Chapter 6 Security 56
Mandatory code signing
All apps from the App Store must be signed. The apps provided with Apple devices are signed
by Apple. Third-party apps are signed by the developer, using an Apple-issued certicate. This
ensures that apps haven’t been tampered with or altered. Runtime checks are made to ensure
that an app hasn’t become untrusted since it was last used.
You can control the use of custom in-house apps with a provisioning prole. Users must have the
provisioning prole installed to start the app. Provisioning proles can be installed over the air
via MDM. You can also restrict the use of an app to specic devices.
Secure authentication framework
iOS and OS X provide a secure, encrypted keychain for storing digital identities, user names,
and passwords. Keychain data is partitioned and protected with Access Control Lists (ACLs), so
credentials stored by third-party apps can’t be accessed by apps with a dierent identity unless
the user explicitly approves them. This provides the mechanism for securing authentication
credentials on Apple devices across a range of apps and services within your organization.
Common Crypto architecture
App developers can use encryption APIs to protect their app data. Data can be symmetrically
encrypted using proven methods such as AES, RC4, or 3DES. iOS devices and current Intel Mac
computers also provide hardware acceleration for AES encryption and SHA1 hashing, maximizing
app performance.
App data protection
Apps can also take advantage of the built-in hardware encryption on iOS devices to further
protect sensitive app data. Developers can designate specic les for data protection, instructing
the system to make the contents of the le cryptographically inaccessible to both the app and
any potential intruders when the device is locked.
App entitlements
By default, an iOS device app has very limited privileges. Developers must explicitly add
entitlements to use most features, such as iCloud, background processing, or shared keychains.
This ensures that apps can’t grant themselves data access they weren’t deployed with. iOS apps
must ask for explicit user permission before using many iOS features, such as GPS location, user
contacts, the camera, and stored photos.
Single Sign-On and Touch ID
Developers can take advantage of Single Sign-On and Touch ID to provide secure, seamless
authentication integration between dierent apps and permit authentication using Touch ID.
For more information, see Congure Single Sign-On and Touch ID.
100% resize factor
