Apple security guru lays out iPad, iPhone crypto architecture at Black Hat

A top Apple security guru Thursday presented an in-depth view of the security architecture for iOS, the basis of iPhones and iPad tablets, underscoring the complex certificate-based encryption framework Apple has adopted.

"Our attitude is security is an architecture," said Apple platform security manager Dallas De Atley, adding, "It's not something you sprinkle over your code when it's done."


In a description of how the secure boot process works, De Atley pointed out that the firmware in each iOS device is digitally signed by Apple as part of the manufacturing process. But that's just the start of a certificate-based system Apple uses to try to prevent its products from being exploited if vulnerabilities are discovered and need to be remedied. Encryption is also embedded to let users take advantage of classes of encryption on their devices, according to De Atley.

By hitting a lock button, users can ensure their mail messages are encrypted at rest on the device, said De Atley. Files can also be automatically encrypted and not opened until a user enters a passcode.

The encryption classes include Complete Protection, where a passcode is required to decrypt; Protected with First Unlock, which De Atley said works like full-disk encryption on the desktop; and lastly, simply No Protection from the encryption mechanism, if that's what's desired.

He said Apple has made additional efforts, including entangling the passcode with the device's unique identifier to try to deter brute-force attacks. Other safeguards include enabling the device to automatically wipe after 10 failed attempts to enter a passcode.

"The cryptography for this is fairly complicated," said De Atley about the iOS design, which also includes the concept of a keybag that lives on the device all the time for maintaining class keys.

Apple has built encryption based on the 256-bit Advanced Encryption Standard and the Secure Hash Algorithm into its processors. De Atley said neither Apple nor the manufacturers know the unique identifier, a safeguard he says ensures the user has maximum protection. Apple maintains a global key as a top control point.

Basically, as is already known, apps from the Apple App Store will not run on users' iOS devices unless they're signed by Apple. Third-party developers can be issued a public-key certificate from Apple to make apps that run on iOS. To build enterprise apps, developers can enroll in the iOS Developer Enterprise program. Each receives an Enterprise Provisioning profile that is installed on the devices they use. This provisioning profile expires annually, said De Atley.

The end result keeps Apple firmly in control over what's going on in apps running on its devices, a fact that enterprises may or may not find beneficial.

Apple's De Atley said the iOS architecture fosters the concept of a unique group of encryption-based controls for every device, and entitlements, which define a cryptographically determined way to decide what applications are allowed to access on each device, based on dynamic code-signing.

"It all adds up to mean software running on devices is all known to come from a particular location," he said.

For erasing data, Apple devices don't actually erase it but instead render it unobtainable because the necessary encryption key is erased. With what's called Effaceable Storage, when the user triggers the function remotely, the keys are erased along with that storage.
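The passcode entanglement, the keybag of class keys and the effaceable-storage erase described above, as an added illustrative model in Python (not Apple's code): the per-device UID, the salt, the iteration count, the "keybag-check" value and the XOR-based toy_wrap are constructed stand-ins for this example, and the 10-attempt wipe policy is modelled in the Device class.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 50_000  # assumed work factor; the real count is tuned to the device's speed

def passcode_key(passcode: str, uid: bytes) -> bytes:
    """Stretch the passcode, then entangle it with the device UID via HMAC.
    A guess can only be checked where the UID is, so there is no offline attack."""
    stretched = hashlib.pbkdf2_hmac("sha256", passcode.encode(), b"constructed-salt", ITERATIONS)
    return hmac.new(uid, stretched, hashlib.sha256).digest()

def toy_wrap(key: bytes, data: bytes) -> bytes:
    """Toy stand-in for AES key wrapping (XOR with an HMAC-SHA256 counter stream); symmetric, so it also unwraps."""
    blocks = (len(data) + 31) // 32
    stream = b"".join(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

class Device:
    """Models the keybag held in effaceable storage and the 10-failed-attempts wipe."""
    MAX_FAILURES = 10

    def __init__(self, passcode: str, class_keys: dict):
        self.uid = secrets.token_bytes(32)  # per-device secret, constructed here; never leaves the chip
        pk = passcode_key(passcode, self.uid)
        self.keybag = {"_check": hmac.new(pk, b"keybag-check", hashlib.sha256).digest()}
        for name, ck in class_keys.items():
            # the NoProtection class is not tied to the passcode at all
            self.keybag[name] = ck if name == "NoProtection" else toy_wrap(pk, ck)
        self.failures = 0

    def class_key(self, name: str, passcode: str) -> bytes:
        if self.keybag is None:
            raise RuntimeError("keybag erased: protected data is unrecoverable")
        if name == "NoProtection":
            return self.keybag[name]
        pk = passcode_key(passcode, self.uid)
        check = hmac.new(pk, b"keybag-check", hashlib.sha256).digest()
        if not hmac.compare_digest(check, self.keybag["_check"]):
            self.failures += 1
            if self.failures >= self.MAX_FAILURES:
                self.erase()  # automatic wipe after 10 failed passcode entries
            raise ValueError("wrong passcode")
        self.failures = 0
        return toy_wrap(pk, self.keybag[name])

    def erase(self) -> None:
        """Effaceable storage: destroy the small keybag, and the large data store dies with it."""
        self.keybag = None
```

Erasing the keybag takes one small write, yet every file under a protected class becomes unrecoverable, which is the point of keying the data rather than overwriting it.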

All this crypto processing can make performance and battery demands on a device, which is why Apple makes use of what it calls a suspended state for applications. "Applications are suspended by default, until the user hits another button," De Atley said. "It helps performance and battery life."

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: