According to internal time stamps in the document, which is simply titled “iOS Security”, Apple quietly created it late last week. The document isn’t a hardening guide, along the lines of what the Defence Signals Directorate (DSD) has developed (PDF), but rather an outline of all the security-related features that iOS possesses, covering much of the Security Introduction document that the company had released in March.
One reason Apple may not have seen it as necessary to recommend any further security precautions is that it may consider the operating system secure enough.
It states in the document:
“The combination of required code signing, sandboxing and entitlements in apps provides solid protection against viruses, malware and other exploits that compromise the security of other platforms. The App Store submission process works to further protect users from these risks by reviewing every app before it’s made available for sale.”
The document goes on to say that concerned businesses should check whether they are really using all of iOS’ security features:
“Businesses are encouraged to review their IT and security policies to ensure they are taking full advantage of the layers of security technology and features offered by the iOS platform.”
These features include built-in support for mobile device management, configuration enforcement, file data protection and application signing. The document also goes into some depth on the security features that are in place, including how iOS prevents brute-force guessing of passcodes, compromise of the device during the boot-up process, and modification of memory through buffer overflow exploits.
The document will certainly educate businesses on what the devices are capable of doing, from a security standpoint. But the fact that Apple has previously cooperated with DSD to develop a hardening guide for government use indicates that there are further steps and recommendations users could consider to secure the operating system. The lack of hardening recommendations remains consistent with the company’s previous silence on security matters.
The last Apple-issued hardening guide, the much more comprehensive Mac OS X Security Configuration guide for 10.6 Snow Leopard, was released about two years ago. Since that time, the company has released 10.7 Lion and announced 10.8 Mountain Lion, without any associated security configuration guides.
What this most recent document does show, however, is that Apple is definitely considering corporate users when it comes to security, contrary to the belief held by many that Apple has created its devices only for the consumer market.
After all, the document states that “Apple is committed to incorporating proven encryption methods and creating modern mobile-centric privacy and security technologies, to ensure that iOS devices can be used with confidence in any personal or corporate environment”.