We told you earlier this week that Apple would, for the first time, send one of its employees, platform security team manager Dallas De Atley, to speak at the Black Hat conference on iOS security. Unfortunately, while many hoped we would get an inside look at iOS security technologies, a wrap-up of the event from The New York Times described the talk as “the equivalent of reading aloud a white paper, timed to a PowerPoint deck, before escaping out a side door.” According to several reports, most of what was covered came from a recently published white paper.
As for what De Atley said:
“Our attitude is: security is architecture. It has to be built in from the very beginning,” Mr. De Atley said. In building the iPhone, he said, Apple took a bare-bones approach and sought to use the minimum number of components. Apple purposefully decided not to ship the phone with a shell, or support remote log-in access. “There’s an entire set of attack vectors we don’t have to fundamentally worry about on iOS,” he said.
Mr. De Atley highlighted a number of “sandboxing” technologies Apple had in place. “The goal is to physically isolate and separate processes from each other so that if one has a flaw, it can’t easily wreak havoc on the rest of the system.”
As examples, he noted that all third-party apps were stored in their own container on users’ devices. User data is kept partitioned from the device’s operating system so that any updates to the system do not affect the user’s personal data. He added that every single file created on the iPhone gets its own encryption key and is wrapped in the user’s passcode.
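The last point, a unique key per file that is in turn wrapped by a key derived from the user's passcode, is the classic envelope-encryption layout, and it is worth seeing why it matters: a passcode change only rewraps the small per-file keys and never touches the bulk ciphertext, and a wrong passcode fails closed at the unwrap step rather than producing garbage. The following is an added illustration written for this post; it is not Apple's code and does not reproduce iOS Data Protection (which also uses hardware-fused keys and per-class keys). To stay dependency-free it uses PBKDF2 for the passcode-derived key and an HMAC-based authenticated stream construction in place of AES; the `Device` class, file names and passcodes are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed example, not Apple's implementation: a toy model of "every file gets
# its own key, and that key is wrapped under a passcode-derived key".

PBKDF2_ITERATIONS = 100_000  # assumption for the demo; real systems tune this


def derive_kek(passcode: bytes, salt: bytes) -> bytes:
    """Key-encryption key derived from the user's passcode (stdlib PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", passcode, salt, PBKDF2_ITERATIONS, dklen=32)


def _subkeys(key: bytes):
    # Domain-separate the encryption PRF key from the MAC key.
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream built from HMAC-SHA256 (stand-in for AES-CTR in this demo).
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or tampered blob raises instead of decrypting."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Device:
    """Hypothetical device store: name -> (wrapped per-file key, file ciphertext)."""

    def __init__(self, passcode: bytes):
        self.salt = secrets.token_bytes(16)
        self.kek = derive_kek(passcode, self.salt)
        self.files = {}

    def write_file(self, name: str, data: bytes) -> None:
        file_key = secrets.token_bytes(32)            # fresh random key for this file only
        self.files[name] = (seal(self.kek, file_key),  # key wrapped under passcode-derived KEK
                            seal(file_key, data))      # bulk data encrypted under the file key

    def read_file(self, name: str, passcode: bytes) -> bytes:
        kek = derive_kek(passcode, self.salt)
        wrapped_key, ct = self.files[name]
        file_key = unseal(kek, wrapped_key)            # fails closed on a wrong passcode
        return unseal(file_key, ct)

    def change_passcode(self, old: bytes, new: bytes) -> None:
        old_kek = derive_kek(old, self.salt)
        self.salt = secrets.token_bytes(16)
        self.kek = derive_kek(new, self.salt)
        for name, (wrapped_key, ct) in self.files.items():
            file_key = unseal(old_kek, wrapped_key)
            # Only the small wrapper is rewritten; the file ciphertext is untouched.
            self.files[name] = (seal(self.kek, file_key), ct)


def demo() -> dict:
    """Exercise the model with constructed values and report what a practitioner checks."""
    dev = Device(b"1234")
    dev.write_file("notes.txt", b"meeting at 10")
    dev.write_file("photo.jpg", b"\xff\xd8\xff\xe0 fake jpeg bytes")
    ct_before = dev.files["notes.txt"][1]
    try:
        dev.read_file("notes.txt", b"0000")
        wrong_passcode_rejected = False
    except ValueError:
        wrong_passcode_rejected = True
    dev.change_passcode(b"1234", b"5678")
    return {
        "roundtrip": dev.read_file("notes.txt", b"5678") == b"meeting at 10",
        "distinct_file_keys": dev.files["notes.txt"][0] != dev.files["photo.jpg"][0],
        "wrong_passcode_rejected": wrong_passcode_rejected,
        "ciphertext_unchanged_after_rekey": dev.files["notes.txt"][1] == ct_before,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

The two properties to take away are visible in `change_passcode` and `read_file`: rewrapping is cheap because the KEK protects 32-byte keys rather than the files themselves, and because the wrapper is authenticated, a bad passcode produces a clean failure before any file data is touched.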