Defending iOS Data: iOS Security and Data Protection
Before we delve into management options we need time to understand the iOS security and data protection models. These are the controls built into the platform – many utilized in the various enterprise options we will discuss in this series. We are focused on data but will also cover iOS security basics, as they play an important role in data security, and for those of you who aren’t familiar with the specifics. The short version is that iOS is quite secure – far more secure than a general-purpose computer. The downside is that Apple supports only limited third-party security management options. Note: We are only discussing iOS 5 or later (as of this writing 5.1 is the current version of the iOS operating system – for iPhone, iPad, and iPod touch). We do not recommend supporting previous versions of the OS. Device and OS Security No computing device is ever completely secure, but iOS has an excellent track record. There has never been any widespread remote attack or malware used against (non-jailbroken) iOS devices, although we have seen proof of concept attacks and plenty of reported vulnerabilities. This is thanks to a series of anti-exploitation features built into the OS, some of which are tied to the hardware. Devices may be vulnerable to local exploitation if the attacker has physical access (using the same techniques as jailbreakers). This is increasingly difficult on newer iOS devices (the iPhone 4S and iPad 2, and later), and basic precautions can protect data even if you lose physical control. Let’s quickly review the built-in security controls. Operating System Hardening Five key features of iOS are designed to minimize the chances of successful exploitation, even if there is an unpatched vulnerability on the device: Data Execution Protection (DEP): DEP is an operating system security feature that marks memory locations as non-executable, which is then enforced by the CPU itself. This reduces the opportunity for successful memory corruption attacks. Address Space Layout Randomization (ASLR): ASLR randomizes the memory locations of system components to make it extremely difficult for an attacker to complete exploitation and run their own code, even if they do find and take advantage of a vulnerability. Randomizing the locations of system components makes it difficult for attackers to know exactly where to hook their code, in order to take over the system. Code Signing: All applications on iOS must be cryptographically signed. Better yet, they must be signed using an official Apple digital certificate,or an official enterprise certificate installed on the device for custom enterprise applications – more on this later. This prevents unsigned code from running on the device, including exploit code. Apple only signs applications sold through the App Store, minimizing the danger of malicious apps. Sandboxing: All applications are highly compartmentalized from each other, with no central document/file store. Applications can’t influence each other’s behavior or access shared data unless both applications explicitly allow and support such communication. The App Store: For consumers, only applications distributed by Apple through the App Store can be installed on iOS. Enterprises can develop and distribute custom applications, but this uses a model similar to the App Store, and such applications only work on devices with the corresponding enterprise digital certificate installed. All App Store apps undergo code review by Apple – this isn’t perfect but dramatically reduces the chance of malicious applications ending up on a device. There are, of course, techniques to circumvent DEP and ASLR, but it is extremely difficult to circumvent a proper implementation of them working together. Throw in code signing and additional software and hardware security beyond the scope of our discussion, and iOS is very difficult to exploit. Again, it isn’t impossible, and we have seen exploits (especially local attacks such as tethered jailbreaks), but their rarity, in light of the popularity of these devices, makes clear that these security controls work well enough to thwart widespread attacks. Specifically, we have yet to see any malware spread among un-jailbroken iPhones or iPads. Security Features In addition to its inherent security controls, iOS also includes some basic security features that users can either configure themselves or employers can manage through policies: Device PIN or Passcode: The most basic security for any device, iOS supports either a simple 4-digit PIN or full (longer) alphanumeric passphrases. Either way, they tie into the data protection and device wipe features. Passcode Wipe: When a PIN or passphrase is set, if the code is entered incorrectly enough many times the device erases all user data (this is tied to encryption features discussed in the next section). Remote Wipe: iOS supports remote wipe commands via Find My iPhone and through Exchange ActiveSync. Of course the device must be accessible across the Internet to execute the wipe remotely. Geolocation: The device’s physical location can be tracked using location services, which are part of Find My iPhone and can be incorporated into third-party applications. VPN and on-demand VPN: Virtual private networks can be activated manually or automatically when the device accesses any network service. (Not all VPNs support on-demand connection and this is VPN-provider specific). Configuration Profiles: Many of the security features, especially those used in enterprise environments, can be managed using profiles installed on the device. These include options far beyond those available to consumers configuring iOS personally, such as restricting which applications and activities the user can access on the phone or tablet. These are the core features we will build on as we start discussing enterprise management options. But iOS also includes data protection features that are the cornerstone of most iOS data security strategies. Data Protection Although it was nearly impossible to protect data on early iPhones, modern devices use a combination of hardware and software to provide data security: Hardware Encryption: The iPhone 3GS and later, and all iPads, support built-in hardware encryption. All user data can be automatically encrypted in hardware at all times. This is used primarily for wiping the device, rather than to stop attacks. Rather than slowly erasing the entire flash storage, wiping works by immediately destroying the encryption key, which makes user data