Here’s all the new stuff in Apple’s latest security document

Hey guess what? Apple has a new security whitepaper! Apple only releases these things once every few years, and they represent the public’s only window into how iPhones and other Apple products secure the massive amounts of data entrusted to them.

Even though Apple hasn’t released a security whitepaper since September 2015 (or since iOS 9, if you prefer to measure time in software updates), there’s not much earth-shattering new information in the latest edition, which covers iOS 10.

This is probably a good sign for users — the fact that Apple isn’t making many changes to the basic security structure of the iPhone likely means that Apple hasn’t uncovered any major flaws in its product. The company puts significant resources into testing its own security and invites outside researchers to do the same through its bug bounty program.

But Apple has rolled out plenty of new features and products in the last few years, and the security whitepaper reflects that. Here are some of the biggest new developments:

Touch ID opened to developers

When Apple first debuted Touch ID, it used customers’ fingerprints solely for unlocking iPhones and approving purchases in Apple-controlled environments like iTunes and iBooks. But starting in iOS 9, Apple opened up Touch ID to support biometric-approved logins for third-party app developers. The whitepaper gives us a small update on the encryption key generation and storage that makes this possible:

With iOS 9 or later, developers can:
• Generate and use ECC keys inside Secure Enclave. These keys can be protected by Touch ID. Operations with these keys are always done inside Secure Enclave after Secure Enclave authorizes the use. Apps can access these keys using Keychain through SecKey. SecKeys are just references to the Secure Enclave keys and the keys never leave Secure Enclave.

By generating the codes on a one-time basis, Apple is able to offer access to Touch ID confirmations without re-using keys that could get stolen or leaked. This is similar in philosophy to the way that Apple Pay generates one-time transaction codes without transmitting your actual credit card number.

HomeKit won’t let your smart house spy on you

In the dystopian future our current reality, your smart TV might spy on you or let someone else spy on you. Or your digital assistant might testify against you. Apple wants to avoid these scenarios with Apple TV and the rest of the HomeKit-enabled devices that make up its smart home offerings.

Apple offered details about how HomeKit securely communicates with a user’s iPhone and the devices in his house while keeping his information private, even from Apple, in its last whitepaper, but there’s one new tidbit about how it secures Apple TVs. Apple makes an effort to keep hackers away from your Apple TV by requiring two-factor authentication on iCloud accounts in order to provision the TVs:

The process to provision Apple TV for use with HomeKit is performed automatically when the user signs in to iCloud. The iCloud account needs to have two-factor authentication enabled. Apple TV and the owner’s device exchange temporary Ed25519 public keys over iCloud. When the owner’s device and Apple TV are on the same local network, the temporary keys are used to secure a connection over the local network using Station-to-Station protocol and per-session keys. This process uses authentication and encryption that is the same as that used between an iOS device and a HomeKit accessory. Over this secure local connection, the owner’s device transfers the user’s Ed25519 public-private key pairs to Apple TV. These keys are then used to secure the communication between Apple TV and the HomeKit accessories and also between Apple TV and other iOS devices that are part of the HomeKit home.

Siri’s still clunky with third-party apps (but it’s for your own good)

After more than seven years on the market, Siri is pretty good at answering your questions — as long as those answers are contained within Apple apps. Siri can tell you the weather or schedule reminders, but she runs into trouble if you ask her to Venmo some cash to a family member.

The security whitepaper explains why: Apple is trying to follow the privacy rules users set in place for apps and not violate them with Siri requests:

Although Siri has access to iOS contacts and the device’s current location, Siri checks the permission to access iOS-protected user data of the app containing the Extension to see if the app has access before providing that information to it. Siri passes only the relevant fragment of the original user query text to the extension. For example, if the app doesn’t have access to iOS contacts, Siri won’t resolve a relationship in a user request such as “Pay my mother $10 using PaymentApp.” In this case, the Extension’s app would only see “mother” through the raw utterance fragment being passed to it. However, if the app does have iOS contacts access, it would receive the iOS Contact information for the user’s mother.

New possibilities (and privacy) for live streaming

iOS 10 expands a developer tool called ReplayKit, which makes it possible to live stream or record video from the iPhone’s screen. Naturally, Apple’s added privacy notifications to let customers know when their screens are being recorded and make sure they consent to the recording.

Originally impossible, recording and playback of iOS screens had been a popular feature available to jailbroken iPhones before it was added to iOS. Unsurprisingly, Apple has applied a logical but highly restricted scope to how the feature can be accessed.

Apple also ensures that users don’t lose control of their recordings: “The movie file is written to a directory that’s only accessible to ReplayKit’s subsystems and is never accessible to any apps. This prevents recordings being used by third parties without the user’s consent,” the paper explains.

Start a payment on the computer, finish on your phone

Apple Pay is available for web transactions in iOS 10 and most of the security architecture is what you’d expect for a web-based payments system. Apple requires websites to register and have their domain verified by Apple, and sites need to serve their content over an encrypted HTTPS connection.

But there is one cool feature that’s new here — you can start a transaction on your laptop and finish it with your iPhone or Apple Watch. This transaction hand-off requires some interesting security wrangling that allows your credit card information to remain securely on your phone or watch:

In the case of Mac to iPhone or Apple Watch handoff, Apple Pay uses the end-to-end encrypted IDS protocol to transmit payment related information between the user’s Mac and the authorizing device. IDS uses the user’s device keys to perform encryption so no other device can decrypt this information, and the keys aren’t available to Apple. Device discovery for Apple Pay handoff contains the type and unique identifier of the user’s credit cards along with some metadata. The device-specific account number of the user’s card isn’t shared and it continues to remain stored securely on the user’s iPhone or Apple Watch. Apple also securely transfers the user’s recently used contact, shipping, and billing addresses over iCloud Keychain.

About that bug bounty…

Apple was a bit slow to adopt a bug bounty, finally introducing one last year. The program, which offers financial rewards to researchers who find security flaws in Apple software or hardware, was invitation-only at first, but Apple said it would slowly expand the list of invitees.

The bounty program gets a nod in the new whitepaper, which notes that hackers can participate even if they haven’t received an invite. “In order to be eligible for an Apple Security Bounty, researchers are required to provide a clear report and working proof of concept. The vulnerability must affect the latest shipping iOS and where relevant the latest hardware. The exact payment amount will be determined after review by Apple,” the paper explains.

There are a few other tweaks (helpfully highlighted on GitHub), but that’s everything major in this update.