Question: Apple released a detailed technical document that revealed some security technical information built into iOS and App Store for the first time. What do you think of this document? Does this document indicate that Apple devices pose a great threat to the company's BYOD policy, or that iPhone and iPad manufacturers still have a long way to go to solve iOS security problems?
The iOS security guide is the first time Apple has publicly explained the security architecture behind iOS. For those who are not familiar with Apple products, iOS is an operating system running iPhone, iPad, and iPod. This document covers the iOS system architecture, encryption, data and network security, and device access information. Although much of this information has never been officially exposed, security experts have already decrypted most of the features mentioned in this document. However, the deployment of address space layout randomization ASLR is still very fresh for many people, apple explained in detail how the code signing process of iOS apps works.
ASLR is mainly used to prevent attackers from exploiting the Memory Corruption Vulnerability. Since the launch of Windows Vista, Microsoft has always advocated ASLR. We are very happy to know that Xcode will automatically compile third-party programs enabled with ASLR. This code signing process requires that all executable code be signed using the apple-authorized certificate, which enables apple to control which applications are allowed to run on iOS devices and, this plays a core role in Apple's security architecture. Apple will review all third-party applications in the App Store to ensure that they can operate as described and do not contain obvious vulnerabilities or other problems. Apple can know that identifiable individuals or enterprises have submitted applications because the applications have been signed during the review process.
Compared with the security issues in the Android environment, iOS is a rare bug. In the Android environment, malicious code has become a serious problem. However, the disadvantage of iOS is that, due to sandbox, API restrictions, and other Apple developer policies, it is difficult for us to create a security configuration monitoring application to capture the status of iOS systems. The openness of the Android operating system means that applications can easily access the security status of Android devices. IOS devices can only monitor what the device is doing, who it is communicating with, and what data is being transmitted from the outside through the network.
In the first sentence of the iOS Security Guide, it is pointed out that Apple regards security as its core when designing the iOS platform. Therefore, in terms of security, iOS is definitely better than many other mobile operating systems. This guide will help the security team better understand the internal structure of Apple mobile devices for a more detailed risk assessment. Any mobile device has risks, and I think the user creates most of the risks, not the device itself. National Security Agency (NSA) Security Configuration recommendations for Apple iOS can be used to enhance the security of devices connected to the enterprise network, but it is also important to ensure that users know how to securely use mobile devices.