Apple Releases Guide To iOS Security

Apple has introduced a guide to iOS security, which was posted to sometime in late May, but is just now being noticed outside the Apple developer community. The publication is notable because it’s the first time Apple has published a comprehensive guide intended for an I.T. audience. (Apple’s developer-friendly documentation on security matters is easy to spot, however).

The new guide includes four sections dedicated to topics like system architecture, encryption and data protection, network security, and device access.

In reading the introduction, it’s clear that the guide’s intention is to better help corporate I.T. understand the security environment with iOS devices, including iPhones, iPod Touches, and iPads. It’s important that these details are documented in language I.T. understands as more and more businesses allow personal devices on their network and implement their own BYOD (bring your own device) programs.

To this point, the report begins:

“Apple designed the iOS platform with security at its core. Keeping information secure on mobile devices is critical for any user, whether they’re accessing corporate or customer information or storing personal photos, banking information, and addresses….

For organizations considering the security of iOS devices, it is helpful to understand how the built-in security features work together to provide a secure mobile computing platform.”

While some may imagine the guide to be an example of Apple’s increasing openness (on matters not related to new products, that is…), much of the information contained in the guide is not new at this point in time. It has simply been repackaged for a different audience.

However, detailed in the guide are things like how the code-signing process works and ASLR (address space layout randomization) works in iOS, which had previously been outed by security researchers prior to Apple’s reveal.

Another I.T.-friendly tidbit includes a list of items which administrators can restrict using configuration profiles within their Mobile Device Management solution. For example, Siri (as IBM recently did), plus FaceTime, the camera, screen capture, app installs, in-app purchases, Game Center, YouTube, pop-ups, cookies and more. Users may have more freedom of choice in terms of devices they use for work than in years past, but corporate I.T. is now adapting so it can deliver the same level of protection it once did it the BES/BlackBerry era…or, as an end user might tell you – the same level of lockdown. (What, no YouTube at work? No fair.)

The full guide is available here. (PDF)