servers or backed up to iCloud, and it is isolated from iOS, iPadOS, watchOS, and Mac computers with Touch ID.

Cards for use with Apple Watch are provisioned for Apple Pay using the Apple Watch app on iPhone, or within a card issuer's iPhone app. Adding a card to Apple Watch requires that the watch be within Bluetooth communications range. Cards are specifically enrolled for use with Apple Watch and have their own Device Account Numbers, which are stored within the Secure Element on the Apple Watch.

When credit, debit, or prepaid cards (including store cards) are added, they appear in a list of cards during Setup Assistant on devices that are signed in to the same iCloud account. These cards remain in this list for as long as they are active on at least one device. Cards are removed from this list after they have been removed from all devices for 7 days. This feature requires two-factor authentication to be enabled on the respective iCloud account.
Add credit or debit cards manually to Apple Pay

To add a card manually, the name, card number, expiration date, and CVV are used to facilitate the provisioning process. From within Settings, the Wallet app, or the Apple Watch app, users can enter that information either by typing or by using the device's camera. When the camera captures the card information, Apple attempts to populate the name, card number, and expiration date. The photo is never saved to the device or stored in the photo library. After all the fields are filled in, the Check Card process verifies the fields other than the CVV. They are then encrypted and sent to the Apple Pay server.

If a terms and conditions ID is returned with the Check Card process, Apple downloads and displays the terms and conditions of the card issuer to the user. If the user accepts the terms and conditions, Apple sends the ID of the terms that were accepted as well as the CVV to the Link and Provision process. Additionally, as part of the Link and Provision process, Apple shares information from the device with the card issuer or network, like information about the user's iTunes and App Store account activity (for example, whether the user has a long history of transactions within iTunes), information about the user's device (for example, phone number, name, and model of the user's device plus any companion Apple device necessary to set up Apple Pay), as well as the user's approximate location at the time the user adds their card (if the user has Location Services enabled). Using this information, the card issuer determines whether to approve adding the card to Apple Pay.

As the result of the Link and Provision process, two things occur:
- The device begins to download the Wallet pass file representing the credit or debit card.
- The device begins to bind the card to the Secure Element.
The pass file contains URLs to download card art, metadata about the card such as contact information, the related issuer's app, and supported features. It also contains the pass state, which includes information such as whether the personalizing of the Secure Element has completed, whether the card is currently suspended by the card issuer, or whether additional verification is required before the card can make payments with Apple Pay.
Add credit or debit cards from an iTunes Store account to Apple Pay

For a credit or debit card on file with iTunes, the user may be required to reenter their Apple ID password. The card number is retrieved from iTunes, and the Check Card process is initiated. If the card is eligible for Apple Pay, the device downloads and displays terms and conditions, then sends along the terms ID and the card security code to the Link and Provision process. Additional verification may occur for iTunes account cards on file.

Add credit or debit cards from a card issuer's app

When the app is registered for use with Apple Pay, keys are established for the app and for the card issuer's server. These keys are used to encrypt the card information that's sent to the card issuer, which prevents the information from being read by the Apple device. The provisioning flow is similar to that used for manually added cards, described previously, except one-time passwords are used in lieu of the CVV.
Additional verification with Apple Pay

A card issuer can decide whether a credit or debit card requires additional verification. Depending on what is offered by the card issuer, the user may be able to choose between different options for additional verification, such as a text message, email, customer service call, or a method in an approved third-party app to complete the verification. For text messages or email, the user selects from contact information the issuer has on file. A code is sent, which must be entered into the Wallet app, Settings, or the Apple Watch app. For customer service or verification using an app, the issuer performs their own communication process.
Payment authorization with Apple Pay

For devices having a Secure Enclave, the Secure Element allows a payment to be made only after it receives authorization from the Secure Enclave. On iPhone or iPad, this involves confirming the user has authenticated with Touch ID, Face ID, or the device passcode. Touch ID or Face ID, if available, is the default method, but the passcode can be used at any time. A passcode is automatically offered after three unsuccessful attempts to match a fingerprint, or two unsuccessful attempts to match a face; after five unsuccessful attempts, the passcode is required. A passcode is also required when Touch ID or Face ID is not configured or not enabled for Apple Pay. For a payment to be made on Apple Watch, the device must be unlocked with a passcode and the side button must be double-clicked.

Communication between the Secure Enclave and the Secure Element takes place over a serial interface, with the Secure Element connected to the NFC controller, which in turn is connected to the application processor. Though not directly connected, the Secure Enclave and Secure Element can communicate securely using a shared pairing key that is provisioned during the manufacturing process. The encryption and authentication of the communication are based on AES, with cryptographic nonces used by both sides to protect against replay attacks. The pairing key is generated inside the Secure Enclave from its UID key and the Secure Element's unique identifier. The pairing key is then securely transferred from the Secure Enclave to a hardware security module (HSM) in the factory, which has the key material required to then inject the pairing key into the Secure Element.
Transaction authorization

When the user authorizes a transaction, which includes a physical gesture communicated directly to the Secure Enclave, the Secure Enclave then sends signed data about the type of authentication and details about the type of transaction (contactless or within apps) to the Secure Element, tied to an Authorization Random (AR) value. The AR is generated in the Secure Enclave when a user first provisions a credit card and persists while Apple Pay is enabled, protected by the Secure Enclave's encryption and anti-rollback mechanism. It's securely delivered to the Secure Element through the pairing key. On receipt of a new AR value, the Secure Element marks any previously added cards as deleted.
Transaction-specific dynamic security code in Apple Pay

Payment transactions originating from the payment applets include a payment cryptogram along with a Device Account Number. This cryptogram, a one-time code, is computed using a transaction counter and a key. The transaction counter is incremented for each new transaction. The key is provisioned in the payment applet during personalization and is known by the payment network and/or the card issuer.

Depending on the payment scheme, other data may also be used in the calculation, including:
- A Terminal Unpredictable Number (for NFC transactions)
- An Apple Pay server nonce (for transactions within apps)
These security codes are provided to the payment network and to the card issuer, which allows the issuer to verify each transaction. The length of these security codes may vary based on the type of transaction.
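The counter-and-key cryptogram from this section together with the AR gating from the Transaction authorization section above, as an added example written for this page (not Apple's applet or any payment network's specification): a Secure Element model that refuses to pay unless the authorization carries the AR the card was added under, marks every card deleted when a new AR arrives, and emits a cryptogram over the transaction counter, amount and the scheme's extra value; and an issuer model that recomputes the cryptogram and rejects a counter that does not move forward. HMAC-SHA256 truncated to 8 bytes is a stand-in for the networks' own MAC constructions, and the DAN, keys and AR values are constructed placeholders.

```python
import hashlib
import hmac
import secrets


def cryptogram(key, atc, amount_cents, extra, length=8):
    """One-time code over the transaction counter (ATC), the amount and the
    scheme-specific extra value (Terminal Unpredictable Number for NFC,
    Apple Pay server nonce in-app). HMAC-SHA256 truncated to `length` bytes
    stands in for the payment network's own MAC; the issuer holds the same
    key, so it can recompute and compare."""
    msg = atc.to_bytes(4, "big") + amount_cents.to_bytes(8, "big") + extra
    return hmac.new(key, msg, hashlib.sha256).digest()[:length]


class SecureElement:
    """Cards are tagged with the Authorization Random (AR) current when they
    were added, and each carries its personalization key and counter."""
    def __init__(self, ar):
        self.ar = ar
        self.cards = {}  # DAN -> {"key", "atc", "ar", "deleted"}

    def add_card(self, dan, key):
        self.cards[dan] = {"key": key, "atc": 0, "ar": self.ar, "deleted": False}

    def receive_ar(self, new_ar):
        """A new AR from the Secure Enclave invalidates every existing card."""
        self.ar = new_ar
        for card in self.cards.values():
            card["deleted"] = True

    def pay(self, dan, amount_cents, extra, authorization):
        """authorization models the Secure Enclave's signed statement as a
        dict carrying the AR it was issued under; anything else is refused."""
        card = self.cards.get(dan)
        if card is None or card["deleted"] or authorization.get("ar") != card["ar"]:
            return None
        card["atc"] += 1  # counter moves before the cryptogram is computed
        return {"dan": dan, "atc": card["atc"], "amount": amount_cents,
                "cryptogram": cryptogram(card["key"], card["atc"], amount_cents, extra)}


class Issuer:
    """Issuer / payment-network side: knows each card's key and the last
    accepted counter, so a replayed or rolled-back ATC is rejected even when
    the cryptogram itself is genuine."""
    def __init__(self):
        self.keys, self.last_atc = {}, {}

    def personalize(self, dan):
        key = secrets.token_bytes(16)
        self.keys[dan], self.last_atc[dan] = key, 0
        return key

    def authorize(self, txn, extra):
        key = self.keys.get(txn["dan"])
        if key is None or txn["atc"] <= self.last_atc[txn["dan"]]:
            return False
        expected = cryptogram(key, txn["atc"], txn["amount"], extra)
        if not hmac.compare_digest(expected, txn["cryptogram"]):
            return False
        self.last_atc[txn["dan"]] = txn["atc"]
        return True
```

The issuer only advances its stored counter after the cryptogram verifies, so a forged message with a high counter cannot burn the card's legitimate future counter values.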
Pay with credit and debit cards in stores with Apple Pay

If iPhone or Apple Watch is on and detects an NFC field, it presents the user with the requested card (if automatic selection is turned on for that card) or the default card, which is managed in Settings. The user can also go to the Wallet app and choose a card, or when the device is locked:
- Double-click the Home button on devices with Touch ID
- Double-click the side button on devices with Face ID
Next, before information is transmitted, the user must authenticate using Touch ID, Face ID, or their passcode. When Apple Watch is unlocked, double-clicking the side button activates the default card for payment. No payment information is sent without user authentication.

After the user authenticates, the Device Account Number and a transaction-specific dynamic security code are used when processing the payment. Neither Apple nor a user's device sends the full actual credit or debit card numbers to merchants. Apple may receive anonymous transaction information such as the approximate time and location of the transaction, which helps improve Apple Pay and other Apple products and services.
Pay with credit and debit cards within apps using Apple Pay

Apple Pay can also be used to make payments within iOS, iPadOS, and Apple Watch apps. When users pay within apps using Apple Pay, Apple receives the encrypted transaction information. Before that information is sent to the developer or merchant, Apple reencrypts the transaction with a developer-specific key. Apple Pay retains anonymous transaction information, such as approximate purchase amount. This information can't be tied to the user and never includes what the user is buying.

When an app initiates an Apple Pay payment transaction, the Apple Pay servers receive the encrypted transaction from the device prior to the merchant receiving it. The Apple Pay servers then reencrypt the transaction with a merchant-specific key before relaying it to the merchant.

When an app requests a payment, it calls an API to determine if the device supports Apple Pay and if the user has credit or debit cards that can make payments on a payment network accepted by the merchant. The app requests any pieces of information it needs to process and fulfill the transaction, such as the billing and shipping address, and contact information. The app then asks iOS, iPadOS, or watchOS to present the Apple Pay sheet, which requests information for the app, as well as other necessary information, such as the card to use.

At this time, the app is presented with city, state, and zip code information to calculate the final shipping cost. The full set of requested information isn't provided to the app until the user authorizes the payment with Touch ID, Face ID, or the device passcode. After the payment is authorized, the information presented in the Apple Pay sheet is transferred to the merchant.
App payment authorization

When the user authorizes the payment, a call is made to the Apple Pay servers to obtain a cryptographic nonce, which is similar to the value returned by the NFC terminal used for in-store transactions. The nonce, along with other transaction data, is passed to the Secure Element to generate a payment credential that is encrypted with an Apple key. When the encrypted payment credential comes out of the Secure Element, it's passed to the Apple Pay servers, which decrypt the credential, verify the nonce in the credential against the nonce originally sent by the Apple Pay servers, and reencrypt the payment credential with the merchant key associated with the Merchant ID. The payment is then returned to the device, which hands it back to the app through the API. The app then passes it along to the merchant system for processing. The merchant can then decrypt the payment credential with its private key for processing. This, together with the signature from Apple's servers, allows the merchant to verify that the transaction was intended for this particular merchant.

The APIs require an entitlement that specifies the supported Merchant IDs. An app can also include additional data (such as an order number or customer identity) to send to the Secure Element to be signed, ensuring that the transaction can't be diverted to a different customer. This is accomplished by the app developer, who can specify applicationData on the PKPaymentRequest. A hash of this data is included in the encrypted payment data. The merchant is then responsible for verifying that their applicationData hash matches what's included in the payment data.
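The in-app flow above (server nonce, credential sealed for Apple, nonce check and re-sealing for the Merchant ID, merchant-side applicationData hash check), as an added example written for this page and not Apple's or PassKit's code. seal/unseal are an authenticated-envelope stand-in (JSON plus an HMAC-SHA256 tag) for the encryption the page describes, since the checks being shown depend on integrity and key binding rather than confidentiality; the keys, Merchant ID, DAN and order data are constructed placeholders.

```python
import hashlib
import hmac
import json
import secrets


def seal(key, obj):
    """Authenticated envelope stand-in: JSON body plus an HMAC-SHA256 tag.
    The real credential is encrypted; only integrity and key binding are
    modelled here, which is what the nonce and hash checks depend on."""
    body = json.dumps(obj, sort_keys=True).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()


def unseal(key, blob):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    return json.loads(body)


def secure_element_credential(apple_key, dan, amount_cents, nonce, merchant_id, application_data):
    """Payment credential for an in-app payment: bound to the server nonce,
    the Merchant ID and a hash of the app's applicationData."""
    return seal(apple_key, {
        "dan": dan, "amount": amount_cents, "nonce": nonce, "merchant_id": merchant_id,
        "application_data_hash": hashlib.sha256(application_data).hexdigest()})


class ApplePayServer:
    def __init__(self):
        self.apple_key = secrets.token_bytes(32)  # key the Secure Element seals to (stand-in)
        self.merchant_keys = {}                   # Merchant ID -> merchant key (stand-in for its certificate)
        self.issued_nonces = set()

    def register_merchant(self, merchant_id):
        self.merchant_keys[merchant_id] = secrets.token_bytes(32)
        return self.merchant_keys[merchant_id]

    def nonce(self):
        n = secrets.token_hex(16)
        self.issued_nonces.add(n)
        return n

    def process(self, credential_blob):
        """Open the credential, check the nonce is one this server issued and
        has not been used, then re-seal for the merchant it names."""
        cred = unseal(self.apple_key, credential_blob)
        if cred is None or cred["nonce"] not in self.issued_nonces:
            return None
        self.issued_nonces.discard(cred["nonce"])  # single use
        merchant_key = self.merchant_keys.get(cred["merchant_id"])
        if merchant_key is None:
            return None
        return seal(merchant_key, cred)


class Merchant:
    def __init__(self, merchant_id, key):
        self.merchant_id, self.key = merchant_id, key

    def accept(self, blob, application_data):
        """The merchant's checks: the credential opens with its own key,
        names it, and its applicationData hash matches the order being fulfilled."""
        cred = unseal(self.key, blob)
        if cred is None or cred["merchant_id"] != self.merchant_id:
            return False
        expected = hashlib.sha256(application_data).hexdigest()
        return hmac.compare_digest(expected, cred["application_data_hash"])
```

The hash comparison is the step the page assigns to the merchant; skipping it means a credential authorized for one order could be presented against another.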
Pay with credit and debit cards on the web using Apple Pay

Apple Pay can be used to make payments on websites with iPhone, iPad, and Apple Watch. Apple Pay transactions can also start on a Mac and be completed on an Apple Pay–enabled iPhone or Apple Watch using the same iCloud account.

Apple Pay on the web requires all participating websites to register with Apple. The Apple servers perform domain name validation and issue a TLS client certificate. Websites supporting Apple Pay are required to serve their content over HTTPS. For each payment transaction, websites need to obtain a secure and unique merchant session with an Apple server using the Apple-issued TLS client certificate. Merchant session data is signed by Apple. After a merchant session signature is verified, a website may query whether the user has an Apple Pay–capable device and whether they have a credit, debit, or prepaid card activated on the device. No other details are shared. If the user doesn't want to share this information, they can disable Apple Pay queries in Safari privacy settings in iOS, iPadOS, and macOS.

After a merchant session is validated, all security and privacy measures are the same as when a user pays within an app.

If the user is transmitting payment-related information from a Mac to an iPhone or Apple Watch, Apple Pay Handoff uses the end-to-end encrypted Apple Identity Service (IDS) protocol to transmit payment-related information between the user's Mac and the authorizing device. IDS uses the user's device keys to perform encryption so no other device can decrypt this information, and the keys aren't available to Apple. Device discovery for Apple Pay Handoff contains the type and unique identifier of the user's credit cards along with some metadata. The device-specific account number of the user's card isn't shared, and it continues to remain stored securely on the user's iPhone or Apple Watch. Apple also securely transfers the user's recently used contact, shipping, and billing addresses over iCloud Keychain.

After the user authorizes payment using Touch ID, Face ID, a passcode, or double-clicking the side button on Apple Watch, a payment token uniquely encrypted to each website's merchant certificate is securely transmitted from the user's iPhone or Apple Watch to their Mac, and then delivered to the merchant's website. Only devices in proximity to each other may request and complete payment. Proximity is determined through Bluetooth Low Energy (BLE) advertisements.
ContactlesspassesinApplePayTotransmitdatafromsupportedpassestocompatibleNFCterminals,AppleusestheAppleWalletValueAddedServicesprotocol(AppleVAS).
TheVASprotocolcanbeimplementedoncontactlessterminalsandusesNFCtocommunicatewithsupportedAppledevices.
TheVASprotocolworksoverashortdistanceandcanbeusedtopresentcontactlesspassesindependentlyoraspartofanApplePaytransaction.
WhenthedeviceisheldneartheNFCterminal,theterminalinitiatesreceivingthepassinformationbysendingarequestforapass.
Iftheuserhasapasswiththepassprovider'sidentifier,theuserisaskedtoauthorizeitsuseusingTouchID,FaceID,orapasscode.
Thepassinformation,atimestamp,andasingle-userandomECDHP-256keyareusedwiththepassprovider'spublickeytoderiveanencryptionkeyforthepassdata,whichissenttotheterminal.
94IniOS12toiOS13,usersmaymanuallyselectapassbeforepresentingittothemerchant'sNFCterminal.
IniOS13.
1orlater,passproviderscanconfiguremanuallyselectedpassestoeitherrequireuserauthenticationortobeusedwithoutauthentication.
RendercardsunusablewithApplePayCredit,debit,andprepaidcardsaddedtotheSecureElementcanbeusedonlyiftheSecureElementispresentedwithauthorizationusingthesamepairingkeyandARvaluefromwhenthecardwasadded.
OnreceiptofanewARvalue,theSecureElementmarksanypreviouslyaddedcardsasdeleted.
ThisallowstheOStoinstructtheSecureEnclavetorendercardsunusablebymarkingitscopyoftheARasinvalidunderthefollowingscenarios:MethodDeviceWhenthepasscodeisdisablediPhone,iPad,AppleWatchWhenthepasswordisdisabledMacTheusersignsoutofiCloudiPhone,iPad,Mac,AppleWatchTheuserselectsEraseAllContentandSettingsiPhone,iPad,AppleWatchThedeviceisrestoredfromRecoverymodeiPhone,iPad,Mac,AppleWatchUnpairingAppleWatchSuspending,removing,anderasingcardsUserscansuspendApplePayoniPhone,iPad,andAppleWatchbyplacingtheirdevicesinLostModeusingFindMy.
UsersalsohavetheabilitytoremoveanderasetheircardsfromApplePayusingFindMy,iCloud.
com,ordirectlyontheirdevicesusingtheWalletapp.
OnAppleWatch,cardscanberemovedusingiCloudsettings,theAppleWatchapponiPhone,ordirectlyonthewatch.
TheabilitytomakepaymentsusingcardsonthedeviceissuspendedorremovedfromApplePaybythecardissuerorrespectivepaymentnetwork,evenifthedeviceisofflineandnotconnectedtoacellularorWi-Finetwork.
UserscanalsocalltheircardissuertosuspendorremovecardsfromApplePay.
Additionally,whenausererasestheentiredevice—usingEraseAllContentandSettings,usingFindMy,orrestoringtheirdevicein—iOS,iPadOS,andmacOSdevicesinstructtheSecureElementtomarkallcardsasdeleted.
ThishastheeffectofimmediatelychangingthecardstoanunusablestateuntiltheApplePayserverscanbecontactedtofullyerasethecardsfromtheSecureElement.
Independently,theSecureEnclavemarkstheARasinvalidsothatfurtherpaymentauthorizationsforpreviouslyenrolledcardsaren'tpossible.
Whenthedeviceisonline,itattemptstocontacttheApplePayserverstoensurethatallcardsintheSecureElementareerased.
95AppleCashIniOS11.
2orlaterandwatchOS4.
2orlater,ApplePaycanbeusedonaniPhone,iPad,orAppleWatchtosend,receive,andrequestmoneyfromotherusers.
Whenauserreceivesmoney,it'saddedtoanAppleCashaccountthatcanbeaccessedintheWalletapporwithinSettings>Wallet&ApplePayacrossanyoftheeligibledevicestheuserhassignedinwiththeirAppleID.
Touseperson-to-personpaymentsandAppleCash,ausermustbesignedintotheiriCloudaccountonanAppleCash–compatibledevice,andhavetwo-factorauthenticationsetupontheiCloudaccount.
WhentheusersetsupAppleCash,thesameinformationaswhentheuseraddsacreditordebitcardmaybesharedwithourpartnerbankGreenDotBankandwithApplePaymentsInc.
,awhollyownedsubsidiarycreatedtoprotecttheuser'sprivacybystoringandprocessinginformationseparatelyfromtherestofApple,andinawaythattherestofAppledoesn'tknow.
Thisinformationisusedonlyfortroubleshooting,fraudprevention,andregulatorypurposes.
MoneyrequestsandtransfersbetweenusersareinitiatedfromwithintheMessagesapporbyaskingSiri.
Whenauserattemptstosendmoney,iMessagedisplaystheApplePaysheet.
TheAppleCashbalanceisalwaysusedfirst.
Ifnecessary,additionalfundsaredrawnfromasecondcreditordebitcardtheuserhasaddedtotheWalletapp.
TheAppleCashcardintheWalletappcanbeusedwithApplePaytomakepaymentsinstores,inapps,andontheweb.
MoneyintheAppleCashaccountcanalsobetransferredtoabankaccount.
Inadditiontomoneybeingreceivedfromanotheruser,moneycanbeaddedtotheAppleCashaccountfromadebitorprepaidcardintheWalletapp.
ApplePaymentsInc.
storesandmayusetheuser'stransactiondatafortroubleshooting,fraudprevention,andregulatorypurposesonceatransactioniscompleted.
TherestofAppledoesn'tknowwhotheusersentmoneyto,receivedmoneyfrom,orwheretheusermadeapurchasewiththeirAppleCashcard.
WhentheusersendsmoneywithApplePay,addsmoneytoanAppleCashaccount,ortransfersmoneytoabankaccount,acallismadetotheApplePayserverstoobtainacryptographicnonce,whichissimilartothevaluereturnedforApplePaywithinapps.
Thenonce,alongwithothertransactiondata,ispassedtotheSecureElementtogenerateapaymentsignature.
WhenthepaymentsignaturecomesoutoftheSecureElement,it'spassedtotheApplePayservers.
Theauthentication,integrity,andcorrectnessofthetransactionisverifiedthroughthepaymentsignatureandthenoncebyApplePayservers.
Moneytransferistheninitiated,andtheuserisnotifiedofacompletedtransaction.
IfthetransactioninvolvesacreditordebitcardforaddingmoneytoAppleCash,sendingmoneytoanotheruser,orprovidingsupplementalmoneyiftheAppleCashbalanceisinsufficient,thenanencryptedpaymentcredentialisalsoproducedandsenttoApplePayservers,similartowhatisusedforApplePaywithinappsandwebsites.
AfterthebalanceoftheAppleCashaccountexceedsacertainamountorifunusualactivityisdetected,theuserispromptedtoverifytheiridentity.
Informationprovidedtoverifytheuser'sidentity—suchassocialsecuritynumberoranswerstoquestions(forexample,toconfirmastreetnametheuserhaslivedonpreviously)—issecurelytransmittedtoApple'spartnerandencryptedusingtheirkey.
Applecan'tdecryptthisdata.
96AppleCardAppleCardapplicationintheWalletappIniOS12.
4orlater,macOS10.
14.
6orlater,watchOS5.
3orlater,AppleCardcanbeusedwithApplePaytomakepaymentsinstores,inapps,andontheweb.
ToapplyforAppleCard,theusermustbesignedintotheiriCloudaccountonanApplePay–compatibleiOSoriPadOSdeviceandhavetwo-factorauthenticationsetupontheiCloudaccount.
Whentheapplicationisapproved,AppleCardisavailableintheWalletapporwithinSettings>Wallet&ApplePayacrossanyoftheeligibledevicestheuserhassignedinwiththeirAppleID.
WhenapplyingforAppleCard,useridentityinformationissecurelyverifiedbyApple'sidentityproviderpartnersthensharedwithGoldmanSachsBankUSAforthepurposesofidentityandcreditevaluation.
InformationsuchasthesocialsecuritynumberorIDdocumentimageprovidedduringtheapplication,issecurelytransmittedtoApple'sidentityproviderpartnersand/orGoldmanSachsBankUSAencryptedwiththeirrespectivekeys.
Applecan'tdecryptthisdata.
Theincomeinformationprovidedduringtheapplication,andthebankaccountinformationusedforbillpayments,aresecurelytransmittedtoGoldmanSachsBankUSAencryptedwiththeirkey.
ThebankaccountinformationissavedinKeychain.
Applecan'tdecryptthisdata.
WhenaddingAppleCardtotheWalletapp,thesameinformationaswhenauseraddsacreditordebitcardmaybesharedwiththeApplepartnerbankGoldmanSachsBankUSAandwithApplePaymentsInc.
Thisinformationisusedonlyfortroubleshooting,fraudprevention,andregulatorypurposes.
AphysicalcardcanbeorderedfromAppleCardintheWalletapp.
Afterthephysicalcardisreceivedbytheuser,thecardisactivatedusingtheNFCtagpresentinthebi-foldenvelopeofthephysicalcard.
Thetagisuniquepercardandcan'tbeusedtoactivateanotheruser'scard.
Alternatively,thecardcanbemanuallyactivatedintheWalletsettings.
Additionally,theusercanalsochoosetolockorunlockthephysicalcardatanytimefromtheWalletapp.
AppleCardpaymentsandAppleWalletpassdetailsPaymentsdueontheAppleCardaccountcanbemadefromtheWalletapponiOSwithAppleCashandabankaccount.
Billpaymentscanbescheduledasrecurring,orasaone-timepaymentataspecificdatewithAppleCashandabankaccount.
Whenausermakesapayment,acallismadetotheApplePayserverstoobtainacryptographicnoncesimilartoAppleCash.
Thenonce,alongwiththepaymentsetupdetails,ispassedtotheSecureElementtogenerateasignature.
WhenthepaymentsignaturecomesoutoftheSecureElement,it'spassedtotheApplePayservers.
Theauthentication,integrity,andcorrectnessofthepaymentareverifiedthroughthesignatureandthenoncebyApplePayservers,andtheorderispassedontoGoldmanSachsBankUSAforprocessing.
DisplayingtheAppleCardnumberdetailsinthepassusingtheWalletapprequiresuserauthenticationwithFaceID,TouchID,orapasscode.
Itcanbereplacedbytheuserinthecardinformationsection,anddisablesthepreviousone.
97TransitcardsintheWalletappInmanyglobalmarkets,userscanaddsupportedtransitcardstotheWalletapponsupportedmodelsofiPhoneandAppleWatch.
Dependingonthetransitoperator,thismaybedonebytransferringthevalueandcommuterpassfromaphysicalcardintoitsdigitalAppleWalletrepresentationorbyprovisioninganewtransitcardintotheWalletappfromtheWalletapporthetransitcardissuer'sapp.
AftertransitcardsareaddedtotheWalletapp,userscanridetransitsimplybyholdingiPhoneorAppleWatchnearthetransitreader.
Somecardscanalsobeusedtomakepayments.
Addedtransitcardsareassociatedwithauser'siCloudaccount.
IftheuseraddsmorethanonecardtotheWalletapp,Appleorthetransitcardissuermaybeabletolinktheuser'spersonalinformationandtheassociatedaccountinformationbetweencards.
Transitcardsandtransactionsareprotectedbyasetofhierarchicalcryptographickeys.
DuringtheprocessoftransferringthebalancefromaphysicalcardtotheWalletapp,usersarerequiredtoentercardspecificinformation.
Usersmayalsoneedtoprovidepersonalinformationforproofofcardpossession.
WhentransferringpassesfromiPhonetoAppleWatch,bothdevicesmustbeonlineduringtransfer.
Thebalancecanberechargedwithfundsfromcredit,debitandprepaidcardsthroughWalletorfromthetransitcardissuer'sapp.
ThesecurityofreloadingthebalancewhenusingApplePayisdescribedinPaywithcreditanddebitcardswithinappsusingApplePay.
Theprocessofprovisioningthetransitcardfromwithinthetransitcardissuer'sappisdescribedinAddcreditordebitcardsfromacardissuer'sapp.
Ifprovisioningfromaphysicalcardissupported,thetransitcardissuerhasthecryptographickeysneededtoauthenticatethephysicalcardandverifytheuser'sentereddata.
Afterthedataisverified,thesystemcancreateaDeviceAccountNumberfortheSecureElementandactivatethenewlyaddedpassintheWalletappwiththetransferredbalance.
Insomecities,afterprovisioningfromthephysicalcardiscomplete,thephysicalcardisdisabled.
Attheendofeithertypeofprovisioning,ifthetransitcardbalanceisstoredonthedevice,it'sencryptedandstoredtoadesignatedappletintheSecureElement.
Thetransitoperatorhasthekeystoperformcryptographicoperationsonthecarddataforbalancetransactions.
Bydefault,usersbenefitfromtheseamlessExpressTransitexperiencethatallowsthemtopayandridewithoutrequiringTouchID,FaceID,orapasscode.
Informationlikerecentlyvisitedstations,transactionhistory,andadditionalticketsmaybeaccessedbyanynearbycontactlesscardreaderwithExpressModeenabled.
UserscanenabletheTouchID,FaceID,orpasscodeauthorizationrequirementintheWallet&ApplePaysettingsbydisablingExpressTransit.
98AswithotherApplePaycards,userscansuspendorremovetransitcardsby:ErasingthedeviceremotelywithFindMyEnablingLostModewithFindMyMobiledevicemanagement(MDM)remotewipecommandRemovingallcardsfromtheirAppleIDaccountpageRemovingallcardsfromiCloud.
comRemovingallcardsfromtheWalletappRemovingthecardintheissuer'sappApplePayserversnotifythetransitoperatortosuspendordisablethosecards.
Ifauserremovesatransitcardfromanonlinedevice,thebalancecanberecoveredbyaddingitbacktoadevicesignedinwiththesameAppleID.
Ifadeviceisoffline,poweredoff,orunusable,recoverymaynotbepossible.
CreditanddebitcardsfortransitintheWalletappInsomecities,transitreadersacceptEMVcardstopayfortransitrides,whenuserspresentacreditordebitcardtothosereaders,userauthenticationisrequiredjustas"Paywithcreditanddebitcardsinthestores.
"IniOS12.
3orlater,someexistingEMVcredit/debitcardsintheWalletappcanbeenabledforExpressTransit,whichallowstheusertopayforatripatsupportedtransitoperatorswithoutrequiringTouchID,FaceID,orapasscode.
WhenauserprovisionsanEMVcreditordebitcard,thefirstcardprovisionedtotheWalletappisenabledforExpressTransit.
TheusercantaptheMorebuttononthefrontofthecardintheWalletappanddisableExpressTransitforthatcardbysettingExpressTransitSettings>None.
TheusercanalsoselectadifferentcreditordebitcardastheirExpressTransitcardviatheWalletapp.
TouchID,FaceID,orapasscodeisrequiredtoreenableorselectadifferentcardforExpressTransit.
AppleCardandAppleCashareeligibleforExpressTransit.
StudentIDcardsintheWalletappIniOS12orlater,students,faculty,andstaffatparticipatingcampusescanaddtheirStudentIDcardtotheWalletapponsupportedmodelsofiPhoneandAppleWatchtoaccesslocationsandpaywherevertheircardisaccepted.
AuseraddstheirStudentIDcardtotheWalletappthroughanappprovidedbythecardissuerorparticipatingschool.
ThetechnicalprocessbywhichthisoccursisthesameastheonedescribedinAddcreditordebitcardsfromacardissuer'sapp.
Inaddition,issuingappsmustsupporttwo-factorauthenticationontheaccountsthatguardaccesstotheirStudentIDs.
AcardmaybesetupsimultaneouslyonuptoanytwosupportedAppledevicessignedinwiththesameAppleID.
WhenaStudentIDcardisaddedtotheWalletapp,ExpressModeisturnedonbydefault.
StudentIDcardsinExpressModeinteractwithacceptingterminalswithoutTouchID,FaceID,passcodeauthentication,ordouble-clickingthesidebuttononAppleWatch.
TheusercantaptheMorebuttononthefrontofthecardintheWalletappandturnoffExpressModetodisablethisfeature.
TouchID,FaceID,orapasscodeisrequiredtoreenableExpressMode.
99StudentIDcardscanbedisabledorremovedby:ErasingthedeviceremotelywithFindMyEnablingLostModewithFindMyMobiledevicemanagement(MDM)remotewipecommandRemovingallcardsfromtheirAppleIDaccountpageRemovingallcardsfromiCloud.
comRemovingallcardsfromtheWalletappRemovingthecardintheissuer'sappiMessageiMessageoverviewAppleiMessageisamessagingserviceforiOSandiPadOSdevices,AppleWatch,andMaccomputers.
iMessagesupportstextandattachmentssuchasphotos,contacts,locations,links,andattachmentsdirectlyontoamessage,suchasathumb'supicon.
Messagesappearonallofauser'sregistereddevicessothataconversationcanbecontinuedfromanyoftheuser'sdevices.
iMessagemakesextensiveuseoftheApplePushNotificationservice(APNs).
Appledoesn'tlogthecontentsofmessagesorattachments,whichareprotectedbyend-to-endencryptionsonoonebutthesenderandreceivercanaccessthem.
Applecan'tdecryptthedata.
WhenauserturnsoniMessageonadevice,thedevicegeneratesencryptionandsigningpairsofkeysforusewiththeservice.
Forencryption,thereisanencryptionRSA1280-bitkeyaswellasanencryptionEC256-bitkeyontheNISTP-256curve.
ForsignaturesECDSA256-bitsigningkeysareused.
Theprivatekeysaresavedinthedevice'sKeychainandonlyavailableafterfirstunlock.
ThepublickeysaresenttoAppleIdentityService(IDS),wheretheyareassociatedwiththeuser'sphonenumberoremailaddress,alongwiththedevice'sAPNsaddress.
AsusersenableadditionaldevicesforusewithiMessage,theirencryptionandsigningpublickeys,APNsaddresses,andassociatedphonenumbersareaddedtothedirectoryservice.
Userscanalsoaddmoreemailaddresses,whichareverifiedbysendingaconfirmationlink.
PhonenumbersareverifiedbythecarriernetworkandSIM.
Withsomenetworks,thisrequiresusingSMS(theuserispresentedwithaconfirmationdialogiftheSMSisnotzerorated).
PhonenumberverificationmayberequiredforseveralsystemservicesinadditiontoiMessage,suchasFaceTimeandiCloud.
Alloftheuser'sregistereddevicesdisplayanalertmessagewhenanewdevice,phonenumber,oremailaddressisadded.
HowiMessagesendsandreceivesmessagesUsersstartanewiMessageconversationbyenteringanaddressorname.
Iftheyenteraphonenumberoremailaddress,thedevicecontactstheAppleIdentityService(IDS)toretrievethepublickeysandAPNsaddressesforallofthedevicesassociatedwiththeaddressee.
Iftheuserentersaname,thedevicefirstusestheuser'sContactsapptogatherthephonenumbersandemailaddressesassociatedwiththatname,thengetsthepublickeysandAPNsaddressesfromIDS.
100Theuser'soutgoingmessageisindividuallyencryptedforeachofthereceiver'sdevices.
ThepublicencryptionkeysandsigningkeysofthereceivingdevicesareretrievedfromIDS.
Foreachreceivingdevice,thesendingdevicegeneratesarandom88-bitvalueandusesitasanHMAC-SHA256keytoconstructa40-bitvaluederivedfromthesenderandreceiverpublickeyandtheplaintext.
Theconcatenationofthe88-bitand40-bitvaluesmakesa128-bitkey,whichencryptsthemessagewithitusingAESinCTRmode.
The40-bitvalueisusedbythereceiversidetoverifytheintegrityofthedecryptedplaintext.
Thisper-messageAESkeyisencryptedusingRSA-OAEPtothepublickeyofthereceivingdevice.
ThecombinationoftheencryptedmessagetextandtheencryptedmessagekeyisthenhashedwithSHA-1,andthehashissignedwithECDSAusingthesendingdevice'sprivatesigningkey.
StartingwithiOS13andiPadOS13.
1,devicesmayuseanECIESencryptioninsteadofRSAencryption.
Theresultingmessages,oneforeachreceivingdevice,consistoftheencryptedmessagetext,theencryptedmessagekey,andthesender'sdigitalsignature.
TheyarethendispatchedtotheAPNsfordelivery.
Metadata,suchasthetimestampandAPNsroutinginformation,isn'tencrypted.
CommunicationwithAPNsisencryptedusingaforward-secretTLSchannel.
APNscanonlyrelaymessagesupto4KBor16KBinsize,dependingoniOSoriPadOSversion.
Ifthemessagetextistoolongorifanattachmentsuchasaphotoisincluded,theattachmentisencryptedusingAESinCTRmodewitharandomlygenerated256-bitkeyanduploadedtoiCloud.
TheAESkeyfortheattachment,itsUniformResourceIdentifier(URI),andaSHA-1hashofitsencryptedformarethensenttotherecipientasthecontentsofaniMessage,withtheirconfidentialityandintegrityprotectedthroughnormaliMessageencryption,asshowninthefollowingdiagram.
HowiMessagesendsandreceivesmessages.
101Forgroupconversations,thisprocessisrepeatedforeachrecipientandtheirdevices.
Onthereceivingside,eachdevicereceivesitscopyofthemessagefromAPNs,and,ifnecessary,retrievestheattachmentfromiCloud.
Theincomingphonenumberoremailaddressofthesenderismatchedtothereceiver'scontactssothatanamecanbedisplayedwhenpossible.
Aswithallpushnotifications,themessageisdeletedfromAPNswhenit'sdelivered.
UnlikeotherAPNsnotifications,however,iMessagemessagesarequeuedfordeliverytoofflinedevices.
Messagesarestoredforupto30days.
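The per-device construction described above (an 88-bit random value, a 40-bit HMAC-SHA256 tag over both public keys and the plaintext, AES-CTR under the concatenated 128-bit key, RSA-OAEP wrapping of that key, and an ECDSA signature over the SHA-1 of ciphertext and wrapped key) is easy to misread, so here is an added Go example that implements it end to end for a single receiving device. It is editorial example code, not Apple's iMessage implementation or any Apple API. Everything the document leaves unspecified is an assumption here: the encoding and order of the HMAC inputs (uncompressed sender P-256 point, receiver RSA modulus, plaintext), the zero CTR IV (acceptable only because each key is generated fresh per message), SHA-1 as the OAEP hash, and ASN.1-encoded ECDSA signatures. It also makes visible a point worth keeping in mind when reviewing such designs: the 40-bit tag by itself is a short integrity check, and it is the ECDSA signature over ciphertext and wrapped key that binds the message to the sending device.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"errors"
)

// Envelope is one per-device iMessage: AES-CTR ciphertext, RSA-OAEP-wrapped 128-bit key, ECDSA signature.
type Envelope struct {
	Ciphertext, WrappedKey, Signature []byte
}

// NewDevicePair makes test keys of the two kinds the document names: ECDSA P-256 for signing, RSA-1280 for encryption.
func NewDevicePair() (*ecdsa.PrivateKey, *rsa.PrivateKey, error) {
	sign, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	enc, err := rsa.GenerateKey(rand.Reader, 1280)
	return sign, enc, err
}

// tag40: HMAC-SHA256 keyed with the 88-bit random, over both public keys and the plaintext, cut to 40 bits.
// The input encoding and order are assumptions; the document only names the inputs.
func tag40(rand88 []byte, sender *ecdsa.PublicKey, receiver *rsa.PublicKey, plaintext []byte) []byte {
	m := hmac.New(sha256.New, rand88)
	m.Write(elliptic.Marshal(elliptic.P256(), sender.X, sender.Y))
	m.Write(receiver.N.Bytes())
	m.Write(plaintext)
	return m.Sum(nil)[:5]
}

// aesCTR applies AES-128-CTR. A zero IV is used only because every key is freshly generated per message.
func aesCTR(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, make([]byte, aes.BlockSize)).XORKeyStream(out, data)
	return out, nil
}

func signedDigest(ct, wrapped []byte) []byte {
	h := sha1.New() // SHA-1 over encrypted text || encrypted key, which the sender then signs
	h.Write(ct)
	h.Write(wrapped)
	return h.Sum(nil)
}

// Seal produces the Envelope for one receiving device.
func Seal(plaintext []byte, sender *ecdsa.PrivateKey, receiver *rsa.PublicKey) (*Envelope, error) {
	rand88 := make([]byte, 11)
	if _, err := rand.Read(rand88); err != nil {
		return nil, err
	}
	key := append(rand88, tag40(rand88, &sender.PublicKey, receiver, plaintext)...) // 88 + 40 = 128 bits
	ct, err := aesCTR(key, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha1.New(), rand.Reader, receiver, key, nil)
	if err != nil {
		return nil, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, sender, signedDigest(ct, wrapped))
	if err != nil {
		return nil, err
	}
	return &Envelope{ct, wrapped, sig}, nil
}

// Open verifies the signature, unwraps the key, decrypts, then recomputes the 40-bit tag from the
// recovered plaintext and compares it with the low 40 bits of the unwrapped key.
func Open(env *Envelope, sender *ecdsa.PublicKey, receiver *rsa.PrivateKey) ([]byte, error) {
	if !ecdsa.VerifyASN1(sender, signedDigest(env.Ciphertext, env.WrappedKey), env.Signature) {
		return nil, errors.New("signature check failed")
	}
	key, err := rsa.DecryptOAEP(sha1.New(), rand.Reader, receiver, env.WrappedKey, nil)
	if err != nil || len(key) != 16 {
		return nil, errors.New("key unwrap failed")
	}
	pt, err := aesCTR(key, env.Ciphertext)
	if err != nil {
		return nil, err
	}
	if !hmac.Equal(key[11:], tag40(key[:11], sender, &receiver.PublicKey, pt)) {
		return nil, errors.New("40-bit integrity tag mismatch")
	}
	return pt, nil
}
```

Open checks in the order a receiver should: signature first (cheap rejection of anything not from the claimed sender), then key unwrap, then the tag recomputed from the decrypted plaintext. A single flipped ciphertext byte is rejected at the signature step; a message that carries a valid signature but whose wrapped key does not match its plaintext is rejected at the tag step.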
iMessage name and photo sharing

iMessage Name and Photo Sharing allows a user to share a Name and Photo using iMessage. The user may select their Me Card information, or customize the name and include any image they choose. iMessage Name and Photo sharing uses a two-stage system to distribute the name and photo. The data is subdivided into fields, each encrypted and authenticated separately as well as authenticated together with the process below. There are three fields: Name, Photo, and Photo filename.

A first step of the data creation is to randomly generate a 128-bit record key on the device. This record key is then derived with HKDF-HMAC-SHA256 to create three subkeys: Key1 : Key2 : Key3 = HKDF(record key, "nicknames"). For each field, a random 96-bit IV is generated and the data is encrypted using AES-CTR and Key1. A message authentication code (MAC) is then computed with HMAC-SHA256 using Key2 and covering the field name, the field IV, and the field ciphertext. Finally, the set of individual field MAC values are concatenated and their MAC is computed with HMAC-SHA256 using Key3. The 256-bit MAC is stored alongside the encrypted data. The first 128 bits of this MAC are used as the RecordID.

This encrypted record is then stored in the CloudKit public database under the RecordID. This record is never mutated; when the user chooses to change their Name and Photo, a new encrypted record is generated each time.

When user 1 chooses to share their Name and Photo with user 2, they send the record key along with the record ID inside their iMessage payload, which is encrypted. When user 2's device receives this iMessage payload, it notices that the payload contains a Nickname and Photo record ID and key. User 2's device then goes out to the public CloudKit database to retrieve the encrypted Name and Photo stored at the record ID that was sent across in the iMessage. Once retrieved, user 2's device decrypts the payload and verifies the MAC, whose first 128 bits must match the record ID itself. If this passes, user 2 is presented with the Name and Photo, and they can choose to add this to their contacts or use it for Messages.
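The record construction just described, as an added Go example (editorial code, not Apple's implementation): HKDF-HMAC-SHA256 subkeys, per-field AES-CTR with a 96-bit IV, a per-field HMAC over field name, IV and ciphertext, and an outer HMAC over the field MACs whose first 128 bits become the RecordID. The recipient side shows why the RecordID doubles as an integrity anchor: the record fetched from the public database is accepted only if its outer MAC, recomputed under the key that arrived inside the iMessage, reproduces the RecordID that arrived alongside it. Assumptions where the document is silent: HKDF-Expand only, with the record key as the PRK and "nicknames" as the info string; three 128-bit subkeys; the 96-bit IV in the high bytes of the 128-bit CTR block; the literal field names used as the labels under the MAC.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Field is one of the three fields, each encrypted and authenticated on its own.
type Field struct {
	Name string // "name", "photo" or "photo-filename", covered by the field MAC
	IV   []byte // random 96-bit IV
	CT   []byte // AES-CTR ciphertext under Key1
	MAC  []byte // HMAC-SHA256(Key2, Name || IV || CT)
}

// Record is stored, never mutated, in the CloudKit public database under its RecordID.
type Record struct {
	Fields []Field
	MAC    []byte // HMAC-SHA256(Key3, MAC_1 || MAC_2 || MAC_3); RecordID is its first 128 bits
}

// hkdfExpand is RFC 5869 HKDF-Expand with HMAC-SHA256; the record key is used directly as the PRK (assumption).
func hkdfExpand(prk []byte, info string, n int) []byte {
	var out, prev []byte
	for i := byte(1); len(out) < n; i++ {
		m := hmac.New(sha256.New, prk)
		m.Write(prev)
		m.Write([]byte(info))
		m.Write([]byte{i})
		prev = m.Sum(nil)
		out = append(out, prev...)
	}
	return out[:n]
}

// ctr96 is AES-128-CTR with the 96-bit IV in the high bytes of the counter block (layout assumed).
func ctr96(key, iv, data []byte) []byte {
	block, _ := aes.NewCipher(key) // key is always 16 bytes here, so this cannot fail
	ctr := make([]byte, aes.BlockSize)
	copy(ctr, iv)
	out := make([]byte, len(data))
	cipher.NewCTR(block, ctr).XORKeyStream(out, data)
	return out
}

func fieldMAC(k2 []byte, name string, iv, ct []byte) []byte {
	m := hmac.New(sha256.New, k2)
	m.Write([]byte(name))
	m.Write(iv)
	m.Write(ct)
	return m.Sum(nil)
}

// SealRecord encrypts the three fields under a fresh 128-bit record key; it returns the record, the 16-byte RecordID and the record key.
func SealRecord(name, photo, photoFilename []byte) (*Record, [16]byte, []byte, error) {
	var id [16]byte
	buf := make([]byte, 16+3*12) // record key followed by three 96-bit IVs
	if _, err := rand.Read(buf); err != nil {
		return nil, id, nil, err
	}
	okm := hkdfExpand(buf[:16], "nicknames", 48) // Key1 : Key2 : Key3 = HKDF(record key, "nicknames")
	k1, k2, k3 := okm[:16], okm[16:32], okm[32:]
	rec := &Record{}
	outer := hmac.New(sha256.New, k3)
	names := []string{"name", "photo", "photo-filename"}
	for i, data := range [][]byte{name, photo, photoFilename} {
		f := Field{Name: names[i], IV: buf[16+12*i : 28+12*i]}
		f.CT = ctr96(k1, f.IV, data)
		f.MAC = fieldMAC(k2, f.Name, f.IV, f.CT)
		outer.Write(f.MAC)
		rec.Fields = append(rec.Fields, f)
	}
	rec.MAC = outer.Sum(nil)
	copy(id[:], rec.MAC)
	return rec, id, buf[:16], nil
}

// OpenRecord is the recipient side: check every field MAC and the outer MAC against the RecordID received in iMessage before releasing plaintext.
func OpenRecord(recordKey []byte, recordID [16]byte, rec *Record) (map[string][]byte, error) {
	okm := hkdfExpand(recordKey, "nicknames", 48)
	k1, k2, k3 := okm[:16], okm[16:32], okm[32:]
	outer := hmac.New(sha256.New, k3)
	out := make(map[string][]byte, len(rec.Fields))
	for _, f := range rec.Fields {
		if !hmac.Equal(f.MAC, fieldMAC(k2, f.Name, f.IV, f.CT)) {
			return nil, errors.New("field MAC mismatch on " + f.Name)
		}
		outer.Write(f.MAC)
		out[f.Name] = ctr96(k1, f.IV, f.CT) // field is authenticated; released only after the outer check
	}
	mac := outer.Sum(nil)
	if !hmac.Equal(mac, rec.MAC) || !hmac.Equal(mac[:16], recordID[:]) {
		return nil, errors.New("record MAC does not match the RecordID")
	}
	return out, nil
}
```

Because the field name is part of each field's MAC input, a record whose "photo" and "photo-filename" ciphertexts were swapped by the storage layer fails verification even though every byte of ciphertext is authentic; and because the RecordID is derived from the outer MAC, the public database cannot serve a different record under the same ID without the check failing.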
Business Chat

Business Chat is a messaging service that enables users to communicate with businesses using the Messages app. Only users can initiate the conversation, and the business receives an opaque identifier for the user. The business doesn't receive the user's phone number, email address, or iCloud account information. When the user chats with Apple, Apple receives a Business Chat ID associated with the user's Apple ID. Users remain in control of whether they want to communicate. Deleting a Business Chat conversation removes it from the user's Messages app and blocks the business from sending further messages to the user.

Messages sent to the business are individually encrypted between the user's device and Apple's messaging servers. Apple's messaging servers decrypt these messages and relay them to the business over TLS. Businesses' replies are similarly sent over TLS to Apple's messaging servers, which then reencrypt the message to the user's device. Unlike iMessage, then, Business Chat is not end-to-end encrypted between the user and the business: Apple's servers see the plaintext on both legs. As with iMessage, messages are queued for delivery to offline devices for up to 30 days.

FaceTime

FaceTime is Apple's video and audio calling service. Like iMessage, FaceTime calls also use the Apple Push Notification service (APNs) to establish an initial connection to the user's registered devices. The audio/video contents of FaceTime calls are protected by end-to-end encryption, so no one but the sender and receiver can access them. Apple can't decrypt the data.

The initial FaceTime connection is made through an Apple server infrastructure that relays data packets between the users' registered devices. Using APNs notifications and Session Traversal Utilities for NAT (STUN) messages over the relayed connection, the devices verify their identity certificates and establish a shared secret for each session. The shared secret is used to derive session keys for media channels streamed using the Secure Real-time Transport Protocol (SRTP). SRTP packets are encrypted using AES-256 in Counter Mode and HMAC-SHA1. Subsequent to the initial connection and security setup, FaceTime uses STUN and Interactive Connectivity Establishment (ICE) to establish a peer-to-peer connection between devices, if possible.

Group FaceTime extends FaceTime to support up to 33 concurrent participants. As with classic one-to-one FaceTime, calls are end-to-end encrypted among the invited participants' devices. Even though Group FaceTime reuses much of the infrastructure and design of one-to-one FaceTime, Group FaceTime calls feature a new key-establishment mechanism built on top of the authenticity provided by Apple Identity Service (IDS). This protocol provides forward secrecy, meaning the compromise of a user's device won't leak the contents of past calls. Session keys are wrapped using AES-SIV and distributed among participants using an ECIES construction with ephemeral P-256 ECDH keys. When a new phone number or email address is added to an ongoing Group FaceTime call, active devices establish new media keys and never share previously used keys with the newly invited devices.

Find My

Find My overview

The Find My app combines Find My iPhone and Find My Friends into a single app in iOS, iPadOS, and macOS. Find My can help users locate a missing device, even an offline Mac. An online device can simply report its location to the user via iCloud. Find My works offline by sending out short-range Bluetooth signals from the missing device that can be detected by other Apple devices in use nearby. Those nearby devices then relay the detected location of the missing device to iCloud so users can locate it in the Find My app, all while protecting the privacy and security of all the users involved. Find My even works with a Mac that is offline and asleep.

Using Bluetooth and the hundreds of millions of iOS, iPadOS, and macOS devices in active use around the world, the user can locate a missing device, even if it can't connect to a Wi-Fi or cellular network. Any iOS, iPadOS, or macOS device with "offline finding" enabled in Find My settings can act as a "finder device." This means the device can detect the presence of another missing offline device using Bluetooth and then use its network connection to report an approximate location back to the owner. When a device has offline finding enabled, it also means that it can be located by other participants in the same way. This entire interaction is end-to-end encrypted, anonymous, and designed to be battery and data efficient, so there is minimal impact on battery life and cellular data plan usage, and user privacy is protected.

Note: Find My may not be available in all countries or regions.

End-to-end encryption in Find My

Find My is built on a foundation of advanced public key cryptography. When offline finding is enabled in Find My settings, an EC P-224 private encryption key pair noted {d, P} is generated directly on the device, where d is the private key and P is the public key. Additionally, a 256-bit secret SK0 is generated and a counter i is initialized to zero. This private key pair and the secret are never sent to Apple and are synced only among the user's other devices in an end-to-end encrypted manner using iCloud Keychain.

The secret and the counter are used to derive the current symmetric key SKi with the following recursive construction:

    SKi = KDF(SKi-1, "update")

Based on the key SKi, two large integers ui and vi are computed with

    (ui, vi) = KDF(SKi, "diversify")

Both the P-224 private key denoted d and the corresponding public key referred to as P are then derived using an affine relation involving the two integers to compute a short-lived key pair: the derived private key is di, where

    di = ui * d + vi (modulo the order of the P-224 curve)

and the corresponding public part is Pi, which verifies

    Pi = ui * P + vi * G

When a device goes missing and can't connect to Wi-Fi or cellular (for example, a MacBook left on a park bench), it begins periodically broadcasting the derived public key Pi for a limited period of time in a Bluetooth payload. By using P-224, the public key representation can fit into a single Bluetooth payload. The surrounding devices can then help in the finding of the offline device by encrypting their location to the public key. Approximately every 15 minutes, the public key is replaced by a new one using an incremented value of the counter and the process above, so that the user can't be tracked by a persistent identifier. The derivation mechanism prevents the various public keys Pi from being linked to the same device.

Locating missing devices in Find My

Any Apple devices within Bluetooth range that have offline finding enabled can detect this signal and read the current broadcast key Pi. Using an ECIES construction and the public key Pi from the broadcast, the finder devices encrypt their current location information and relay it to Apple. The encrypted location is associated with a server index which is computed as the SHA-256 hash of the P-224 public key Pi obtained from the Bluetooth payload. Apple never has the decryption key, so Apple can't read the location encrypted by the finder. The owner of the missing device can reconstruct the index and decrypt the encrypted location.

How Find My locates devices.

When trying to locate the missing device, an expected range of counter values is estimated for the location search period. With the knowledge of the original private P-224 key d and the secret values SKi in the range of counter values of the search period, the owner can then reconstruct the set of values {di, SHA-256(Pi)} for the entire search period. The owner device used to locate the missing device can then perform queries to the server using the set of index values SHA-256(Pi) and download the encrypted locations from the server. The Find My app then locally decrypts the encrypted locations with the matching private keys di and shows an approximate location of the missing device in the app. Location reports from multiple finder devices are combined by the owner's app to generate a more precise location.
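The derivation in the two sections above, as an added Go example over P-224 (editorial code, not Apple's Find My implementation): the SKi chain, the (ui, vi) diversification, the owner-side di = ui * d + vi mod n, the broadcast-side Pi = ui * P + vi * G computed without d, the SHA-256 server index, and the owner's reconstruction of {di, SHA-256(Pi)} over a counter window. It checks the one property everything rests on, di * G == Pi, and shows that consecutive counters give unrelated indices. Assumptions where the document is silent: KDF(key, label) is realised as HMAC-SHA256 in counter mode; ui and vi are reduced into [1, n-1]; the index hashes the uncompressed point encoding. The ECIES encryption of the finder's location to Pi is not part of this example. The low-level crypto/elliptic point operations used here are deprecated in current Go releases but remain available; nistec or a comparable library would replace them in production code.

```go
package main

import (
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"math/big"
)

var curve = elliptic.P224()

// OwnerSecrets: master key pair {d, P} and SK_0, generated once and synced only via iCloud Keychain.
type OwnerSecrets struct {
	D, Px, Py *big.Int
	SK0       []byte
}

// kdf stands in for the document's unspecified KDF(key, label): HMAC-SHA256 in counter mode (assumption).
func kdf(key []byte, label string, n int) []byte {
	var out []byte
	for c := byte(1); len(out) < n; c++ {
		m := hmac.New(sha256.New, key)
		m.Write([]byte(label))
		m.Write([]byte{c})
		out = append(out, m.Sum(nil)...)
	}
	return out[:n]
}

func NewOwnerSecrets() (*OwnerSecrets, error) {
	d, px, py, err := elliptic.GenerateKey(curve, rand.Reader)
	if err != nil {
		return nil, err
	}
	sk0 := make([]byte, 32)
	if _, err := rand.Read(sk0); err != nil {
		return nil, err
	}
	return &OwnerSecrets{D: new(big.Int).SetBytes(d), Px: px, Py: py, SK0: sk0}, nil
}

// keysAt walks SK_i = KDF(SK_{i-1}, "update") forward from SK_0 (i advances about every 15 minutes),
// then derives (u_i, v_i) = KDF(SK_i, "diversify"), each reduced into [1, n-1].
func (o *OwnerSecrets) keysAt(i int) (u, v *big.Int) {
	sk := o.SK0
	for k := 0; k < i; k++ {
		sk = kdf(sk, "update", 32)
	}
	nm1 := new(big.Int).Sub(curve.Params().N, big.NewInt(1))
	buf := kdf(sk, "diversify", 72) // 2 x 288 bits, oversampled so the reduction bias is negligible
	u = new(big.Int).SetBytes(buf[:36])
	v = new(big.Int).SetBytes(buf[36:])
	return u.Mod(u, nm1).Add(u, big.NewInt(1)), v.Mod(v, nm1).Add(v, big.NewInt(1))
}

func scalar(x *big.Int) []byte { return x.FillBytes(make([]byte, 28)) }

// PrivateKeyAt is the owner-side derivation d_i = u_i*d + v_i mod n.
func (o *OwnerSecrets) PrivateKeyAt(i int) *big.Int {
	u, v := o.keysAt(i)
	di := new(big.Int).Mul(u, o.D)
	return di.Mod(di.Add(di, v), curve.Params().N)
}

// BroadcastKeyAt is the BLE-advertised P_i = u_i*P + v_i*G; it needs P and SK_i but never d.
func (o *OwnerSecrets) BroadcastKeyAt(i int) (x, y *big.Int) {
	u, v := o.keysAt(i)
	ux, uy := curve.ScalarMult(o.Px, o.Py, scalar(u))
	vx, vy := curve.ScalarBaseMult(scalar(v))
	return curve.Add(ux, uy, vx, vy)
}

// ServerIndex is computed identically by finder and owner: SHA-256 over the encoded P_i.
func ServerIndex(x, y *big.Int) [32]byte {
	return sha256.Sum256(elliptic.Marshal(curve, x, y))
}

// KeyPairConsistent checks d_i*G == P_i: the owner's d_i opens exactly what a finder encrypted to P_i.
func KeyPairConsistent(o *OwnerSecrets, i int) bool {
	x, y := curve.ScalarBaseMult(scalar(o.PrivateKeyAt(i)))
	bx, by := o.BroadcastKeyAt(i)
	return x.Cmp(bx) == 0 && y.Cmp(by) == 0
}

// OwnerLookup rebuilds {d_i, SHA-256(P_i)} over a counter window and returns d_i for each index
// that has a report; the server sees only indices, never P, d or which indices belong together.
func OwnerLookup(o *OwnerSecrets, from, to int, reports map[[32]byte][]byte) map[[32]byte]*big.Int {
	found := map[[32]byte]*big.Int{}
	for i := from; i <= to; i++ {
		idx := ServerIndex(o.BroadcastKeyAt(i))
		if _, ok := reports[idx]; ok {
			found[idx] = o.PrivateKeyAt(i)
		}
	}
	return found
}
```

The identity behind KeyPairConsistent is simply di * G = (ui * d + vi) * G = ui * (d * G) + vi * G = ui * P + vi * G; because ui and vi come from SKi, anyone without SKi sees a fresh random-looking point every rotation, while the owner, holding d and SK0, can regenerate every di for a search window and match the finder-side indices without revealing d, P or the window to the server.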
105HowtheownergetsthedevicelocationfromFindMy.
IfauserhasFindMyiPhoneenabledontheirdevice,offlinefindingisenabledbydefaultwhentheyupgradeadevicetoiOS13,iPadOS13.
1,andmacOS10.
15.
Thisensureseveryuserhasthebestpossiblechancetolocatetheirdeviceifitgoesmissing.
However,ifatanytimetheuserprefersnottoparticipate,theycandisableofflinefindinginFindMysettingsontheirdevice.
Whenofflinefindingisdisabled,thedevicenolongeractsasafindernorisitdetectablebyotherfinderdevices.
However,theusercanstilllocatethedeviceaslongasitcanconnecttoaWi-Fiorcellularnetwork.
KeepingusersanddevicesanonymousinFindMyInadditiontomakingsurethatlocationinformationandotherdataarefullyencrypted,participants'identitiesremainprivatefromeachotherandfromApple.
ThetrafficsenttoApplebyfinderdevicescontainsnoauthenticationinformationinthecontentsorheaders.
Asaresult,Appledoesn'tknowwhothefinderisorwhosedevicehasbeenfound.
Further,Appledoesn'tloginformationthatwouldrevealtheidentityofthefinder,andretainsnoinformationthatwouldallowanyonetocorrelatethefinderandowner.
Thedeviceownerreceivesonlytheencryptedlocationinformationthat'sdecryptedanddisplayedintheFindMyappwithnoindicationastowhofoundthedevice.
ViewingofflinedevicesinFindMyWhenamissingofflinedeviceislocated,theuserreceivesanotificationandemailmessagetoletthemknowthedevicehasbeenfound.
Toviewthelocationofthemissingdevice,theuseropenstheFindMyappandselectstheDevicestab.
Ratherthanshowingthedeviceonablankmapasitwouldhavepriortothedevicebeinglocated,FindMyshowsamaplocationwithanapproximateaddressandinformationonhowlongagothedevicewasdetected.
Ifmorelocationreportscomein,thecurrentlocationandtimestampbothupdateautomatically.
Whileuserscan'tplayasoundonanofflinedeviceoreraseitremotely,theycanusethelocationinformationtoretracetheirstepsortakeotheractionstohelpthemrecoverit.
106ContinuityContinuityoverviewContinuitytakesadvantageoftechnologieslikeiCloud,Bluetooth,andWi-Fitoenableuserstocontinueanactivityfromonedevicetoanother,makeandreceivephonecalls,sendandreceivetextmessages,andshareacellularInternetconnection.
HandoffWithHandoff,whenauser'siOS,iPadOS,andmacOSdevicesareneareachother,theusercanautomaticallypasswhateverthey'reworkingonfromonedevicetotheother.
Handoffletstheuserswitchdevicesandinstantlycontinueworking.
WhenausersignsintoiCloudonasecondHandoffcapabledevice,thetwodevicesestablishaBluetoothLowEnergy(BLE)4.
2pairingout-of-bandusingAPNs.
TheindividualmessagesareencryptedmuchlikemessagesiniMessageare.
Afterthedevicesarepaired,eachdevicegeneratesasymmetric256-bitAESkeythatgetsstoredinthedevice'sKeychain.
ThiskeycanencryptandauthenticatetheBLEadvertisementsthatcommunicatethedevice'scurrentactivitytootheriCloudpaireddevicesusingAES-256inGCMmode,withreplayprotectionmeasures.
Thefirsttimeadevicereceivesanadvertisementfromanewkey,itestablishesaBLEconnectiontotheoriginatingdeviceandperformsanadvertisementencryptionkeyexchange.
ThisconnectionissecuredusingstandardBLE4.
2encryptionaswellasencryptionoftheindividualmessages,whichissimilartohowiMessageisencrypted.
Insomesituations,thesemessagesaresentusingAPNsinsteadofBLE.
TheactivitypayloadisprotectedandtransferredinthesamewayasaniMessage.
Handoff between native apps and websites

Handoff allows an iOS, iPadOS, or macOS native app to resume user activity on a webpage in domains legitimately controlled by the app developer. It also allows the native app user activity to be resumed in a web browser. To prevent native apps from claiming to resume websites not controlled by the developer, the app must demonstrate legitimate control over the web domains it wants to resume. Control over a website domain is established using the mechanism for shared web credentials. For details, see App access to saved passcodes. The system must validate an app's domain name control before the app is permitted to accept user activity Handoff.

The source of a webpage Handoff can be any browser that has adopted the Handoff APIs. When the user views a webpage, the system advertises the domain name of the webpage in the encrypted Handoff advertisement bytes. Only the user's other devices can decrypt the advertisement bytes. On a receiving device, the system detects that an installed native app accepts Handoff from the advertised domain name and displays that native app icon as the Handoff option. When launched, the native app receives the full URL and the title of the webpage. No other information is passed from the browser to the native app.

In the opposite direction, a native app may specify a fallback URL when a Handoff receiving device doesn't have the same native app installed. In this case, the system displays the user's default browser as the Handoff app option (if that browser has adopted Handoff APIs). When Handoff is requested, the browser is launched and given the fallback URL provided by the source app. There is no requirement that the fallback URL be limited to domain names controlled by the native app developer.

Handoff of larger data

In addition to using the basic feature of Handoff, some apps may elect to use APIs that support sending larger amounts of data over Apple-created peer-to-peer Wi-Fi technology (in a similar fashion to AirDrop). For example, the Mail app uses these APIs to support Handoff of a mail draft, which may include large attachments. When an app uses this facility, the exchange between the two devices starts off just as in Handoff. However, after receiving the initial payload using Bluetooth Low Energy (BLE), the receiving device initiates a new connection over Wi-Fi. This connection is encrypted (with TLS), which exchanges their iCloud identity certificates. The identity in the certificates is verified against the user's identity. Further payload data is sent over this encrypted connection until the transfer completes.

Universal Clipboard

Universal Clipboard leverages Handoff to securely transfer the content of a user's clipboard across devices so they can copy on one device and paste on another. Content is protected the same way as other Handoff data and is shared by default with Universal Clipboard, unless the app developer chooses to disallow sharing. Apps have access to clipboard data regardless of whether the user has pasted the clipboard into the app. With Universal Clipboard, this data access extends to apps on the user's other devices (as established by their iCloud sign-in).
iPhone cellular call relay

When a user's Mac, iPad, iPod touch, or HomePod is on the same Wi-Fi network as their iPhone, it can make and receive phone calls using the cellular connection on iPhone. Configuration requires the devices to be signed in to both iCloud and FaceTime using the same Apple ID account.

When an incoming call arrives, all configured devices are notified using the Apple Push Notification service (APNs), with each notification using the same end-to-end encryption as iMessage. Devices that are on the same network present the incoming call notification UI. Upon answering the call, the audio is seamlessly transmitted from the user's iPhone using a secure peer-to-peer connection between the two devices.

When a call is answered on one device, ringing of nearby iCloud-paired devices is terminated by briefly advertising using Bluetooth Low Energy (BLE). The advertising bytes are encrypted using the same method as Handoff advertisements.

Outgoing calls are also relayed to iPhone using APNs, and audio is similarly transmitted over the secure peer-to-peer link between devices. Users can disable phone call relay on a device by turning off iPhone Cellular Calls in FaceTime settings.

iPhone Text Message Forwarding

Text Message Forwarding automatically sends SMS text messages received on an iPhone to a user's enrolled iPad, iPod touch, or Mac. Each device must be signed in to the iMessage service using the same Apple ID account. When Text Message Forwarding is turned on, enrollment is automatic on devices within a user's circle of trust if two-factor authentication is enabled. Otherwise, enrollment is verified on each device by entering a random six-digit numeric code generated by iPhone.

After devices are linked, iPhone encrypts and forwards incoming SMS text messages to each device, utilizing the methods described in iMessage. Replies are sent back to iPhone using the same method, and then iPhone sends the reply as a text message using the carrier's SMS transmission mechanism. Text Message Forwarding can be turned on or off in Messages settings.

Instant Hotspot

iOS and iPadOS devices that support Instant Hotspot use Bluetooth Low Energy (BLE) to discover and communicate to all devices that have signed in to the same individual iCloud account or accounts used with Family Sharing (in iOS 13 and iPadOS). Compatible Mac computers with OS X 10.10 or later use the same technology to discover and communicate with Instant Hotspot iOS and iPadOS devices.

Initially when a user enters Wi-Fi settings on a device, it emits a BLE advertisement containing an identifier that all devices signed in to the same iCloud account agree upon. The identifier is generated from a DSID (Destination Signaling Identifier) that's tied to the iCloud account and rotated periodically. When other devices signed in to the same iCloud account are in close proximity and support Personal Hotspot, they detect the signal and respond, indicating the availability to use Instant Hotspot.

When a user who isn't part of Family Sharing chooses an iPhone or iPad for Personal Hotspot, a request to turn on Personal Hotspot is sent to that device. The request is sent across a link that is encrypted using BLE encryption, and the request is encrypted in a fashion similar to iMessage encryption. The device then responds across the same BLE link using the same per-message encryption with Personal Hotspot connection information.

For users that are part of Family Sharing, Personal Hotspot connection information is securely shared using a mechanism similar to that used by HomeKit devices to sync information. Specifically, the connection that shares hotspot information between users is secured with an ECDH (Curve25519) ephemeral key that is authenticated with the users' respective device-specific Ed25519 public keys. The public keys used are those that had previously synced between the members of Family Sharing using IDS when the Family Share was established.
Network Security

Network security overview

In addition to the built-in safeguards Apple uses to protect data stored on Apple devices, there are many measures organizations can take to keep information secure as it travels to and from a device. All of these safeguards and measures fall under network security.

Users must be able to access corporate networks from anywhere in the world, so it's important to ensure that they are authorized and that their data is protected during transmission. To accomplish these security objectives, iOS, iPadOS, and macOS integrate proven technologies and the latest standards for both Wi-Fi and cellular data network connections. That's why our operating systems use, and provide developer access to, standard networking protocols for authenticated, authorized, and encrypted communications.

TLS network security

iOS, iPadOS, and macOS support Transport Layer Security (TLS v1.0, TLS v1.1, TLS v1.2, TLS v1.3) and Datagram Transport Layer Security (DTLS). The TLS protocol supports both AES-128 and AES-256, and prefers cipher suites with forward secrecy. Internet apps such as Safari, Calendar, and Mail automatically use this protocol to enable an encrypted communication channel between the device and network services. High-level APIs (such as CFNetwork) make it easy for developers to adopt TLS in their apps, while low-level APIs (Network.framework) provide fine-grained control. CFNetwork disallows SSLv3, and apps that use WebKit (such as Safari) are prohibited from making an SSLv3 connection.

In iOS 11 or later and macOS 10.13 or later, SHA-1 certificates are no longer allowed for TLS connections unless trusted by the user. Certificates with RSA keys shorter than 2048 bits are also disallowed. The RC4 symmetric cipher suite is deprecated in iOS 10 and macOS 10.12. By default, TLS clients or servers implemented with SecureTransport APIs don't have RC4 cipher suites enabled, and are unable to connect when RC4 is the only cipher suite available. To be more secure, services or apps that require RC4 should be upgraded to use modern, secure cipher suites.

In iOS 12.1, certificates issued after October 15, 2018, from a system-trusted root certificate must be logged in a trusted Certificate Transparency log to be allowed for TLS connections. In iOS 12.2, TLS 1.3 is enabled by default for Network.framework and NSURLSession APIs. TLS clients using the SecureTransport APIs can't use TLS 1.3.

App Transport Security

App Transport Security provides default connection requirements so that apps adhere to best practices for secure connections when using NSURLConnection, CFURL, or NSURLSession APIs. By default, App Transport Security limits cipher selection to include only suites that provide forward secrecy, specifically ECDHE_ECDSA_AES and ECDHE_RSA_AES in GCM or CBC mode. Apps are able to disable the forward secrecy requirement per-domain, in which case RSA_AES is added to the set of available ciphers.

Servers must support TLS v1.2 and forward secrecy, and certificates must be valid and signed using SHA-256 or stronger with a minimum 2048-bit RSA key or 256-bit elliptic curve key. Network connections that don't meet these requirements will fail, unless the app overrides App Transport Security. Invalid certificates always result in a hard failure and no connection. App Transport Security is automatically applied to apps that are compiled for iOS 9 or later and macOS 10.11 or later.
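The TLS and App Transport Security requirements above (TLS 1.2 or newer, ECDHE-only cipher suites for forward secrecy, SHA-256 or stronger signatures, RSA keys of at least 2048 bits or EC keys of at least 256 bits) can be reproduced for a client written in another environment. The following is an added example, not Apple's code: it builds a Python standard-library TLS context with the same defaults and adds a small policy check for certificate parameters. The OpenSSL cipher names are assumptions about what the local OpenSSL build offers; the policy function takes already-parsed certificate facts rather than parsing a certificate itself.

```python
"""Added example (not Apple's code): a client TLS context mirroring the
App Transport Security defaults, plus a certificate-parameter policy check."""
import ssl

# ECDHE key exchange only (forward secrecy), AES in GCM or CBC mode,
# ECDSA or RSA server authentication. OpenSSL suite names are assumed
# to exist in the local build; unknown names are simply ignored by OpenSSL.
ATS_CIPHERS = ":".join([
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-ECDSA-AES128-SHA256",
    "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES128-SHA256",
])

_STRONG_HASHES = {"sha256", "sha384", "sha512"}


def make_ats_context() -> ssl.SSLContext:
    """Client context: certificate and hostname verification on,
    TLS 1.2 as the floor, forward-secret suites only."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # ATS: servers must support TLS 1.2
    ctx.set_ciphers(ATS_CIPHERS)
    return ctx


def describe_context(ctx: ssl.SSLContext) -> dict:
    """Plain values describing the context, for checks and logging."""
    return {
        "min_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


def non_forward_secret_suites(ctx: ssl.SSLContext) -> list:
    """Names of enabled TLS 1.2 suites whose key exchange is not ECDHE.
    TLS 1.3 suites are skipped: every one of them uses ephemeral (EC)DH."""
    bad = []
    for suite in ctx.get_ciphers():
        if suite["protocol"] == "TLSv1.3":
            continue
        if not suite["name"].startswith("ECDHE-"):
            bad.append(suite["name"])
    return bad


def certificate_meets_ats(signature_hash: str, key_type: str, key_bits: int) -> bool:
    """Certificate parameters ATS requires on top of ordinary trust evaluation:
    SHA-256 or stronger signature, RSA >= 2048 bits or EC >= 256 bits."""
    if signature_hash.lower() not in _STRONG_HASHES:
        return False
    kind = key_type.upper()
    if kind == "RSA":
        return key_bits >= 2048
    if kind in ("EC", "ECDSA"):
        return key_bits >= 256
    return False


if __name__ == "__main__":
    ctx = make_ats_context()
    print(describe_context(ctx))
    print("non-forward-secret suites:", non_forward_secret_suites(ctx))
    print("sha1/RSA-4096 accepted:", certificate_meets_ats("sha1", "RSA", 4096))
```

The per-domain exception the text mentions (RSA_AES added when forward secrecy is disabled for a domain) would correspond to appending `AES256-GCM-SHA384`-style suites for that host only; the default context above deliberately has none of them, so `non_forward_secret_suites` returning an empty list is the property to check.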
Certificate Validity Checking

Evaluating the trusted status of a TLS certificate is performed in accordance with established industry standards, as set out in RFC 5280, and incorporates emerging standards such as RFC 6962 (Certificate Transparency). In iOS 11 or later and macOS 10.13 or later, Apple devices are periodically updated with a current list of revoked and constrained certificates. The list is aggregated from certificate revocation lists (CRLs) which are published by each of the built-in root certificate authorities trusted by Apple, as well as their subordinate CA issuers. The list may also include other constraints at Apple's discretion.

This information is consulted whenever a network API function is used to make a secure connection. If there are too many revoked certificates from a CA to list individually, a trust evaluation may instead require that an online certificate status response (OCSP) is needed, and if the response is not available, the trust evaluation will fail.

Virtual Private Networks (VPNs)

Secure network services like virtual private networking typically require minimal setup and configuration to work with iOS, iPadOS, and macOS devices. These devices work with VPN servers that support the following protocols and authentication methods:

- IKEv2/IPSec with authentication by shared secret, RSA Certificates, ECDSA Certificates, EAP-MSCHAPv2, or EAP-TLS
- SSL-VPN using the appropriate client app from the App Store
- L2TP/IPSec with user authentication by MS-CHAPV2 password and machine authentication by shared secret (iOS, iPadOS, and macOS) and RSA SecurID or CRYPTOCard (macOS only)
- Cisco IPSec with user authentication by password, RSA SecurID or CRYPTOCard, and machine authentication by shared secret and certificates (macOS only)

iOS, iPadOS, and macOS support the following:

- VPN On Demand: For networks that use certificate-based authentication. IT policies specify which domains require a VPN connection by using a VPN configuration profile.
- Per App VPN: For facilitating VPN connections on a much more granular basis. Mobile device management (MDM) solutions can specify a connection for each managed app and specific domains in Safari. This helps ensure that secure data always goes to and from the corporate network—and that a user's personal data doesn't.
- Always-on VPN: Which can be configured for devices managed through an MDM solution and supervised using Apple Configurator 2, Apple School Manager, or Apple Business Manager. This eliminates the need for users to turn on VPN to enable protection when connecting to cellular and Wi-Fi networks. Always-on VPN gives an organization full control over device traffic by tunneling all IP traffic back to the organization. The default tunneling protocol, IKEv2, secures traffic transmission with data encryption. The organization can monitor and filter traffic to and from its devices, secure data within its network, and restrict device access to the Internet.
Wi-Fi Security

Protocol security

All Apple platforms support industry-standard Wi-Fi authentication and encryption protocols, to provide authenticated access and confidentiality when connecting to the following secure wireless networks:

- WPA2 Personal
- WPA2 Enterprise
- WPA2/WPA3 Transitional
- WPA3 Personal
- WPA3 Enterprise
- WPA3 Enterprise 192-bit security

WPA2 and WPA3 authenticate each connection, and provide 128-bit AES encryption to ensure confidentiality for data sent over the air. This grants users the highest level of assurance that their data remains protected when sending and receiving communications over a Wi-Fi network connection.

WPA3 is supported on the following:

- iPhone 7 or later
- iPad 5th generation or later
- Apple TV 4K or later
- Apple Watch series 3 or later
- Late 2013 and newer Mac computers with 802.11ac or later

Newer devices support authentication with WPA3 Enterprise 192-bit security, including support for 256-bit AES encryption when connecting to compatible wireless access points (APs). This provides even stronger confidentiality protections for traffic sent over the air. WPA3 Enterprise 192-bit security is supported on iPhone 11, iPhone 11 Pro, iPhone 11 Pro Max, and newer iOS and iPadOS devices.

In addition to protecting data sent over the air, Apple platforms extend WPA2 and WPA3 level protections to unicast and multicast management frames through the Protected Management Frame (PMF) service defined in 802.11w. PMF support is available on the following:

- iPhone 6 or later
- iPad Air 2 or later
- Apple TV 4th generation or later
- Apple Watch series 3 or later
- Late 2013 and newer Mac computers with 802.11ac or later

With support for 802.1X, Apple devices can be integrated into a broad range of RADIUS authentication environments. 802.1X wireless authentication methods supported include EAP-TLS, EAP-TTLS, EAP-FAST, EAP-SIM, PEAPv0, and PEAPv1.

Deprecated protocols

Apple products support the following deprecated Wi-Fi authentication and encryption protocols:

- WEP Open, with both 40-bit and 104-bit keys
- WEP Shared, with both 40-bit and 104-bit keys
- Dynamic WEP
- Temporal Key Integrity Protocol (TKIP)
- WPA
- WPA/WPA2 Transitional

These protocols are no longer considered secure, and their use is strongly discouraged for compatibility, reliability, performance, and security reasons. They are supported for backward compatibility purposes only and may be removed in future software versions. All Wi-Fi implementations are strongly urged to migrate to WPA3 Personal or WPA3 Enterprise, to provide the most robust, secure, and compatible Wi-Fi connections possible.
Wi-Fi privacy

MAC address randomization

Apple platforms use a randomized Media Access Control (MAC) address when performing Wi-Fi scans when not associated with a Wi-Fi network. These scans can be performed to find and connect to a known Wi-Fi network or to assist Location Services for apps that use geofences, such as location-based reminders or fixing a location in Apple Maps. Note that Wi-Fi scans that happen while trying to connect to a preferred Wi-Fi network aren't randomized.

Apple platforms also use a randomized MAC address when conducting enhanced Preferred Network Offload (ePNO) scans when a device isn't associated with a Wi-Fi network or its processor is asleep. ePNO scans are run when a device uses Location Services for apps that use geofences, such as location-based reminders that determine whether the device is near a specific location.

Because a device's MAC address now changes when disconnected from a Wi-Fi network, it can't be used to persistently track a device by passive observers of Wi-Fi traffic, even when the device is connected to a cellular network. Apple has informed Wi-Fi manufacturers that iOS and iPadOS Wi-Fi scans use a randomized MAC address, and that neither Apple nor manufacturers can predict these randomized MAC addresses. Wi-Fi MAC address randomization support is available on iPhone 5 or later.

Wi-Fi frame sequence number randomization

Wi-Fi frames include a sequence number, which is used by the low-level 802.11 protocol to enable efficient and reliable Wi-Fi communications. Because these sequence numbers increment on each transmitted frame, they could be used to correlate information transmitted during Wi-Fi scans with other frames transmitted by the same device. To guard against this, Apple devices randomize the sequence numbers whenever a MAC address is changed to a new randomized address. This includes randomizing the sequence numbers for each new scan request that is initiated while the device is unassociated. This randomization is supported on the following devices:

- iPhone 7 or later
- iPad 5th generation or later
- Apple TV 4K or later
- Apple Watch series 3 or later
- iMac Pro (Retina 5K, 27-inch, 2017) or later
- MacBook Pro (13-inch, 2018) or later
- MacBook Pro (15-inch, 2018) or later
- MacBook Air (Retina, 13-inch, 2018) or later
- Mac mini (2018) or later
- iMac (Retina 4K, 21.5-inch, 2019) or later
- iMac (Retina 5K, 27-inch, 2019) or later
- Mac Pro (2019) or later

Wi-Fi connections and hidden networks

Connections

Apple generates randomized MAC addresses for the Peer-to-Peer Wi-Fi connections that are used for AirDrop and AirPlay. Randomized addresses are also used for Personal Hotspot on iOS and iPadOS (with a SIM card) and Internet Sharing on macOS. New random addresses are generated whenever these network interfaces are started, and unique addresses are independently generated for each interface as needed.
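The two privacy measures described above, a fresh randomized MAC address and a fresh sequence counter for every unassociated scan, are easy to get subtly wrong: a randomized address must still be a valid locally administered unicast address, and a counter that survives an address change undoes the address change. The following added example (not Apple's code, written for this page) generates both values and shows the correlation check a passive observer could apply to two probe frames, so a defender can confirm that consecutive scans are not linkable. The 16-frame linking window is an assumption chosen for illustration.

```python
"""Added example (not Apple's code): randomized MAC plus per-scan sequence
number, with the observer-side linkability check the text guards against."""
import secrets
from dataclasses import dataclass

SEQ_MASK = 0x0FFF          # 802.11 sequence numbers are 12 bits wide
LINK_WINDOW = 16           # assumed: counters this close are "continuations"


def random_mac() -> str:
    """Random MAC that is locally administered (bit 1 of octet 0 set)
    and unicast (bit 0 of octet 0 clear), formatted as colon-hex."""
    octets = bytearray(secrets.token_bytes(6))
    octets[0] = (octets[0] | 0x02) & 0xFE
    return ":".join(f"{o:02x}" for o in octets)


def is_locally_administered_unicast(mac: str) -> bool:
    first = int(mac.split(":")[0], 16)
    return bool(first & 0x02) and not (first & 0x01)


@dataclass
class ScanIdentity:
    """Transmit identity used for one unassociated scan."""
    mac: str
    seq: int   # next 12-bit sequence number to place in a frame

    def next_frame_seq(self) -> int:
        current = self.seq
        self.seq = (self.seq + 1) & SEQ_MASK
        return current


def new_scan_identity() -> ScanIdentity:
    """Fresh MAC and a random starting counter: neither value carries
    over from the previous scan, so frames cannot be chained across scans."""
    return ScanIdentity(random_mac(), secrets.randbelow(SEQ_MASK + 1))


def frames_linkable(earlier: ScanIdentity, later: ScanIdentity) -> bool:
    """Naive correlation an observer could attempt on two probe frames:
    same source MAC, or a sequence number that continues the earlier one
    despite a changed MAC. Returns True when the frames look like one device."""
    if earlier.mac == later.mac:
        return True
    return ((later.seq - earlier.seq) & SEQ_MASK) < LINK_WINDOW


if __name__ == "__main__":
    first, second = new_scan_identity(), new_scan_identity()
    for _ in range(5):
        first.next_frame_seq()
    print(first.mac, second.mac, "linkable:", frames_linkable(first, second))
```

The constructed cases in the check below make the failure mode concrete: a device that changes its MAC but keeps counting from 105 is still linkable to the frames it sent as the old address; one that also reseeds the counter is not.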
Hidden networks

Wi-Fi networks are identified by their network name, known as a Service Set Identifier (SSID). Some Wi-Fi networks are configured to hide their SSID, which results in the wireless access point not broadcasting the network's name. These are known as hidden networks. iPhone 6s or later automatically detects when a network is hidden. If a network is hidden, the iOS or iPadOS device sends a probe with the SSID included in the request—not otherwise. This prevents the device from broadcasting the name of previously hidden networks a user was connected to, thereby further ensuring privacy.

To mitigate the privacy problems posed by hidden networks, iPhone 6s or later automatically detects when a network is hidden. If the network is not hidden, the iOS or iPadOS device won't send a probe with the SSID included in the request. This prevents the device from broadcasting the name of non-hidden known networks, and hence ensures that it doesn't reveal that it's looking for those networks.

Platform protections

Apple operating systems protect the device from vulnerabilities in network processor firmware: network controllers, including Wi-Fi, have limited access to application processor memory. When USB or SDIO is used to interface with the network processor, the network processor can't initiate Direct Memory Access (DMA) transactions to the application processor. When PCIe is used, each network processor is on its own isolated PCIe bus. An IOMMU on each PCIe bus further limits the network processor's DMA access to only memory and resources containing its network packets and control structures.
Bluetooth security

There are two types of Bluetooth in Apple devices, Bluetooth Classic and Bluetooth Low Energy (BLE). The Bluetooth security model for both versions includes the following distinct security features:

- Pairing: The process for creating one or more shared secret keys
- Bonding: The act of storing the keys created during pairing for use in subsequent connections to form a trusted device pair
- Authentication: Verifying that the two devices have the same keys
- Encryption: Message confidentiality
- Message integrity: Protection against message forgeries
- Secure Simple Pairing: Protection against passive eavesdropping and protection against man-in-the-middle (MITM) attacks

Bluetooth version 4.1 added the Secure Connections feature to the BR/EDR physical transport. The security features for each type of Bluetooth are listed below:

| Support | Bluetooth Classic | Bluetooth Low Energy |
|---|---|---|
| Pairing | P-256 elliptic curve | FIPS-approved algorithms (AES-CMAC and P-256 elliptic curve) |
| Bonding | Pairing information is stored in a secure location on iOS, iPadOS, macOS, tvOS, and watchOS devices | Pairing information is stored in a secure location on iOS, iPadOS, macOS, tvOS, and watchOS devices |
| Authentication | FIPS-approved algorithms (HMAC-SHA-256 and AES-CTR) | FIPS-approved algorithms |
| Encryption | AES-CCM cryptography performed in the Controller | AES-CCM cryptography performed in the Controller |
| Message integrity | AES-CCM is used for message integrity | AES-CCM is used for message integrity |
| Secure Simple Pairing: Protection against passive eavesdropping | Elliptic Curve Diffie-Hellman Exchange (ECDHE) | Elliptic Curve Diffie-Hellman Exchange (ECDHE) |
| Secure Simple Pairing: Protection against man-in-the-middle (MITM) attacks | Two user assisted numeric methods: numerical comparison or passkey entry | Two user assisted numeric methods: numerical comparison or passkey entry |
| Pairings require a user response, including all non-MITM pairing modes | Bluetooth 4.1 or later: iMac Late 2015 or later; MacBook Pro Early 2015 or later; iOS 9 or later; iPadOS 13.1 or later; macOS 10.12 or later; tvOS 9 or later; watchOS 2.0 or later | Bluetooth 4.2 or later: iPhone 6 or later; iOS 9 or later; iPadOS 13.1 or later; macOS 10.12 or later; tvOS 9 or later; watchOS 2.0 or later |

Bluetooth Low Energy privacy

To help secure user privacy, BLE includes the following two features, address randomization and cross-transport key derivation. Address randomization is a feature that reduces the ability to track a BLE device over a period of time by changing the Bluetooth device address on a frequent basis. For a device using the privacy feature to reconnect to known devices, the device address, referred to as the private address, must be resolvable by the other device. The private address is generated using the device's resolving identity key (IRK) exchanged during the pairing procedure.

iOS 13 and iPadOS 13.1 have the ability to derive link keys across transports. For example, a link key generated with BLE can be used to derive a Bluetooth Classic link key. In addition, Apple added Bluetooth Classic to BLE support for devices that support the Secured Connections feature that was introduced in Bluetooth Core Specification 4.1 (see Bluetooth Core Specification 5.1).
Ultra Wideband technology

The new Apple designed U1 chip uses Ultra Wideband technology for spatial awareness—allowing iPhone 11, iPhone 11 Pro, and iPhone 11 Pro Max to precisely locate other U1 equipped Apple devices. Ultra Wideband technology uses the same technology to randomize data found in other supported Apple devices:

- MAC address randomization, as on other supported Apple devices
- Wi-Fi frame sequence number randomization

Single sign-on

Single sign-on

iOS and iPadOS support authentication to enterprise networks through Single sign-on (SSO). SSO works with Kerberos-based networks to authenticate users to services they are authorized to access. SSO can be used for a range of network activities, from secure Safari sessions to third-party apps. Certificate-based authentication (such as PKINIT) is also supported.

macOS supports authentication to enterprise networks using Kerberos. Apps can use Kerberos to authenticate users to services they're authorized to access. Kerberos can also be used for a range of network activities, from secure Safari sessions and network file system authentication to third-party apps. Certificate-based authentication (PKINIT) is supported, although app adoption of a developer API is required.

iOS, iPadOS, and macOS SSO use SPNEGO tokens and the HTTP Negotiate protocol to work with Kerberos-based authentication gateways and Windows Integrated Authentication systems that support Kerberos tickets. SSO support is based on the open source Heimdal project. The following encryption types are supported in iOS, iPadOS, and macOS:

- AES-128-CTS-HMAC-SHA1-96
- AES-256-CTS-HMAC-SHA1-96
- DES3-CBC-SHA1
- ARCFOUR-HMAC-MD5

Safari supports SSO, and third-party apps that use standard iOS and iPadOS networking APIs can also be configured to use it. To configure SSO, iOS and iPadOS support a configuration profile payload that allows mobile device management (MDM) solutions to push down the necessary settings. This includes setting the user principal name (that is, the Active Directory user account) and Kerberos realm settings, as well as configuring which apps and Safari web URLs should be allowed to use SSO. To configure Kerberos in macOS, acquire tickets with Ticket Viewer, log in to a Windows Active Directory domain, or use the kinit command-line tool.

Extensible Single sign-on

App developers can provide their own single sign-on implementations using SSO extensions. SSO extensions are invoked when a native or web app needs to use some identity provider for user authentication. Developers can provide two types of extensions: those that redirect to HTTPS and those that use a challenge/response mechanism such as Kerberos. This allows OpenID, OAuth, SAML2 and Kerberos authentication schemes to be supported by Extensible Single sign-on.

To use a Single sign-on extension, an app can either use the Authentication Services API or can rely on the URL interception mechanism offered by the operating system. WebKit and CFNetwork provide an interception layer that enables seamless support of Single sign-on for any native or WebKit app. For a Single sign-on extension to be invoked, a configuration provided by an administrator has to be installed through a mobile device management (MDM) profile. In addition, redirect type extensions must use the Associated Domains payload to prove that the identity server they support is aware of their existence. The only extension provided with the operating system is the Kerberos SSO extension.
AirDrop security

Apple devices that support AirDrop use Bluetooth Low Energy (BLE) and Apple-created peer-to-peer Wi-Fi technology to send files and information to nearby devices, including AirDrop-capable iOS devices running iOS 7 or later and Mac computers running OS X 10.11 or later. The Wi-Fi radio is used to communicate directly between devices without using any Internet connection or wireless access point (AP). In macOS, this connection is encrypted with TLS. AirDrop is set to share with Contacts Only by default. Users can also choose to use AirDrop to share with everyone, or turn off the feature entirely. Organizations can restrict the use of AirDrop for devices or apps being managed by using a mobile device management (MDM) solution.

AirDrop operation

AirDrop uses iCloud services to help users authenticate. When a user signs in to iCloud, a 2048-bit RSA identity is stored on the device, and when the user enables AirDrop, an AirDrop short identity hash is created based on the email addresses and phone numbers associated with the user's Apple ID.

When a user chooses AirDrop as the method for sharing an item, the sending device emits an AirDrop signal over BLE that includes the user's AirDrop short identity hash. Other Apple devices that are awake, in close proximity, and have AirDrop turned on, detect the signal and respond using peer-to-peer Wi-Fi, so that the sending device can discover the identity of any responding devices.

In Contacts Only mode, the received AirDrop short identity hash is compared with hashes of people in the receiving device's Contacts app. If a match is found, the receiving device responds over peer-to-peer Wi-Fi with its identity information. If there is no match, the device does not respond. In Everyone mode, the same overall process is used. However, the receiving device responds even if there is no match in the device's Contacts app.

The sending device then initiates an AirDrop connection using peer-to-peer Wi-Fi, using this connection to send a long identity hash to the receiving device. If the long identity hash matches the hash of a known person in the receiver's Contacts, then the receiver responds with its long identity hashes. If the hashes are verified, the recipient's first name and photo (if present in Contacts) are displayed in the sender's AirDrop share sheet. In iOS and iPadOS, they are shown in the "People" or "Devices" section. Devices that aren't verified or authenticated are displayed in the sender's AirDrop share sheet with a silhouette icon and the device's name, as defined in Settings > General > About > Name. In iOS and iPadOS, they are placed in the "Other People" section of the AirDrop share sheet.

The sending user may then select whom they want to share with. Upon user selection, the sending device initiates an encrypted (TLS) connection with the receiving device, which exchanges their iCloud identity certificates. The identity in the certificates is verified against each user's Contacts app. If the certificates are verified, the receiving user is asked to accept the incoming transfer from the identified user or device. If multiple recipients have been selected, this process is repeated for each destination.
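The AirDrop operation above is a two-stage match: a short identity hash in the BLE advertisement decides only whether a receiver in Contacts Only mode answers at all, and a long identity hash exchanged over peer-to-peer Wi-Fi (followed by certificate verification) decides who the sender actually is. The following is an added example, not Apple's code, that models that receiver-side decision. The page does not state how the hashes are built, so the constructions here are assumptions for illustration only: identifiers are normalized, the long hash is SHA-256 over the identifier, and the short hash is its first two bytes. The address book is constructed sample data.

```python
"""Added example (not Apple's code): receiver-side Contacts Only matching,
short hash as a filter, long hash as the real check. Hash constructions
and the sample contacts are assumptions made for this illustration."""
import hashlib


def normalize(identifier: str) -> str:
    """Assumed normalization: lowercase e-mail; digits only for phone numbers."""
    ident = identifier.strip().lower()
    if "@" not in ident:
        ident = "".join(ch for ch in ident if ch.isdigit())
    return ident


def long_hash(identifier: str) -> bytes:
    """Assumed long identity hash: full SHA-256 of the normalized identifier."""
    return hashlib.sha256(normalize(identifier).encode()).digest()


def short_hash(identifier: str) -> bytes:
    """Assumed short identity hash: first 2 bytes of the long hash."""
    return long_hash(identifier)[:2]


# Constructed address book of the receiving device (sample data).
CONTACTS = {
    "Alice": ["alice@example.com", "+1 555 0100"],
    "Bob": ["bob@example.org"],
}


def contacts_only_candidates(received_short: bytes, contacts=CONTACTS) -> list:
    """Names whose identifiers share the advertised short hash. A 16-bit
    value can collide, so this only decides whether to answer the BLE
    signal; it does not identify the sender."""
    return [name for name, ids in contacts.items()
            if any(short_hash(i) == received_short for i in ids)]


def receiver_responds(mode: str, received_short: bytes, contacts=CONTACTS) -> bool:
    """Stage 1: answer over peer-to-peer Wi-Fi or stay silent."""
    if mode == "everyone":
        return True
    if mode == "contacts_only":
        return bool(contacts_only_candidates(received_short, contacts))
    return False   # AirDrop turned off


def verify_long_hash(received_long: bytes, contacts=CONTACTS):
    """Stage 2: the full-length hash sent over the Wi-Fi connection must
    match a known person exactly; returns the contact name or None."""
    for name, ids in contacts.items():
        if any(long_hash(i) == received_long for i in ids):
            return name
    return None


if __name__ == "__main__":
    adv = short_hash("Alice@Example.com")
    print("responds:", receiver_responds("contacts_only", adv))
    print("verified as:", verify_long_hash(long_hash("+1 (555) 0100")))
```

Because stage 1 works on a 2-byte value, a receiver that trusted it alone could show a stranger as a known contact; the design in the text avoids that by never displaying a name until the long hash and then the iCloud identity certificate have been checked.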
Wi-Fi password sharing

iOS and iPadOS devices that support Wi-Fi password sharing use a mechanism similar to AirDrop to send a Wi-Fi password from one device to another. When a user selects a Wi-Fi network (requestor) and is prompted for the Wi-Fi password, the Apple device starts a Bluetooth Low Energy (BLE) advertisement indicating that it wants the Wi-Fi password. Other Apple devices that are awake, in close proximity, and have the password for the selected Wi-Fi network connect using BLE to the requesting device. The device that has the Wi-Fi password (grantor) requires the Contact information of the requestor, and the requestor must prove their identity using a similar mechanism to AirDrop. After identity is proven, the grantor sends the requestor the passcode which can be used to join the network. Organizations can restrict the use of Wi-Fi password sharing for devices or apps being managed through a mobile device management (MDM) solution.

Firewall in macOS

macOS includes a built-in firewall to protect the Mac from network access and denial-of-service attacks. It can be configured in the Security & Privacy preference pane of System Preferences and supports the following configurations:

- Block all incoming connections, regardless of app
- Automatically allow built-in software to receive incoming connections
- Automatically allow downloaded and signed software to receive incoming connections
- Add or deny access based on user-specified apps
- Prevent the Mac from responding to ICMP probing and portscan requests

Developer Kits

Developer kits overview

Apple provides a number of frameworks to enable third-party developers to extend Apple services. These frameworks are built with user security and privacy at their core:

- HomeKit
- HealthKit
- CloudKit
- SiriKit
- DriverKit
- ReplayKit
- Camera and ARKit

HomeKit

HomeKit identity

HomeKit provides a home automation infrastructure that uses iCloud and iOS, iPadOS, and macOS security to protect and synchronize private data without exposing it to Apple. HomeKit identity and security are based on Ed25519 public-private key pairs. An Ed25519 key pair is generated on the iOS, iPadOS, and macOS device for each user for HomeKit, which becomes their HomeKit identity. It's used to authenticate communication between iOS, iPadOS, and macOS devices, and between iOS, iPadOS, and macOS devices and accessories.

The keys (stored in Keychain and included only in encrypted Keychain backups) are synchronized between devices using iCloud Keychain, where available. HomePod and Apple TV receive keys using tap-to-setup or the setup mode described below. Keys are shared from an iPhone to a paired Apple Watch using Apple Identity Service (IDS).
Communication with HomeKit accessories

HomeKit accessories generate their own Ed25519 key pair for use in communicating with iOS, iPadOS, and macOS devices. If the accessory is restored to factory settings, a new key pair is generated. To establish a relationship between an iOS, iPadOS, and macOS device and a HomeKit accessory, keys are exchanged using Secure Remote Password (3072-bit) protocol utilizing an eight-digit code provided by the accessory's manufacturer, entered on the iOS, iPadOS device by the user, and then encrypted using CHACHA20-POLY1305 AEAD with HKDF-SHA-512 derived keys. The accessory's MFi certification is also verified during setup. Accessories without an MFi chip can build in support for software authentication on iOS 11.3 or later.

When the iOS, iPadOS, and macOS device and the HomeKit accessory communicate during use, each authenticates the other using the keys exchanged in the above process. Each session is established using the Station-to-Station protocol and is encrypted with HKDF-SHA-512 derived keys based on per-session Curve25519 keys. This applies to both IP-based and Bluetooth Low Energy (BLE) accessories.

For BLE devices that support broadcast notifications, the accessory is provisioned with a broadcast encryption key by a paired iOS, iPadOS, and macOS device over a secure session. This key is used to encrypt the data about state changes on the accessory, which are notified using the BLE advertisements. The broadcast encryption key is an HKDF-SHA-512 derived key, and the data is encrypted using CHACHA20-POLY1305 Authenticated Encryption with Associated Data (AEAD) algorithm. The broadcast encryption key is periodically changed by the iOS, iPadOS, and macOS device and synchronized to other devices using iCloud as described in Data synchronization between devices and users.
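Both the pairing step and every later session above rely on HKDF-SHA-512 to turn a shared secret (from SRP, or from the per-session Curve25519 exchange) into the keys that ChaCha20-Poly1305 actually uses, and the broadcast key is derived the same way. The following added example, not Apple's or HomeKit's code, implements RFC 5869 HKDF from the standard library with a selectable hash, so it can be checked against the RFC's SHA-256 test vector and then used with SHA-512 to derive separate per-direction session keys from one shared secret. The shared secret, salt, and info labels are constructed for the example; HomeKit's real labels are not given on this page.

```python
"""Added example (not Apple's or HomeKit's code): RFC 5869 HKDF with a
selectable hash, used with SHA-512 to derive per-direction session keys."""
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha512") -> bytes:
    """PRK = HMAC-Hash(salt, IKM); an empty salt means HashLen zero bytes."""
    if not salt:
        salt = bytes(hashlib.new(hash_name).digest_size)
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int,
                hash_name: str = "sha512") -> bytes:
    """OKM = T(1) | T(2) | ... with T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    hash_len = hashlib.new(hash_name).digest_size
    if length > 255 * hash_len:
        raise ValueError("requested length exceeds 255 * HashLen")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int,
         hash_name: str = "sha512") -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm, hash_name), info, length, hash_name)


def derive_session_keys(shared_secret: bytes) -> dict:
    """Two 32-byte ChaCha20-Poly1305 keys, one per direction, bound to
    distinct info labels so a key is never reused for the reverse direction.
    Salt and labels are constructed for this example, not HomeKit's."""
    salt = b"Example-Session-Salt"
    return {
        "controller_to_accessory": hkdf(shared_secret, salt, b"Example-Control-Write", 32),
        "accessory_to_controller": hkdf(shared_secret, salt, b"Example-Control-Read", 32),
    }


if __name__ == "__main__":
    keys = derive_session_keys(b"constructed shared secret from X25519")
    for direction, key in keys.items():
        print(direction, key.hex())
```

Using different `info` labels for the two directions is the part worth copying: with a single derived key, a message replayed back at its sender would decrypt and authenticate, and the AEAD gives no protection against that on its own.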
HomeKitlocaldatastorageHomeKitstoresdataaboutthehomes,accessories,scenes,andusersonauser'siOS,iPadOS,andmacOSdevice.
Thisstoreddataisencryptedusingkeysderivedfromtheuser'sHomeKitidentitykeys,plusarandomnonce.
Additionally,HomeKitdataisstoredusingDataProtectionclassProtectedUntilFirstUserAuthentication.
HomeKitdataisonlybackedupinencryptedbackups,so,forexample,unencryptediTunesbackupsdon'tcontainHomeKitdata.
DatasynchronizationbetweendevicesandusersHomeKitdatacanbesynchronizedbetweenauser'siOS,iPadOS,andmacOSdevicesusingiCloudandiCloudKeychain.
TheHomeKitdataisencryptedduringthesynchronizationusingkeysderivedfromtheuser'sHomeKitidentityandrandomnonce.
Thisdataishandledasanopaqueblobduringsynchronization.
ThemostrecentblobisstorediniCloudtoenablesynchronization,butitisn'tusedforanyotherpurpose.
Becauseit'sencryptedusingkeysthatareavailableonlyontheuser'siOS,iPadOS,andmacOSdevices,itscontentsareinaccessibleduringtransmissionandiCloudstorage.
122HomeKitdataisalsosynchronizedbetweenmultipleusersofthesamehome.
ThisprocessusesauthenticationandencryptionthatisthesameasthatusedbetweenaniOS,iPadOS,andmacOSdeviceandaHomeKitaccessory.
TheauthenticationisbasedonEd25519publickeysthatareexchangedbetweenthedeviceswhenauserisaddedtoahome.
Afteranewuserisaddedtoahome,allfurthercommunicationisauthenticatedandencryptedusingStation-to-Stationprotocolandper-sessionkeys.
TheuserwhoinitiallycreatedthehomeinHomeKitoranotheruserwitheditingpermissionscanaddnewusers.
Theowner'sdeviceconfigurestheaccessorieswiththepublickeyofthenewusersothattheaccessorycanauthenticateandacceptcommandsfromthenewuser.
Whenauserwitheditingpermissionsaddsanewuser,theprocessisdelegatedtoahomehubtocompletetheoperation.
TheprocesstoprovisionAppleTVforusewithHomeKitisperformedautomaticallywhentheusersignsintoiCloud.
TheiCloudaccountneedstohavetwo-factorauthenticationenabled.
AppleTVandtheowner'sdeviceexchangetemporaryEd25519publickeysoveriCloud.
Whentheowner'sdeviceandAppleTVareonthesamelocalnetwork,thetemporarykeysareusedtosecureaconnectionoverthelocalnetworkusingStation-to-Stationprotocolandper-sessionkeys.
ThisprocessusesauthenticationandencryptionthatisthesameasthatusedbetweenaniOS,iPadOS,andmacOSdeviceandaHomeKitaccessory.
Overthissecurelocalconnection,theowner'sdevicetransferstheuser'sEd25519public-privatekeypairstoAppleTV.
ThesekeysarethenusedtosecurethecommunicationbetweenAppleTVandtheHomeKitaccessoriesandalsobetweenAppleTVandotheriOS,iPadOS,andmacOSdevicesthatarepartoftheHomeKithome.
Ifauserdoesn'thavemultipledevicesanddoesn'tgrantadditionalusersaccesstotheirhome,noHomeKitdataissynchronizedtoiCloud.
HomedataandappsAccesstohomedatabyappsiscontrolledbytheuser'sPrivacysettings.
Usersareaskedtograntaccesswhenappsrequesthomedata,similartoContacts,Photos,andotheriOS,iPadOS,andmacOSdatasources.
Iftheuserapproves,appshaveaccesstothenamesofrooms,namesofaccessories,andwhichroomeachaccessoryisin,andotherinformationasdetailedintheHomeKitdeveloperdocumentationat:https://developer.
apple.
com/homekit/.
HomeKitandSiriSiricanbeusedtoqueryandcontrolaccessories,andtoactivatescenes.
MinimalinformationabouttheconfigurationofthehomeisprovidedanonymouslytoSiri,toprovidenamesofrooms,accessories,andscenesthatarenecessaryforcommandrecognition.
AudiosenttoSirimaydenotespecificaccessoriesorcommands,butsuchSiridataisn'tassociatedwithotherApplefeaturessuchasHomeKit.
HomeKit IP cameras
IP cameras in HomeKit send video and audio streams directly to the iOS, iPadOS, or macOS device on the local network that is accessing the stream. The streams are encrypted using randomly generated keys on the iOS, iPadOS, or macOS device and the IP camera, which are exchanged over the secure HomeKit session to the camera. When an iOS, iPadOS, or macOS device isn't on the local network, the encrypted streams are relayed through the home hub to the device. The home hub doesn't decrypt the streams and functions only as a relay between the iOS, iPadOS, or macOS device and the IP camera. When an app displays the HomeKit IP camera video view to the user, HomeKit renders the video frames securely from a separate system process, so the app is unable to access or store the video stream. In addition, apps aren't permitted to capture screenshots from this stream.
HomeKit Secure Video
HomeKit provides an end-to-end secure and private mechanism to record, analyze, and view clips from HomeKit IP cameras without exposing that video content to Apple or any third party. When motion is detected by the IP camera, video clips are sent directly to an Apple device acting as a home hub, using a dedicated local network connection between that home hub and the IP camera. The local network connection is encrypted with a per-session HKDF-SHA-512 derived key pair that is negotiated over the HomeKit session between the home hub and the IP camera. HomeKit decrypts the audio and video streams on the home hub and analyzes the video frames locally for any significant event. If a significant event is detected, HomeKit encrypts the video clip using AES-256-GCM with a randomly generated AES-256 key. HomeKit also generates poster frames for each clip, and these poster frames are encrypted using the same AES-256 key. The encrypted poster frame and audio and video data are uploaded to iCloud servers. The related metadata for each clip, including the encryption key, is uploaded to CloudKit using iCloud end-to-end encryption. When the Home app is used to view the clips for a camera, the data is downloaded from iCloud and the keys to decrypt the streams are unwrapped locally using iCloud end-to-end decryption. The encrypted video content is streamed from the servers and decrypted locally on the iOS device before it is displayed in the viewer. Each video clip session may be broken down into sub-sections, with each sub-section encrypting the content stream with its own unique key.
HomeKit routers
Routers that support HomeKit allow the user to improve the security of their home network by managing the Wi-Fi access that HomeKit accessories have to their local network and to the Internet. They also support PPSK authentication, so accessories can be added to the Wi-Fi network using a key that is specific to the accessory and can be revoked when needed. This improves security by not exposing the main Wi-Fi password to accessories, as well as allowing the router to securely identify an accessory even if it were to change its MAC address.
Using the Home app, a user can configure access restrictions for groups of accessories as follows:
- No restriction: Allow unrestricted access to the Internet and the local network.
- Automatic: This is the default setting. Allow access to the Internet and the local network based on a list of Internet sites and local ports provided to Apple by the accessory manufacturer. This list includes all sites and ports needed by the accessory in order to function properly. (No restriction is in place until such a list is available.)
- Restrict to Home: No access to the Internet or the local network except for the connections required by HomeKit to discover and control the accessory from the local network (including from the home hub to support remote control).
A PPSK is a strong, accessory-specific WPA2 Personal passphrase that is automatically generated by HomeKit, and revoked if and when the accessory is later removed from the home. A PPSK is used when an accessory is added to the Wi-Fi network by HomeKit in a home that has been configured with a HomeKit router. (Accessories that were added to the Wi-Fi network prior to adding the router retain their existing credentials.) As an additional security measure, the user must configure the HomeKit router using the router manufacturer's app, so that the app can validate that the user has access to the router and is allowed to add it to the Home app.
iCloud remote access for HomeKit accessories
Some legacy HomeKit accessories still require the ability to connect directly with iCloud to enable iOS, iPadOS, and macOS devices to control the accessory remotely when Bluetooth or Wi-Fi communication isn't available. Remote access via a home hub (such as HomePod, Apple TV, or iPad) is used preferentially whenever possible. iCloud remote access is still supported for legacy devices, and has been carefully designed so that accessories can be controlled and send notifications without revealing to Apple what the accessories are, or what commands and notifications are being sent. HomeKit doesn't send information about the home over iCloud remote access.
When a user sends a command using iCloud remote access, the accessory and the iOS, iPadOS, or macOS device are mutually authenticated and data is encrypted using the same procedure described for local connections. The contents of the communications are encrypted and not visible to Apple. The addressing through iCloud is based on the iCloud identifiers registered during the setup process.
Accessories that support iCloud remote access are provisioned during the accessory's setup process. The provisioning process begins with the user signing in to iCloud. Next, the iOS or iPadOS device asks the accessory to sign a challenge using the Apple Authentication Coprocessor that's built into all Built for HomeKit accessories. The accessory also generates prime256v1 elliptic curve keys, and the public key is sent to the iOS or iPadOS device along with the signed challenge and the X.509 certificate of the authentication coprocessor. These are used to request a certificate for the accessory from the iCloud provisioning server. The certificate is stored by the accessory, but it doesn't contain any identifying information about the accessory, other than that it has been granted access to HomeKit iCloud remote access. The iOS or iPadOS device that is conducting the provisioning also sends a bag to the accessory, which contains the URLs and other information needed to connect to the iCloud remote access server. This information isn't specific to any user or accessory.
Each accessory registers a list of allowed users with the iCloud remote access server. These users have been granted the ability to control the accessory by the user who added the accessory to the home. Users are granted an identifier by the iCloud server and can be mapped to an iCloud account for the purpose of delivering notification messages and responses from the accessories. Similarly, accessories have iCloud-issued identifiers, but these identifiers are opaque and don't reveal any information about the accessory itself.
When an accessory connects to the HomeKit iCloud remote access server, it presents its certificate and a pass. The pass is obtained from a different iCloud server, and it isn't unique for each accessory. When an accessory requests a pass, it includes its manufacturer, model, and firmware version in its request. No user-identifying or home-identifying information is sent in this request. To help protect privacy, the connection to the pass server isn't authenticated.
Accessories connect to the iCloud remote access server using HTTP/2, secured using TLS v1.2 with AES-128-GCM and SHA-256. The accessory keeps its connection to the iCloud remote access server open so that it can receive incoming messages and send responses and outgoing notifications to iOS, iPadOS, and macOS devices.
HomeKit TV Remote accessories
Third-party HomeKit TV Remote accessories provide Human Interface Device (HID) events and Siri audio to an associated Apple TV that was added using the Home app. The HID events are sent over the secure session between Apple TV and the Remote. A Siri-capable TV Remote sends audio data to Apple TV when the user explicitly activates the microphone on the Remote using a dedicated Siri button. The audio frames are sent directly to the Apple TV using a dedicated local network connection between Apple TV and the Remote. The local network connection is encrypted with a per-session HKDF-SHA-512 derived key pair that is negotiated over the HomeKit session between Apple TV and the TV Remote. HomeKit decrypts the audio frames on Apple TV and forwards them to the Siri app, where they are treated with the same privacy protections as all Siri audio input.
Apple TV profiles for HomeKit homes
When a user of a HomeKit home adds their profile to the home owner's Apple TV, it gives that user access to their TV shows, music, and podcasts. Settings for each user regarding their profile use on the Apple TV are shared to the owner's iCloud account using iCloud end-to-end encryption. The data is owned by each user and is shared as read-only to the owner. Each user of the home can change these values from the Home app, and the owner's Apple TV uses these settings. When a setting is turned on, the iTunes account of the user is made available on the Apple TV. When a setting is turned off, all account information and data pertaining to that user is deleted on the Apple TV. The initial CloudKit share is initiated by the user's device, and the token to establish the secure CloudKit share is sent over the same secure channel that is used to synchronize data between users of the home.
HealthKit
HealthKit overview
HealthKit stores and aggregates data from health and fitness apps and healthcare institutions. HealthKit also works directly with health and fitness devices, such as compatible Bluetooth Low Energy (BLE) heart rate monitors and the motion coprocessor built into many iOS devices. All HealthKit interaction with health and fitness apps, healthcare institutions, and health and fitness devices requires the permission of the user. This data is stored in Data Protection class Protected Unless Open. Access to the data is relinquished 10 minutes after the device locks, and the data becomes accessible the next time the user enters their passcode or uses Touch ID or Face ID to unlock the device.
HealthKit also aggregates management data, such as access permissions for apps, names of devices connected to HealthKit, and scheduling information used to launch apps when new data is available. This data is stored in Data Protection class Protected Until First User Authentication.
Temporary journal files store health records that are generated when the device is locked, such as when the user is exercising. These are stored in Data Protection class Protected Unless Open. When the device is unlocked, the temporary journal files are imported into the primary health databases, then deleted when the merge is completed.
Health data can be stored in iCloud. End-to-end encryption for Health data requires iOS 12 or later and two-factor authentication. Otherwise, the user's data is still encrypted in storage and transmission but isn't encrypted end-to-end. After the user turns on two-factor authentication and updates to iOS 12 or later, the user's Health data is migrated to end-to-end encryption. If the user backs up their device using iTunes (in macOS 10.14 or earlier) or the Finder (macOS 10.15 or later), Health data is stored only if the backup is encrypted.
Clinical health records and Health data integrity
Clinical health records
Users can sign in to supported health systems within the Health app to obtain a copy of their clinical health records. When connecting a user to a health system, the user authenticates using OAuth 2 client credentials. After connecting, clinical health record data is downloaded directly from the health institution using a TLS v1.3 protected connection. Once downloaded, clinical health records are securely stored alongside other Health data.
Health data integrity
Data stored in the database includes metadata to track the provenance of each data record. This metadata includes an app identifier that identifies which app stored the record. Additionally, an optional metadata item can contain a digitally signed copy of the record. This is intended to provide data integrity for records generated by a trusted device. The format used for the digital signature is the Cryptographic Message Syntax (CMS) specified in RFC 5652.
Health data access by third-party apps
Access to the HealthKit API is controlled with entitlements, and apps must conform to restrictions about how the data is used. For example, apps aren't allowed to use health data for advertising. Apps are also required to provide users with a privacy policy that details their use of health data.
Access to health data by apps is controlled by the user's Privacy settings. Users are asked to grant access when apps request access to health data, similar to Contacts, Photos, and other iOS data sources. However, with health data, apps are granted separate access for reading and writing data, as well as separate access for each type of health data. Users can view, and revoke, permissions they've granted for accessing health data under Settings > Health > Data Access & Devices.
If granted permission to write data, apps can also read the data they write. If granted permission to read data, they can read data written by all sources. However, apps can't determine the access granted to other apps. In addition, apps can't conclusively tell whether they have been granted read access to health data. When an app doesn't have read access, all queries return no data, the same response an empty database would return. This prevents apps from inferring the user's health status by learning which types of data the user is tracking.
Medical ID for users
The Health app gives users the option of filling out a Medical ID form with information that could be important during a medical emergency. The information is entered or updated manually and isn't synchronized with the information in the health databases. The Medical ID information is viewed by tapping the Emergency button on the Lock screen. The information is stored on the device using Data Protection class No Protection so that it's accessible without having to enter the device passcode. Medical ID is an optional feature that enables users to decide how to balance safety and privacy concerns. This data is backed up in iCloud Backup and isn't synced between devices using CloudKit.
CloudKit
CloudKit allows app developers to store key-value data, structured data, and assets in iCloud. Access to CloudKit is controlled using app entitlements. CloudKit supports both public and private databases. Public databases are used by all copies of the app, typically for general assets, and aren't encrypted. Private databases store the user's data.
As with iCloud Drive, CloudKit uses account-based keys to protect the information stored in the user's private database and, similar to other iCloud services, files are chunked, encrypted, and stored using third-party services. CloudKit uses a hierarchy of keys, similar to Data Protection. The per-file keys are wrapped by CloudKit Record keys. The Record keys, in turn, are protected by a zone-wide key, which is protected by the user's CloudKit Service Key. The CloudKit Service Key is stored in the user's iCloud account and is available only after the user has authenticated with iCloud.
[Figure: CloudKit end-to-end encryption]
SiriKit
Siri uses the app extension system to communicate with third-party apps. Siri on the device can access the user's contact information and the device's current location. But before it provides protected data to an app, Siri checks the app's user-controlled access permissions. According to those permissions, Siri passes only the relevant fragment of the original user utterance to the app extension. For example, if an app does not have access to contact information, Siri won't resolve a relationship in a user request such as "Pay my mother 10 dollars using PaymentApp." In this case, the app would see only the literal term "my mother." However, if the user has granted the app access to contact information, the app would receive resolved information about the user's mother. If a relationship is referenced in the body portion of a message, for example, "Tell my mother on MessageApp that my brother is awesome," Siri does not resolve "my brother" regardless of the app's permissions.
SiriKit-enabled apps can send app-specific or user-specific vocabulary to Siri, such as the names of the user's contacts. This information allows Siri's speech recognition and natural language understanding to recognize vocabulary for that app, and is associated with a random identifier. The custom information remains available as long as the identifier is in use, or until the user disables the app's Siri integration in Settings, or until the SiriKit-enabled app is uninstalled.
For an utterance like "Get me a ride to my mom's home using RideShareApp," the request requires location data from the user's contacts. For that request only, Siri provides the required information to the app's extension, regardless of the user permission settings for location or contact information for the app.
DriverKit
macOS 10.15 uses system extensions to help developers maintain extensions inside their app rather than requiring kernel extensions ("kexts"). This makes for easier installation and increases the stability and security of macOS. DriverKit is the framework that allows developers to create device drivers that the user installs on their Mac. Drivers built with DriverKit run in user space, rather than as kernel extensions, for improved system security and stability. The user simply downloads the app (installers aren't necessary when using system extensions or DriverKit) and the extension is enabled only when required. System extensions replace kexts for many use cases; kexts require administrator privileges to install in /System/Library or /Library.
IT administrators who use device drivers, cloud storage solutions, networking, and security apps that require kernel extensions are encouraged to move to newer versions that are built on system extensions. These newer versions greatly reduce the possibility of kernel panics on the Mac as well as reducing the attack surface. These new extensions run in user space, don't require the special privileges needed for kext installation, and are automatically removed when the bundling app is moved to the Trash.
The DriverKit framework provides C++ classes for IO services, device matching, memory descriptors, and dispatch queues. It also defines IO-appropriate types for numbers, collections, strings, and other common types. Developers use these with family-specific driver frameworks like USBDriverKit and HIDDriverKit.
ReplayKit
ReplayKit movie recording
ReplayKit is a framework that allows developers to add recording and live broadcasting capabilities to their apps. In addition, it allows users to annotate their recordings and broadcasts using the device's front-facing camera and microphone.
Movie recording
There are several layers of security built into recording a movie:
- Permissions dialog: Before recording starts, ReplayKit presents a user consent alert requesting that the user acknowledge their intent to record the screen, the microphone, and the front-facing camera. This alert is presented once per app process, and it's presented again if the app is left in the background for longer than 8 minutes.
- Screen and audio capture: Screen and audio capture occurs out of the app's process, in ReplayKit's daemon, replayd. This ensures the recorded content is never accessible to the app process.
- In-app screen and audio capture: This allows an app to get video and sample buffers, and is guarded by the permissions dialog.
- Movie creation and storage: The movie file is written to a directory that's only accessible to ReplayKit's subsystems and is never accessible to any apps. This prevents recordings being used by third parties without the user's consent.
- End-user preview and sharing: The user has the ability to preview and share the movie with UI vended by ReplayKit. The UI is presented out-of-process through the iOS Extension infrastructure and has access to the generated movie file.
ReplayKit broadcasting
There are several layers of security built into broadcasting:
- Screen and audio capture: The screen and audio capture mechanism during broadcasting is identical to movie recording and occurs in replayd.
- Broadcast extensions: For third-party services to participate in ReplayKit broadcasting, they're required to create two new extensions that are configured with the com.apple.broadcast-services endpoint: a UI extension that allows the user to set up their broadcast, and an upload extension that handles uploading video and audio data to the service's back-end servers. The architecture ensures that hosting apps have no privileges to the broadcast video and audio contents; only ReplayKit and the third-party broadcast extensions have access.
- Broadcast picker: With the broadcast picker, users initiate system broadcasts directly from their app using the same system-defined UI that's accessible using Control Center. The UI is implemented using the UIRemoteViewController SPI and is an extension that lives within the ReplayKit framework. It is out-of-process from the hosting app.
- Upload extension: The upload extension that third-party broadcast services implement to handle video and audio content during broadcasting uses raw unencoded sample buffers. During this mode of handling, video and audio data is serialized and passed to the third-party upload extension in real time through a direct XPC connection. Video data is encoded by extracting the IOSurface object from the video sample buffer, encoding it securely as an XPC object, sending it over XPC to the third-party extension, and decoding it securely back into an IOSurface object.
Camera and ARKit
Apple designed cameras with privacy in mind, and third-party apps must obtain the user's consent before accessing the Camera. In iOS and iPadOS, when a user grants an app access to their Camera, that app can access real-time images from the front and rear cameras. Apps aren't allowed to use the camera without transparency that the camera is in use.
Photos and videos taken with the camera may contain other information, such as where and when they were taken, the depth of field, and overcapture. If the user doesn't want photos and videos taken with the Camera app to include location, they can control this at any time by going to Settings > Privacy > Location Services > Camera. If the user doesn't want photos and video to include location when shared, they can turn location off in the Options menu in the share sheet.
To better position the user's AR experience, apps that use ARKit can use world- or face-tracking information from the other camera. World tracking uses algorithms on the user's device to process information from these sensors to determine their position relative to a physical space. World tracking enables features such as Optical Heading in Maps.
Secure Device Management
Secure device management overview
iOS, iPadOS, macOS, and tvOS support flexible security policies and configurations that are easy to enforce and manage. Through them, organizations can protect corporate information and ensure that employees meet enterprise requirements, even if they are using devices they've provided themselves, for example, as part of a "bring your own device" (BYOD) program. Organizations can use resources such as password protection, configuration profiles, remote wipe, and third-party mobile device management (MDM) solutions to manage fleets of devices and help keep corporate data secure, even when employees access this data on their personal devices.
With iOS 13, iPadOS 13.1, and macOS 10.15, Apple devices support a new user enrollment option specifically designed for BYOD programs. User enrollments provide more autonomy for users on their own devices, while increasing the security of enterprise data by storing it on a separate, cryptographically protected APFS volume. This provides a better balance of security, privacy, and user experience for BYOD programs.
Pairing model
iOS and iPadOS use a pairing model to control access to a device from a host computer. Pairing establishes a trust relationship between the device and its connected host, signified by public key exchange. iOS and iPadOS also use this sign of trust to enable additional functionality with the connected host, such as data synchronization. In iOS 9 or later, services:
- that require pairing can't be started until after the device has been unlocked by the user
- won't start unless the device has been recently unlocked
- may (such as photo syncing) require the device to be unlocked to begin
The pairing process requires the user to unlock the device and accept the pairing request from the host. In iOS 9 or later, the user is also required to enter their passcode, after which the host and device exchange and save 2048-bit RSA public keys. The host is then given a 256-bit key that can unlock an escrow keybag stored on the device. The exchanged keys are used to start an encrypted SSL session, which the device requires before it sends protected data to the host or starts a service (iTunes or Finder syncing, file transfers, Xcode development, and so on). For a host to use this encrypted session over Wi-Fi, the device requires that the host was previously paired over USB. Pairing also enables several diagnostic capabilities. In iOS 9, if a pairing record hasn't been used for more than six months, it expires. In iOS 11 or later, this timeframe is shortened to 30 days.
Certain services, including com.apple.pcapd, are restricted to work only over USB. Additionally, the com.apple.file_relay service requires an Apple-signed configuration profile to be installed. In iOS 11 or later, Apple TV can use the Secure Remote Password protocol to wirelessly establish a pairing relationship. A user can clear the list of trusted hosts with the Reset Network Settings or Reset Location & Privacy options.
Passcode and password settings management
By default, the user's passcode can be defined as a numeric PIN. On iOS and iPadOS devices with Touch ID or Face ID, the minimum passcode length is four digits. Because longer and more complex passcodes are harder to guess or attack, they are recommended. Administrators can enforce complex passcode requirements and other policies using mobile device management (MDM) or Microsoft Exchange ActiveSync, or by requiring users to manually install configuration profiles. An administrator password is needed to install the macOS passcode policy payload. Some passcode policies are:
- Allow simple value
- Require alphanumeric value
- Minimum passcode and password length
- Minimum number of complex characters
- Maximum passcode and password age
- Passcode and password history
- Auto-lock timeout
- Grace period for device lock
- Maximum number of failed attempts
- Allow Touch ID or Face ID
Configuration enforcement
A configuration profile is an XML file that allows an administrator to distribute configuration information to iOS, iPadOS, macOS, and tvOS devices. In iOS, iPadOS, and tvOS, most settings that are defined by an installed configuration profile can't be changed by the user. If the user deletes a configuration profile, all the settings defined by the profile are also removed. In this manner, administrators can enforce settings by tying policies to Wi-Fi and data access. For example, a configuration profile that provides an email configuration can also specify a device passcode policy. Users won't be able to access mail unless their passcode meets the administrator's requirements.
Profile settings
A configuration profile contains a number of settings in specific payloads that can be specified, including (but not limited to):
- Passcode and password policies
- Restrictions on device features (for example, disabling the camera)
- Wi-Fi settings
- VPN settings
- Account settings
- LDAP directory service settings
- CalDAV calendar service settings
- Credentials and keys
- Software updates
Profile signing and encryption
Configuration profiles can be signed to validate their origin and integrity, and encrypted to protect their contents. Configuration profiles for iOS and iPadOS are encrypted using the Cryptographic Message Syntax (CMS) specified in RFC 3852 (since obsoleted by RFC 5652), supporting 3DES and AES-128.
Profile installation
Users can install configuration profiles directly on their devices using Apple Configurator 2, or profiles can be downloaded using Safari, sent attached to a mail message, transferred using AirDrop or the Files app on iOS and iPadOS, or sent over the air using a mobile device management (MDM) solution. When a user sets up a device in Apple School Manager or Apple Business Manager, the device downloads and installs a profile for MDM enrollment.
Profile removal
Removing configuration profiles depends on how they were installed. The following sequence indicates how a configuration profile can be removed:
1. All profiles can be removed by wiping the device of all data.
2. If the profile is assigned to the device using Apple School Manager or Apple Business Manager, it can be removed by the MDM solution and, optionally, by the user.
3. If the profile is installed by an MDM solution, it can be removed by that specific MDM solution or by the user unenrolling from MDM by removing the enrollment configuration profile.
4. If the profile is installed on a supervised device using Apple Configurator 2, that supervising instance of Apple Configurator 2 can remove the profile.
5. If the profile is installed on a supervised device manually or using Apple Configurator 2 and the profile has a removal password payload, the user must enter the removal password to remove the profile.
6. All other profiles can be removed by the user.
An account installed by a configuration profile can be removed by removing the profile. A Microsoft Exchange ActiveSync account, including one installed using a configuration profile, can be removed by the Microsoft Exchange Server by issuing the account-only remote wipe command. On supervised devices, configuration profiles can also be locked to a device to completely prevent their removal, or to allow removal only with a passcode. Since many enterprise users own their iOS and iPadOS devices, configuration profiles that bind a device to an MDM solution can be removed, but doing so also removes all managed configuration information, data, and apps.
Mobile device management (MDM)
Apple operating systems support mobile device management (MDM), which allows organizations to securely configure and manage scaled Apple device deployments. MDM capabilities are built on existing OS technologies, such as configuration profiles, over-the-air enrollment, and the Apple Push Notification service (APNs). For example, APNs is used to wake the device so it can communicate directly with its MDM solution over a secured connection. No confidential or proprietary information is transmitted with APNs.
Using MDM, IT departments can enroll Apple devices in an enterprise environment, wirelessly configure and update settings, monitor compliance with corporate policies, manage software update policies, and even remotely wipe or lock managed devices. In addition to the traditional device enrollments supported by iOS, iPadOS, macOS, and tvOS, a new enrollment type has been added in iOS 13, iPadOS 13.1, and macOS 10.15: User Enrollment. User enrollments are MDM enrollments specifically targeting "bring your own device" (BYOD) deployments where the device is personally owned but used in a managed environment. User enrollments grant the MDM solution more limited privileges than unsupervised device enrollments, and provide cryptographic separation of user and corporate data.
Enrollment types
- User Enrollment: User Enrollment is designed for devices owned by the user and is integrated with Managed Apple IDs to establish a user identity on the device. Managed Apple IDs are part of the User Enrollment profile, and the user must successfully authenticate in order for enrollment to be completed. Managed Apple IDs can be used alongside a personal Apple ID that the user has already signed in with, and the two don't interact with each other.
- Device Enrollment: Device Enrollment allows organizations to manually enroll devices and manage many different aspects of device use, including the ability to erase the device. If a user removes the MDM profile, all settings and apps that are being managed by the MDM solution are removed.
- Automated Device Enrollment: Automated Device Enrollment lets organizations configure and manage Apple devices from the moment the devices are removed from the box (known as zero-touch deployment). These devices become supervised, and the MDM profile can't be removed by the user. Automated Device Enrollment is designed for devices owned by the organization.
Automated Device Enrollment
Organizations can automatically enroll iOS, iPadOS, macOS, and tvOS devices in mobile device management (MDM) without having to physically touch or prepare the devices before users get them. After enrolling in one of the services, administrators sign in to the service website and link the program to their MDM solution. The devices they purchased can then be assigned to users through MDM. During the device configuration process, the security of sensitive data can be increased by ensuring appropriate security measures are in place. For example:
- Have users authenticate as part of the initial setup flow in the Apple device's Setup Assistant during activation
- Provide a preliminary configuration with limited access and require additional device configuration to access sensitive data
After a user has been assigned, any MDM-specified configurations, restrictions, or controls are automatically installed. All communications between devices and Apple servers are encrypted in transit through HTTPS (TLS). The setup process for users can be further simplified by removing specific steps in the Setup Assistant for devices, so users are up and running quickly. Administrators can also control whether or not the user can remove the MDM profile from the device, and ensure that device restrictions are in place throughout the lifecycle of the device. After the device is unboxed and activated, it can enroll in the organization's MDM solution, and all management settings, apps, and books are installed as defined by the MDM administrator.
Apple School Manager and Apple Business Manager
Apple School Manager and Apple Business Manager are services for IT administrators to deploy Apple devices that an organization has purchased directly from Apple or through participating Apple Authorized Resellers and Carriers. When used with a mobile device management (MDM) solution, administrators, employees, staff, and teachers can configure device settings and buy and distribute apps and books. Apple School Manager integrates with Student Information Systems (SISs), SFTP, and Microsoft Azure AD using federated authentication, so administrators can quickly create accounts with school rosters and classes. Devices with iOS 11 or later and tvOS 10.2 or later can also be added to Apple School Manager and Apple Business Manager after the time of purchase using Apple Configurator 2.
Apple Inc. maintains certifications in compliance with the ISO/IEC 27001 and 27018 standards to enable Apple customers to address their regulatory and contractual obligations. These certifications provide customers with an independent attestation over Apple's information security and privacy practices for in-scope systems. For more information, see the Apple Support article Apple Internet Services Certifications.
Note: To learn whether an Apple program is available in a specific country or region, see the Apple Support article Availability of Apple programs for education and business.
Apple Configurator 2
Apple Configurator 2 features a flexible, secure, device-centric design that enables an administrator to quickly and easily configure one or dozens of iOS, iPadOS, and tvOS devices connected to a Mac through USB before handing them out to users. With Apple Configurator 2, an administrator can update software, install apps and configuration profiles, rename devices and change their wallpaper, export device information and documents, and much more. Administrators can also choose to add iOS, iPadOS, and tvOS devices to Apple School Manager or Apple Business Manager using Apple Configurator 2, even if the devices weren't purchased directly from Apple, an Apple Authorized Reseller, or an authorized cellular carrier. When the administrator sets up a device that has been manually enrolled, it behaves like any other enrolled device, with mandatory supervision and mobile device management (MDM) enrollment. For devices that weren't purchased directly, the user has a 30-day provisional period to remove the device from enrollment, supervision, and MDM. The 30-day provisional period begins after the device is activated.
Device supervision
During device setup, an organization can configure that device to be supervised. Supervision denotes that the device is owned by the organization, which provides additional control over its configuration and restrictions. With Apple School Manager or Apple Business Manager, supervision can be wirelessly enabled on the device as part of the mobile device management (MDM) enrollment process for iOS, iPadOS, macOS, and tvOS devices, or enabled manually using Apple Configurator 2 for iOS, iPadOS, and tvOS devices. In iOS, iPadOS, and tvOS, supervising a device requires the device to be erased.
The following devices can be supervised:
- iPhone, iPad, and iPod touch with iOS 5 or later
- Apple TV with tvOS 10.2 or later
The following devices are supervised automatically when enrolled in Apple School Manager or Apple Business Manager:
- iOS devices with iOS 13 or later
- iPad with iPadOS 13.1 or later
- Apple TV with tvOS 13 or later
- Mac computers with macOS 10.15 or later
Device restrictions
Restrictions can be enabled, or in some cases disabled, by administrators to prevent users from accessing a specific app, service, or function of the device. Restrictions are sent to devices in a restrictions payload, which is part of a configuration profile. Restrictions can be applied to iOS, iPadOS, macOS, and tvOS devices. Certain restrictions on an iPhone may be mirrored on a paired Apple Watch.
Activation Lock

Managing Activation Lock lets an organization benefit from its theft-deterrent functionality while simultaneously providing them the ability to remove Activation Lock from devices their organization owns. Activation Lock management can be used on iPhone, iPad, iPod touch, and Mac computers that appear in Apple School Manager or Apple Business Manager and are enrolled in a mobile device management (MDM) solution. Depending on the device, an organization can choose to enable or allow Activation Lock. Enabling Activation Lock means the MDM solution (not the user) contacts Apple servers to lock or unlock the device. In contrast, allowing Activation Lock lets users lock devices the organization owns with their iCloud account.

Enable or disable Activation Lock on iPhone, iPad, and iPod touch

Activation Lock can be enabled by an MDM solution at any time for devices in Apple School Manager or Apple Business Manager without users being able to disable it or requiring users to enable Find My on their device. This is especially helpful for users with Managed Apple IDs from Apple School Manager or Apple Business Manager, because Managed Apple IDs can't use the Find My service. Once enabled, MDM is used to remotely remove the device from Activation Lock when desired, or, if the organization has physical possession of the device, they can:
- Enter the MDM Activation Lock bypass code on the Activation Lock screen.
- Enter the user name and password of the Device Manager from Apple School Manager or Apple Business Manager who created the device enrollment token that links the MDM solution to Apple School Manager or Apple Business Manager.

Allow Activation Lock on iPhone, iPad, iPod touch, and Mac

Organizations can use an MDM solution to allow Activation Lock on a supervised device. This lets them benefit from its theft-deterrent functionality, while still letting them bypass the feature if a user is unable to authenticate with their Apple ID for any reason, including if they've left the organization. Since Activation Lock is disallowed by default on supervised devices, the MDM solution can store a bypass code when Activation Lock is enabled. This bypass code can be used to clear Activation Lock automatically when the device needs to be erased and assigned to a new user. The MDM solution can retrieve a bypass code and allow the user to enable Activation Lock on the device based on the following:
- If Find My is turned on when the MDM solution allows Activation Lock, Activation Lock is enabled at that time.
- If Find My is turned off when the MDM solution allows Activation Lock, Activation Lock is enabled the next time the user activates Find My.

In iOS and iPadOS, the bypass codes are available for up to 15 days after the device is first supervised, or until an MDM solution has obtained—and then cleared—the code explicitly. If an MDM solution hasn't retrieved the bypass code within 15 days, that bypass code is unretrievable.

Note: On Mac computers running macOS 10.15, Activation Lock can't be enabled using MDM, but the user can be prevented from enabling Activation Lock when they enable Find My. If Mac computers with an Apple T2 Security Chip are using user-approved MDM and are upgraded to macOS 10.15, Activation Lock is also disallowed by default. Managing Activation Lock on installations (not upgrades) of macOS 10.15 requires the device to be added to Apple School Manager or Apple Business Manager and enrolled in MDM.

Bypass codes and recovery keys

The bypass codes and recovery keys that the MDM solution uses to manage Activation Lock are crucial to the ability to clear Activation Lock. These bypass codes and recovery keys should be secured and backed up regularly. If a change in MDM vendors is made, it is critical to keep a copy of bypass codes and recovery keys or to clear Activation Lock for all enrolled devices.
Lost Mode, remote wipe, and remote lock

Lost Mode

If a supervised iOS or iPadOS device with iOS 9 or later is lost or stolen, an MDM administrator can remotely enable Lost Mode on that device. When Lost Mode is enabled, the current user is logged out and the device can't be unlocked. The screen displays a message that can be customized by the administrator, such as displaying a phone number to call if the device is found. When the device is put into Lost Mode, the administrator can request the device to send its current location and, optionally, play a sound. When an administrator turns off Lost Mode, which is the only way the mode can be exited, the user is informed of this action through a message on the Lock screen or an alert on the Home screen.

Remote wipe and remote lock

iOS, iPadOS, and macOS devices can be erased remotely by an administrator or user (instant remote wipe is available only if the Mac has FileVault enabled). Instant remote wipe is achieved by securely discarding the media key from Effaceable Storage, rendering all data unreadable. A remote wipe command can be initiated by mobile device management (MDM), Microsoft Exchange ActiveSync, or iCloud. On a Mac, the computer sends an acknowledgment and performs the wipe. With a remote lock, MDM requires that a six-digit passcode be applied to the Mac, rendering any user locked out until this passcode is typed in.

When a remote wipe command is triggered by MDM or iCloud, the device sends an acknowledgment and performs the wipe. For remote wipe through Microsoft Exchange ActiveSync, the device checks in with the Microsoft Exchange Server before performing the wipe.

Remote wipe is not possible in two situations:
- With User Enrollment
- Using Microsoft Exchange ActiveSync when the account that was installed with User Enrollment

Users can also wipe iOS and iPadOS devices in their possession using the Settings app. And as mentioned, devices can be set to automatically wipe after a series of failed passcode attempts.
Shared iPad

Shared iPad overview

Shared iPad is a multiuser mode for use in iPad deployments. It allows users to share an iPad while maintaining separation of documents and data for each user. Each user gets their own private, reserved storage location, which is implemented as an APFS volume protected by the user's credential. Shared iPad requires the use of a Managed Apple ID that is issued and owned by the organization and enables a user to sign in to any organizationally owned device that is configured for use by multiple users. User data is partitioned into separate directories, each in their own data protection domains and protected by both UNIX permissions and sandboxing. In iPadOS 13.4 or later, users can also sign in to a temporary session. When the user signs out of a temporary session, their APFS volume is deleted, and its reserved space is returned to the system.
Sign in to Shared iPad

Both native and federated Managed Apple IDs are supported when signing in to Shared iPad. When using a federated account for the first time, the user is redirected to the Identity Provider's (IdP) sign-in portal. After authenticating, a short-lived access token is issued for the backing Managed Apple ID—and the login process proceeds similarly to the native Managed Apple ID sign-in process. Once signed in, Setup Assistant on Shared iPad prompts the user to establish a passcode (credential) used to secure the local data on the device and to authenticate to the login screen in the future. Like a single-user device, where the user would sign in once to their Managed Apple ID using their federated account and then unlock their device with their passcode, on Shared iPad the user signs in once using their federated account and from then on uses their established passcode.

When a user signs in without federated authentication, the Managed Apple ID is authenticated with Apple Identity Service (IDS) using the SRP protocol. If authentication is successful, a short-lived access token specific to the device is granted.
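The SRP step above is worth seeing end to end, because its security property (the server stores a verifier, never the password, and neither side sends anything that lets an eavesdropper test password guesses offline) is what makes it suitable for authenticating a Managed Apple ID. The following is an added example of an SRP-6a exchange with both sides' messages; it is not Apple's or IDS's code. Apple's group, hash and message encoding are not given in this document, so the example assumes the RFC 5054 1024-bit group with SHA-256 (as this example's choice), and the username and passwords are constructed test values.

```python
"""SRP-6a password-authenticated key exchange, both sides (added example)."""

import hashlib
import hmac
import secrets

# RFC 5054 1024-bit group: prime N and generator g (chosen here for brevity).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
NBYTES = (N.bit_length() + 7) // 8


def _h(*parts: bytes) -> int:
    """Hash-to-integer: SHA-256 over the concatenated parts (this example's choice)."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def _pad(x: int) -> bytes:
    return x.to_bytes(NBYTES, "big")


K_MULT = _h(_pad(N), _pad(g)) % N   # SRP-6a multiplier k = H(N, PAD(g))


def _private_x(salt: bytes, username: str, password: str) -> int:
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return _h(salt, inner)


def enroll(username: str, password: str) -> tuple:
    """Server-side enrollment: the server keeps (salt, verifier), never the password."""
    salt = secrets.token_bytes(16)
    verifier = pow(g, _private_x(salt, username, password), N)
    return salt, verifier


class SrpClient:
    def __init__(self, username: str, password: str):
        self.username, self.password = username, password
        self.a = secrets.randbits(256) | 1        # ephemeral private value
        self.A = pow(g, self.a, N)                # public value sent with the username

    def session_key(self, salt: bytes, B: int) -> bytes:
        if B % N == 0:
            raise ValueError("illegal server value B")      # RFC 5054 sanity check
        u = _h(_pad(self.A), _pad(B))
        x = _private_x(salt, self.username, self.password)
        base = (B - K_MULT * pow(g, x, N)) % N   # equals g^b only if the password is right
        S = pow(base, self.a + u * x, N)
        return hashlib.sha256(_pad(S)).digest()


class SrpServer:
    def __init__(self, salt: bytes, verifier: int):
        self.salt, self.v = salt, verifier
        self.b = secrets.randbits(256) | 1
        self.B = (K_MULT * self.v + pow(g, self.b, N)) % N   # sent with the salt

    def session_key(self, A: int) -> bytes:
        if A % N == 0:
            raise ValueError("illegal client value A")
        u = _h(_pad(A), _pad(self.B))
        S = pow((A * pow(self.v, u, N)) % N, self.b, N)
        return hashlib.sha256(_pad(S)).digest()


def run_exchange(username: str, enrolled_password: str, offered_password: str) -> bool:
    """Full exchange; True when the client proves knowledge of the enrolled password."""
    salt, verifier = enroll(username, enrolled_password)
    client = SrpClient(username, offered_password)
    server = SrpServer(salt, verifier)
    # Message 1: client -> server   (username, A)
    # Message 2: server -> client   (salt, B)
    k_client = client.session_key(salt, server.B)
    k_server = server.session_key(client.A)
    # Message 3: client -> server   M1 = H(A, B, K); the server verifies M1 before
    # issuing anything (here, the short-lived token described above).
    m1 = hashlib.sha256(_pad(client.A) + _pad(server.B) + k_client).digest()
    expected = hashlib.sha256(_pad(client.A) + _pad(server.B) + k_server).digest()
    return hmac.compare_digest(m1, expected)
```

With the correct password both sides compute the same S (client: (g^b)^(a+ux); server: (g^a · g^(xu))^b), so M1 verifies; with a wrong password the client's base is not g^b and the proof fails, while the transcript (A, B, M1) gives an observer nothing to test guesses against without solving a discrete-log problem.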
If the user has used the device before, they already have a local user account, which is unlocked using the same credential. If the user hasn't used the device before or is using the temporary session feature, Shared iPad provisions a new UNIX user ID, an APFS volume to store the user's personal data, and a local keychain. Because storage is allocated (reserved) for the user at the time the APFS volume is created, there may be insufficient space to create a new volume. In such an event, the system will identify an existing user whose data has finished syncing to the cloud and evict that user from the device in order to allow the new user to sign in. In the unlikely event that all existing users haven't completed uploading their cloud data, the new user sign in fails. To sign in, the new user will need to wait for one user's data to finish syncing, or have an administrator forcibly delete an existing user account, thereby risking data loss.
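The reservation and eviction rules just described amount to a small allocation policy: space is reserved per volume at sign-in, only a user whose data has finished syncing may lose that volume, and when no such user exists the sign-in fails rather than silently discarding data. The model below is an added example of that policy, not Apple's implementation; the class names, byte sizes and Managed Apple IDs are constructed for illustration.

```python
"""Shared iPad storage reservation and eviction policy (added illustrative model)."""

from dataclasses import dataclass, field


@dataclass
class LocalUser:
    """A local Shared iPad account and its reserved APFS volume (constructed model)."""
    managed_apple_id: str
    reserved_bytes: int
    synced_to_cloud: bool      # has background sync to iCloud finished since sign-out?
    temporary: bool = False    # temporary sessions delete their volume at sign-out


class SignInError(Exception):
    """No volume can be reserved for the new user."""


@dataclass
class SharedIPadStorage:
    capacity_bytes: int
    users: dict = field(default_factory=dict)    # managed_apple_id -> LocalUser

    def free_bytes(self) -> int:
        return self.capacity_bytes - sum(u.reserved_bytes for u in self.users.values())

    def sign_in(self, managed_apple_id: str, quota_bytes: int, temporary: bool = False) -> list:
        """Unlock an existing local account or provision a new reserved volume.
        Returns the Managed Apple IDs evicted to make room (empty when none)."""
        if managed_apple_id in self.users:
            return []   # returning user: volume already reserved, unlocked with the same credential
        evicted = []
        while self.free_bytes() < quota_bytes:
            victim = self._evictable_user()
            if victim is None:
                # Nobody has finished uploading: fail the sign-in rather than risk data
                # loss. An administrator may still delete an account explicitly.
                raise SignInError("insufficient space and no fully synced user to evict")
            del self.users[victim.managed_apple_id]
            evicted.append(victim.managed_apple_id)
        self.users[managed_apple_id] = LocalUser(managed_apple_id, quota_bytes, False, temporary)
        return evicted

    def _evictable_user(self):
        """Only a user whose data has finished syncing to the cloud may lose their volume."""
        candidates = [u for u in self.users.values() if u.synced_to_cloud and not u.temporary]
        return min(candidates, key=lambda u: u.managed_apple_id) if candidates else None

    def sign_out(self, managed_apple_id: str, background_sync_done: bool) -> None:
        """Lock the account; a temporary session's volume is deleted immediately."""
        user = self.users[managed_apple_id]
        if user.temporary:
            del self.users[managed_apple_id]   # reserved space returned to the system
        else:
            user.synced_to_cloud = background_sync_done

    def admin_delete(self, managed_apple_id: str) -> None:
        """Forcible deletion by an administrator; unsynced data on the volume is lost."""
        del self.users[managed_apple_id]
```

The eviction candidate is chosen deterministically here (lowest ID) only so the behaviour is testable; the document does not say how the real system picks among several fully synced users.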
If the device isn't connected to the Internet (for example, if the user has no Wi-Fi access point), authentication can occur against the local account for a limited number of days. In that situation, only users with previously existing local accounts or a temporary session can sign in. After the time limit has expired, users are required to authenticate online, even if a local account already exists.

After a user's local account has been unlocked or created, if it's remotely authenticated, the short-lived token issued by Apple's servers is converted to an iCloud token that permits signing in to iCloud. Next, the user's settings are restored and their documents and data are synced from iCloud.

While a user session is active and the device remains online, documents and data are stored on iCloud as they are created or modified. In addition, a background syncing mechanism ensures that changes are pushed to iCloud, or to other web services using NSURLSession background sessions, after the user signs out. After background syncing for that user is complete, the user's APFS volume is unmounted and can't be mounted again without the user signing back in. Temporary sessions do not sync data with iCloud, and although a temporary session can sign in to a third-party syncing service such as Box or Google Drive, there is no facility to continue syncing data when the temporary session ends.
Sign out of Shared iPad

When a user signs out of Shared iPad, that user's keybag is immediately locked and all apps are shut down. To accelerate the case of a new user signing in, iPadOS defers some ordinary sign-out actions temporarily and presents a login window to the new user. If a user signs in during this time (approximately 30 seconds), Shared iPad performs the deferred cleanup as part of signing in to the new user account. However, if Shared iPad remains idle, it triggers the deferred cleanup. During the cleanup phase, LoginWindow is restarted as if another sign-out had occurred. When a temporary session is ended, Shared iPad performs the full logout sequence and deletes the temporary session's APFS volume immediately.
Screen Time

Screen Time is a feature—in iOS 12 or later, iPadOS, and macOS 10.15 or later, and some features of watchOS—that lets a user understand and control their own app and web usage, or that of their children. While Screen Time is not a new system security feature, it's important to understand how Screen Time protects the security and privacy of the data gathered and shared between devices. In Screen Time, there are two types of users: adults and children.

Feature                          Supported OS
View usage data                  iOS, iPadOS, macOS
Enforce additional restrictions  iOS, iPadOS, macOS
Set web usage limits             iOS, iPadOS, macOS
Set app limits                   iOS, iPadOS, macOS, watchOS
Configure Downtime               iOS, iPadOS, macOS, watchOS

For a user managing their own device usage, Screen Time controls and usage data can be synced across devices associated to the same iCloud account using CloudKit end-to-end encryption. This requires that the user's account has two-factor authentication enabled (synchronization is off by default). Screen Time replaces the Restrictions feature found in previous versions of iOS. In iOS 13, iPadOS 13.1, and macOS 10.15, Screen Time users and managed children automatically share their usage across devices if their iCloud account has two-factor authentication enabled. When a user clears Safari history or deletes an app, the corresponding usage data is removed from the device and all synchronized devices.

Parents and Screen Time

Parents can also use Screen Time in iOS, iPadOS, and macOS devices to understand and control their children's usage. If the parent is a family organizer (in iCloud Family Sharing), they can view usage data and manage Screen Time settings for their children. Children are informed when their parents turn on Screen Time, and can monitor their own usage as well. When parents turn on Screen Time for their children, the parents set a passcode so their children can't make changes. Once they are 18 years old (depending on country or region), children can turn this monitoring off.

Usage data and configuration settings are transferred between the parents' and child's devices using the end-to-end encrypted Apple Identity Service (IDS) protocol. Encrypted data may be briefly stored on IDS servers until it's read by the receiving device (for example, as soon as the iPhone, iPad, or iPod touch is turned on, if it was off). This data isn't readable by Apple.

Screen Time analytics

If the user turns on Share iPhone & Watch Analytics, only the following anonymized data is collected so that Apple can better understand how Screen Time is being used:
- Was Screen Time turned on during Setup Assistant or later in Settings
- Change in Category usage after creating a limit for it (within 90 days)
- Is Screen Time turned on
- Is Downtime enabled
- Number of times the "Ask for more" query was used
- Number of app limits
- Number of times users viewed usage in the Screen Time settings, per user type and per view type (local, remote, widget)
- How many times do users ignore a limit, per user type
- How many times users delete a limit, per user type

No specific app or web usage data is gathered by Apple. When a user sees a list of apps in Screen Time usage information, the app icons are pulled directly from the App Store, which doesn't retain any data from these requests.
Apple security and privacy certifications

Apple security and privacy certifications overview

Apple maintains independent certifications and attestations over its hardware, software (including operating systems and apps), and services to provide customers with an independent review of Apple's security and privacy practices. For questions about Apple Security and Privacy Certifications, contact security-certifications@apple.com.

Hardware certifications

For information on public certifications related to hardware and associated firmware components see:
- Product security certifications for the Apple T2 Security Chip
- Product security certifications for the Secure Enclave Processor

Software certifications

For information on public certifications related to Apple operating systems see:
- Product security certifications for iOS
- Product security certifications for iPadOS
- Product security certifications for macOS
- Product security certifications for tvOS
- Product security certifications for watchOS

Services certifications

For information on public certifications related to Apple's Internet services see:
- Apple Internet Services Certifications

Apple security assurance

Apple pursues a comprehensive approach with security certifications to provide customers with the appropriate assurance for all Apple platforms. However, not all technical areas have globally accepted, comprehensive security certification standards. For several certifications that are well defined and globally accepted, Apple pursues and achieves annual certifications in alignment with each major OS release. For coverage in underrepresented areas, Apple has actively engaged in the development of emerging security standards. The mission is to drive globally accepted, comprehensive security certification coverage across Apple hardware, software, and services.

Hardware and software certifications and validations

With comprehensive development and management of the whole platform from silicon through the operating system, services and apps, Apple starts with certification building blocks that apply broadly across multiple platforms where appropriate. One such building block is the validation of corecrypto used for all software and hardware cryptographic module deployments within Apple developed operating systems. A second such building block is the certification of the Secure Enclave Processor, which is now embedded in many Apple devices. A third is the certification of the Secure Element found in all iPhones and Mac computers with Touch ID. These hardware certification building blocks form a foundation for broader platform security certifications.
Cryptographic Module Validations: FIPS 140-2/3 (ISO/IEC 19790)

The cryptographic modules in Apple operating systems have been repeatedly validated by the Cryptographic Module Validation Program (CMVP) as being conformant with U.S. Federal Information Processing Standards (FIPS) 140-2 following each major release of the operating systems since 2012. After each major release, Apple submits all modules to the CMVP for full cryptographic validation. These validated modules provide cryptographic operations for Apple provided services and are available for third-party apps to use.

Apple achieves Security Level 1 each year for the software based modules: "CoreCrypto Module on Intel" and the "CoreCrypto Kernel Module on Intel" for macOS, "CoreCrypto Module on ARM" and "CoreCrypto Kernel Module on ARM" for iOS, iPadOS, tvOS, watchOS and the firmware on the embedded Apple T2 Security Chip in a Mac. In 2019, Apple achieved FIPS Security Level 2 for the embedded hardware module identified as "Apple Secure Enclave Processor (SEP) Secure Key Store (SKS) Cryptographic Module" enabling government approved use of SEP generated and managed keys. Apple will continue to pursue higher levels for the hardware module with each successive major OS release as appropriate.

FIPS 140-3 was approved by the U.S. Department of Commerce in 2019. The most notable change in this version of the standard is the use of ISO/IEC standards, ISO/IEC 19790:2015 and the associated testing standard ISO/IEC 24759:2017. The CMVP has initiated a transition program and has indicated that starting in 2020, cryptographic modules will begin to be validated using FIPS 140-3 as a basis. Apple cryptographic modules will aim to meet and transition to the FIPS 140-3 standard as soon as practicable.

For cryptographic modules currently in the testing and validation processes, the CMVP maintains two separate lists that may contain information about proposed validations. For cryptographic modules under testing with an accredited laboratory, the Implementation Under Test List may list the module. Once submitted by the laboratory for validation by the CMVP, the cryptographic module may appear in the Modules in Process List. Look to these two process lists first if enquiring about their validation status soon after a major OS release.
Product Certifications (Common Criteria ISO/IEC 15408)

Common Criteria (ISO/IEC 15408) is a standard that is used by many organizations as a basis for performing security evaluations of IT products. For certifications that may be mutually recognized under the international Common Criteria Recognition Arrangement (CCRA) see the Common Criteria Portal. The Common Criteria standard may also be used outside the CCRA by national and private validation schemes. The goal, as stated by the Common Criteria community, is for an internationally approved set of security standards to provide a clear and reliable evaluation of the security capabilities of Information Technology products. By providing an independent assessment of a product's ability to meet security standards, Common Criteria Certification gives customers more confidence in the security of Information Technology products and leads to more informed decisions.

Through the Common Criteria Recognition Arrangement (CCRA), member countries and regions have agreed to recognize the certification of Information Technology products with the same level of confidence. Membership along with the depth and breadth of Protection Profiles (PPs) continues to grow on a yearly basis to address emerging technology. This agreement permits a product developer to pursue a single certification under any one of the Authorizing Schemes. Previous PPs have been archived and are being replaced with the development of targeted Protection Profiles focusing on specific solutions and environments. In a concerted effort to ensure continued mutual recognition across all CCRA members, the International Technical Community (iTC) continues to drive all future PP development and updates towards Collaborative Protection Profiles (cPP) which are developed from the start with involvement from multiple schemes.

The document expressing the security requirements evaluated for an IT product is called a "Security Target" (ST); and to gain the stated assurance, the device must be configured as described in the guidance document associated with the evaluation. The assurance obtained by using the Common Criteria standards is expressed using security assurance requirements that can be specified in a Protection Profile (PP) or an ST. Evaluation Assurance Levels (EAL) group together commonly used sets of security assurance requirements and may be specified in PPs and STs to support comparability.

Apple began pursuing certifications under this new Common Criteria restructure with selected PPs starting in early 2015. Since 2015, Apple has achieved Common Criteria (ISO/IEC 15408) certifications for each major iOS release and has expanded coverage to include assurance provided by new Protection Profiles (PPs). These include the following:

iOS and iPadOS on mobile devices (iPhone and iPad)
- Mobile Device Certification
  - Mobile Device Fundamental Protection Profile (Platform Certification)
  - PP-Module for MDM Agent (MDM Management of the Platform)
  - Functional Package for TLS (All TLS communication from and to the Platform)
  - PP-Module for VPN Client (Always-on VPN using IKEv2 for IPSEC)
  - Extended Package for Wireless LAN Clients (Authenticated and Encrypted Wireless Access)
- App Certification
  - Application Software (Contacts)
  - Extended Package for Web Browsers (Safari browser)

Apple has taken an active role within the technical communities focused on evaluating mobile security technologies. These include the international Technical Communities (iTC) responsible for developing and updating collaborative Protection Profiles (cPPs). Apple continues to evaluate and pursue certifications against PPs and cPPs available today and under development. Apple platform certifications for the North America market are generally performed with the National Information Assurance Partnership (NIAP) who maintain a list of projects currently in evaluation but not yet certified. In addition to the general platform certificates listed, other CC certificates have been issued in order to demonstrate specific security requirements for some markets.
Services Certifications

Apple Inc. maintains certifications in compliance with standards such as ISO/IEC 27001 and 27018 to enable Apple customers to address their regulatory and contractual obligations. These certifications provide our customers with an independent attestation over Apple Information Security and Privacy practices for in-scope systems.
- Apple Internet Services Certifications

Glossary

Address Space Layout Randomization (ASLR): A technique employed by iOS to make the successful exploitation by a software bug much more difficult. By ensuring memory addresses and offsets are unpredictable, exploit code can't hardcode these values. In iOS 5 or later, the position of all system apps and libraries are also randomized, along with all third-party apps compiled as position-independent executables.

AES: Advanced Encryption Standard.

AES crypto engine: A dedicated hardware component that implements AES.

AES-XTS: A mode of AES defined in IEEE 1619-2007 meant to work for encrypting storage media.

APFS: Apple File System.

Apple Identity Service (IDS): Apple's directory of iMessage public keys, APNs addresses, and phone numbers and email addresses that are used to look up the keys and device addresses.

Apple Push Notification service (APNs): A worldwide service provided by Apple that delivers push notifications to iOS and iPadOS devices.

Apple Security Bounty: A reward given by Apple to researchers who report a vulnerability that affects the latest shipping operating systems and, where relevant, the latest hardware.

Boot Camp: Boot Camp supports the installation of Microsoft Windows on a Mac.

Boot Progress Register (BPR): A set of SoC hardware flags that software can use to track the boot modes the device has entered, such as DFU mode and Recovery mode. Once a Boot Progress Register flag is set, it can't be cleared. This allows later software to get a trusted indicator of the state of the system.

Boot ROM: The very first code executed by a device's processor when it first boots. As an integral part of the processor, it can't be altered by either Apple or an attacker.

CKRecord: A dictionary of key-value pairs that contain data saved to or fetched from CloudKit.
Data Protection: File and Keychain protection mechanism for iOS. It can also refer to the APIs that apps use to protect files and Keychain items.

Data Vault: A mechanism—enforced by the kernel—to protect against unauthorized access to data regardless of whether the requesting app is itself sandboxed.

Device Firmware Upgrade (DFU) mode: A mode in which a device's Boot ROM code waits to be recovered over USB. The screen is black when in DFU mode, but upon connecting to a computer running iTunes, the following prompt is presented: "iTunes has detected an (iPad, iPhone, or iPod touch) in Recovery mode. The user must restore this (iPad, iPhone, or iPod touch) before it can be used with iTunes."

DMA: Direct memory access enables hardware subsystems to access main memory.

Elliptic Curve Diffie-Hellman Exchange (ECDHE): Elliptic Curve Diffie-Hellman Exchange with ephemeral keys. ECDHE allows two parties to agree on a secret key in a way that prevents the key from being discovered by an eavesdropper watching the messages between the two parties.

ECDSA: A digital signature algorithm based on elliptic curve cryptography.

Effaceable Storage: A dedicated area of NAND storage, used to store cryptographic keys, that can be addressed directly and wiped securely. While it doesn't provide protection if an attacker has physical possession of a device, keys held in Effaceable Storage can be used as part of a key hierarchy to facilitate fast wipe and forward security.

eSPI: Enhanced Serial Peripheral Interface bus for synchronous serial communication.

Exclusive Chip Identification (ECID): A 64-bit identifier that's unique to the processor in each iOS device. When a call is answered on one device, ringing of nearby iCloud-paired devices is terminated by briefly advertising through Bluetooth Low Energy (BLE) 4.0. The advertising bytes are encrypted using the same method as Handoff advertisements. Used as part of the personalization process, it's not considered a secret.

File system key: The key that encrypts each file's metadata, including its class key. This is kept in Effaceable Storage to facilitate fast wipe, rather than confidentiality.

Group ID (GID): Like the UID, but common to every processor in a class.

Hardware security module (HSM): A specialized tamper-resistant computer that safeguards and manages digital keys.

iBoot: Code that loads XNU, as part of the secure boot chain. Depending on the SoC generation, iBoot may be loaded by LLB or directly by the Boot ROM.

Integrated circuit (IC): Also known as a microchip.

Joint Test Action Group (JTAG): Standard hardware debugging tool used by programmers and circuit developers.
Keybag: A data structure used to store a collection of class keys. Each type (user, device, system, backup, escrow, or iCloud Backup) has the same format:
- A header containing: Version (set to four in iOS 12 or later), Type (system, backup, escrow, or iCloud Backup), Keybag UUID, an HMAC if the keybag is signed, and the method used for wrapping the class keys—tangling with the UID or PBKDF2, along with the salt and iteration count.
- A list of class keys: Key UUID, Class (which file or Keychain Data Protection class), wrapping type (UID-derived key only; UID-derived key and passcode-derived key), wrapped class key, and a public key for asymmetric classes.

Keychain: The infrastructure and a set of APIs used by iOS and third-party apps to store and retrieve passwords, keys, and other sensitive credentials.

Key wrapping: Encrypting one key with another. iOS uses NIST AES key wrapping, in accordance with RFC 3394.

Low-Level Bootloader (LLB): On Mac computers with a two-stage boot architecture, code that's invoked by the Boot ROM, and in turn loads iBoot, as part of the secure boot chain.

Media key: Part of the encryption key hierarchy that helps provide for a secure and instant wipe. On iOS, iPadOS, tvOS, and watchOS, the media key wraps the metadata on the data volume (and thus without it access to all per-file keys is impossible, rendering files protected with Data Protection inaccessible). On macOS, the media key wraps the keying material, all metadata, and data on the FileVault protected volume. In either case, wipe of the media key renders encrypted data inaccessible.

Memory controller: The subsystem in the SoC that controls the interface between the SoC and its main memory.

Mobile device management (MDM): A service that lets the user remotely manage enrolled devices. Once a device is enrolled, the user can use the MDM service over the network to configure settings and perform other tasks on the device without user interaction.

NAND: Nonvolatile flash memory.

Per-file key: The 256-bit key used to encrypt a file on the file system using AES128-XTS, where the 256-bit key is split to provide both the 128-bit tweak key and the 128-bit cipher key. The per-file key is wrapped by a class key and is stored in the file's metadata.

Provisioning profile: A plist signed by Apple that contains a set of entities and entitlements allowing apps to be installed and tested on an iOS device. A development Provisioning Profile lists the devices that a developer has chosen for ad hoc distribution, and a distribution Provisioning Profile contains the app ID of an enterprise-developed app.
Recovery mode: Recovery mode is used to restore an iOS device or Apple TV if iTunes (for iOS devices only) doesn't recognize the user's device or says it's in Recovery mode, the screen is stuck on the Apple logo for several minutes with no progress bar, or the connect to iTunes screen appears.

Ridge flow angle mapping: A mathematical representation of the direction and width of the ridges extracted from a portion of a fingerprint.

Software seed bits: Dedicated bits in the Secure Enclave AES engine that get appended to the UID when generating keys from the UID. Each software seed bit has a corresponding lock bit. The Secure Enclave Boot ROM and OS can independently change the value of each software seed bit as long as the corresponding lock bit hasn't been set. Once the lock bit is set, neither the software seed bit nor the lock bit can be modified. The software seed bits and their locks are reset when the Secure Enclave reboots.

SSD controller: Hardware subsystem that manages the storage media (solid-state drive).

System Coprocessor Integrity Protection (SCIP): System coprocessors are CPUs on the same SoC as the application processor.

System on Chip (SoC): An integrated circuit (IC) that incorporates multiple components into a single chip. The application processor, Secure Enclave and other coprocessors are components of the SoC.

System Software Authorization: Combines cryptographic keys built into hardware with an online service to ensure that only legitimate software from Apple, appropriate to supported devices, is supplied and installed at upgrade time.

Tangling: The process by which a user's passcode is turned into a cryptographic key and strengthened with the device's UID. This ensures that a brute-force attack must be performed on a given device, and thus is rate limited and can't be performed in parallel. The tangling algorithm is PBKDF2, which uses AES keyed with the device UID as the pseudorandom function (PRF) for each iteration.

T2 DFU mode: Device Firmware Upgrade mode for the Apple T2 Security Chip.

UEFI firmware: Unified Extensible Firmware Interface, a replacement technology for BIOS to connect firmware to the operating system of a computer.

Uniform Resource Identifier (URI): A string of characters that identifies a web-based resource.

Unique ID (UID): A 256-bit AES key that's burned into each processor at manufacture. It can't be read by firmware or software, and is used only by the processor's hardware AES engine. To obtain the actual key, an attacker would have to mount a highly sophisticated and expensive physical attack against the processor's silicon. The UID isn't related to any other identifier on the device including, but not limited to, the UDID.

XNU: The kernel at the heart of the iOS and macOS operating systems. It's assumed to be trusted, and enforces security measures such as code signing, sandboxing, entitlement checking, and ASLR.
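The Tangling entry above is the part of the key hierarchy most worth seeing in code: PBKDF2 is a generic construction over any PRF, and what ties the derived key to one device is that the Secure Enclave's PRF is AES keyed with the UID, which no software can read. The block below is an added example, not Secure Enclave code. It implements PBKDF2 (RFC 8018) over a pluggable PRF, checks the loop against the standard library's PBKDF2-HMAC, and then plugs in a UID-tangled PRF. Because the hardware AES-with-UID PRF is not reproducible here, that PRF is a hypothetical stand-in built from HMAC-SHA256 keyed with a constructed 256-bit "UID"; the point it shows (same passcode, different device, different key; no UID, no derivation) is the one the entry makes.

```python
"""PBKDF2 over a pluggable PRF, with a UID-tangled PRF (added illustrative example)."""

import hashlib
import hmac
import struct


def pbkdf2(prf, password: bytes, salt: bytes, iterations: int, dklen: int) -> bytes:
    """Generic PBKDF2 (RFC 8018 section 5.2) over any prf(key, data) -> fixed-length bytes."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    hlen = len(prf(password, b""))
    out = bytearray()
    block_count = -(-dklen // hlen)                       # ceil(dklen / hlen)
    for i in range(1, block_count + 1):
        u = prf(password, salt + struct.pack(">I", i))    # U_1 = PRF(P, S || INT(i))
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = prf(password, u)                          # U_j = PRF(P, U_{j-1})
            for j, byte in enumerate(u):
                t[j] ^= byte                              # T_i = U_1 xor ... xor U_c
        out += t
    return bytes(out[:dklen])


def hmac_sha256_prf(key: bytes, data: bytes) -> bytes:
    """The usual software PRF; lets the generic loop be checked against hashlib."""
    return hmac.new(key, data, hashlib.sha256).digest()


def uid_tangled_prf(uid: bytes):
    """Hypothetical stand-in for the Secure Enclave's UID-keyed AES PRF.
    Every iteration is keyed with the device UID, so the derivation can only be
    evaluated on the device holding that UID; an attacker with the salt, the
    iteration count and a passcode guess still cannot compute the key elsewhere."""
    def prf(key: bytes, data: bytes) -> bytes:
        return hmac.new(uid, key + data, hashlib.sha256).digest()
    return prf


def derive_passcode_key(passcode: str, salt: bytes, iterations: int, uid: bytes) -> bytes:
    """Passcode-derived key tangled with the UID (32-byte output)."""
    return pbkdf2(uid_tangled_prf(uid), passcode.encode(), salt, iterations, 32)


def matches_hashlib(password: bytes, salt: bytes, iterations: int, dklen: int) -> bool:
    """Cross-check the generic loop against the standard library's PBKDF2-HMAC-SHA256."""
    ours = pbkdf2(hmac_sha256_prf, password, salt, iterations, dklen)
    return ours == hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen)


# Constructed example UID (not a real device value).
EXAMPLE_UID = bytes.fromhex("0f" * 32)
```

The iteration count is what the document describes as calibrated to the device's rate limit; with a UID-keyed PRF that count only has to defeat on-device guessing, since off-device guessing is not possible at all.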
Document Revision History

April 2020
Updated for: iOS 13.4, iPadOS 13.4, macOS 10.15.4, tvOS 13.4, watchOS 6.2
Updates:
- iPad microphone disconnect added to Hardware microphone disconnect in Mac and iPad.
- Data Vaults added to How Apple protects users' personal information.
- Updates to Using Bootstrap Token, User setup, Organization setup, and Command-line tools.
- Malware Removal Tool additions in Protecting against malware.
- Updates to Shared iPad overview, Sign in to Shared iPad, and Sign out of Shared iPad.
- New Apple security and privacy certifications overview topic.
- Updates to Apple security and privacy certifications overview and Apple security assurance.

December 2019
Merged the iOS Security Guide, macOS Security Overview, and the Apple T2 Security Chip Overview.
Updated for: iOS 13.3, iPadOS 13.3, macOS 10.15.2, tvOS 13.3, watchOS 6.1.1
Privacy Controls, Siri and Siri Suggestions, and Safari Intelligent Tracking Prevention have been removed. See https://www.apple.com/privacy/ for the latest on those features.

May 2019
Updated for iOS 12.3
- Support for TLS 1.3
- Revised description of AirDrop security
- DFU mode and Recovery mode
- Passcode requirements for accessory connections

November 2018
Updated for iOS 12.1
- Group FaceTime

September 2018
Updated for iOS 12
- Secure Enclave
- OS Integrity Protection
- Express Card with power reserve
- DFU mode and Recovery mode
- HomeKit TV Remote accessories
- Contactless passes
- Student ID cards
- Siri Suggestions
- Shortcuts in Siri
- Shortcuts app
- User password management
- Screen Time
- Security Certifications and programs

July 2018
Updated for iOS 11.4
- Biometric policies
- HomeKit
- Apple Pay
- Business Chat
- Messages in iCloud
- Apple Business Manager

December 2017
Updated for iOS 11.2
- Apple Pay Cash

October 2017
Updated for iOS 11.1
- Security Certifications and programs
- Touch ID/Face ID
- Shared Notes
- CloudKit end-to-end encryption
- TLS update
- Apple Pay, Paying with Apple Pay on the web
- Siri Suggestions
- Shared iPad

July 2017
Updated for iOS 10.3
- Secure Enclave
- File Data Protection
- Keybags
- Security Certifications and programs
- SiriKit
- HealthKit
- Network Security
- Bluetooth
- Shared iPad
- Lost Mode
- Activation Lock
- Privacy Controls

March 2017
Updated for iOS 10
- System Security
- Data Protection classes
- Security Certifications and programs
- HomeKit, ReplayKit, SiriKit
- Apple Watch
- Wi-Fi, VPN
- Single sign-on
- Apple Pay, Paying with Apple Pay on the web
- Credit, debit, and prepaid card provisioning
- Safari Suggestions

May 2016
Updated for iOS 9.3
- Managed Apple ID
- Two-factor authentication for Apple ID
- Keybags
- Security Certifications
- Lost Mode, Activation Lock
- Secure Notes
- Apple School Manager
- Shared iPad

September 2015
Updated for iOS 9
- Apple Watch
- Activation Lock
- Passcode policies
- Touch ID API support
- Data Protection on A8 uses AES-XTS
- Keybags for unattended software update
- Certification updates
- Enterprise app trust model
- Data Protection for Safari bookmarks
- App Transport Security
- VPN specifications
- iCloud Remote Access for HomeKit
- Apple Pay Rewards cards, Apple Pay card issuer's app
- Spotlight on-device indexing
- iOS Pairing Model
- Apple Configurator 2
- Restrictions

Apple Inc.
© 2020 Apple Inc. All rights reserved.

Apple, the Apple logo, AirDrop, AirPlay, Apple Music, Apple Pay, Apple TV, Apple Watch, CarPlay, Face ID, FaceTime, FileVault, Finder, FireWire, Handoff, iMac, iMac Pro, iMessage, iPad, iPad Air, iPhone, iPod, iPod touch, iTunes, iTunes U, Keychain, Lightning, Mac, MacBook, MacBook Air, MacBook Pro, macOS, Objective-C, OS X, QuickType, Safari, Siri, Siri Remote, Spotlight, Touch ID, TrueDepth, watchOS, and Xcode are trademarks of Apple Inc., registered in the U.S. and other countries.

Apple Books, Apple Wallet, HealthKit, HomeKit, HomePod, iPadOS, SiriKit, and tvOS are trademarks of Apple Inc.

AppleCare, App Store, CloudKit, iCloud, iCloud Drive, iCloud Keychain, and iTunes Store are service marks of Apple Inc., registered in the U.S. and other countries.

IOS is a trademark or registered trademark of Cisco in the U.S. and other countries and is used under license.

The Bluetooth word mark and logos are registered trademarks owned by Bluetooth SIG, Inc. and any use of such marks by Apple is under license.

Java is a registered trademark of Oracle and/or its affiliates.

UNIX is a registered trademark of The Open Group.

Other product and company names mentioned herein may be trademarks of their respective companies. Product specifications are subject to change without notice.

Apple
One Apple Park Way
Cupertino, CA 95014
apple.com
028-00205
