In today’s world, many of us use iOS devices and we are completely aware of how this system has evolved with its releases over a period of time. Many of the iOS users are not aware about how much efforts Apple has put in to make their data secure and accessible at the same time. So in this post we are going to have a look at few key features of iOS that are being used daily by the iOS users and Apple’s strategy on safeguarding them.
The readers of this post should be acquainted with the key terms of Apple’s ecosystem that we are going to use in this post like touch ID or passcode, readers who already have an iOS device should not have any issues as they’re already familiar with such key terms, also basic knowledge of encryption will be an added bonus.
Touch ID: Touch ID is Apple’s way of unlocking the device using biometric technology; the reason why they invented this so that the user does not have to go through the pain of entering their 4-digit passcode (phone’s security lock code to unlock the phone). The user can now place his thumb on the home button of the iPhone and his device will get unlocked. Touch ID is available from iPhone 5S onwards.
You need to add your fingerprint in the iOS device to use Touch ID, if you’re getting worried that Apple may store it somewhere in its cloud then you’re wrong, Apple does nothing like that.
iOS device does not save your fingerprint with itself, what it does is it stores a mathematical representation of it in the iOS device chip with an advanced security architecture called the Secure Enclave (also known as the Trust Zone) which is the same architecture mechanism used to save your passcode. The secure enclave makes sure that your fingerprint representation is secured by using its world-class secure and save algorithms.
The fingerprint data is encrypted using a key only known to the secure enclave and is used only by the secure enclave to verify your fingerprint.
When one touches the home button the Touch ID sensor gets activated and takes a high definition snap of your fingerprint, this data is transferred to the chip via a peripheral interface bus and is forwarded to secure enclave for decryption. If the unique characteristic of the snap match with the one already stored in your device you’re authenticated and your iOS device will be unlocked. Once processing and analysis is completed the fingerprint snap is discarded and is not stored in any of the Apple services.
You can even use Touch ID to make purchases in various Apple digital media stores, developers can use Touch ID in their application using the LocalAuthentication.Framework.
Passcode: In general passcodes are like the lock screen passwords which act as security gatekeepers of your iOS devices. Passcode accept 4-digit password to unlock the device. This 4-digit password is set by the user using the setting screen of iOS device.
The advantage of having a passcode is when an unauthorized person tries to attempt your 4 digit password by entering random guesses several times, the device identifies that incorrect codes are tapped in and it then adds in longer pauses between the attempts to enter the passcode.
Example: If a user is trying to access my iOS device which is passcode protected it will try to guess my passcode 4 digit number and enter any 4 digit number as per his guess, the iOS device will identify that a wrong passcode is entered and after several attempts it will ask the user to enter the passcode after 1 minute and will increase this time interval every time a wrong passcode is entered.
The total limit to enter an incorrect passcode is 10 tries after that the iOS locks up the device for good or depending upon your security setting wipes out the data.
When you turn on Passcode you turn on another layer of security called as data protection which creates a new encryption key used to encode certain files marked critical by the OS like the keychain (explained below) for example.
In any encryption mechanism you need a key to encrypt your data, in the iOS the user entered passcode is that key and this key is never stored in the Apple chipset or the secure enclave, in this way even Apple is not aware of your passcode as it’s not physically stored in the device.
Since passcode is not stored in the device the only way, which your device data can be hacked (if ever fallen into the wrong hands), is by using brute force attack, i.e. the hacker will try every 4 digit combination till it finds the right one. In coming iOS 9 release Apple will ask iOS device users to enter 6 digit passcode rather than 4 making it all the more difficult for the hackers to crack it because a 4 digit code can be cracked easily but a 6 digit code is even more difficult to crack.
Keychain data protection: The iOS keychain provides a secure way to store user sensitive data and private keys for your application; hence from the development standpoint, any sensitive data has to be stored in the iOS keychain rather than storing it in plist (property list) or NSUserDeafult.
Keychain items can also be used to share data between two applications provided same developer makes the application, iOS stores data in keychain using AES-256 encryption technique.
Apple provides its own keychainWrapper class to developers, which helps us in storing any sensitive data in the iOS keychain during development.
File Data protection: Every file in iOS is encrypted using the data protection method, when a file is created, the data protection creates a 256-bit key (known as per-file key) and gives it to the iOS device AES engine which uses the key to encrypt the file.
The per file key is wrapped with the class keys which determine under what circumstances the files should be accessible, once the per-file key is wrapped its then stored in the file’s metadata. The file’s metadata in the iOS file system is also encrypted using a random key, this random key is created when the iOS is first installed or when a user wipes the device that can also be termed as the file system key.
When the iOS system requires to open a file, file’s metadata is decrypted using the file system key of iOS, this decryption reveals the wrapped per-file key, which is then unwrapped using the class key which was earlier used to wrap it, and is then sent to the hardware AES engine that finally decrypts the file.
The above topic is just a summary on how Apple has plans to keep the user data safe, the iOS system is so smart that it starts for the encryption when your OS boots up and checks if everything is secure. Hope this post has helped you in understanding few security concepts of the popularly used iOS system.