9. IOS - Control Questions Flashcards
● How does secure boot work in iOS?
○ Secure boot chain:
■ Read only Boot Rom (hardware root of trust, Apple Root CA key)
■ LLB: Low Level Bootloader
■ iBoot
■ iOS Kernel
○ Lowest levels of software are not tampered with
○ iOS runs only on validated Apple devices
○ Secure Enclave coprocessor: separate secure boot
○ If load fails: recovery or DFU mode
● What is the purpose of the Secure Enclave coprocessor?
○ Secure Enclave
■ A7 or later: security coprocessor
■ Hardware random number generator
■ Isolated communication with the application processor
■ Uses only encrypted memory (ephemeral key is derived from the UID of the Secure Enclave)
● How is user data security and privacy solved?
○ Dedicated AES 256 engine in the DMA path
○ Key: UID of the engine fused during fabrication, not available through any API or JTAG
○ Data is cryptographically tied to the device: if the memory chip is switched, decryption will fail
○ System random number generator
■ Timing during boot
■ Interrupt timings after boot
○ Secure Enclave
■ True hardware random: multiple ring oscillators
○ All cryptographic modules in iOS: FIPS 140-2 Level 1
○ File Data Protection
■ Per-file keys: 256 bit AES keys
■ File system key: generated at iOS install, constant for all files
■
○ Data Protection classes
■ Complete Protection
■ Protected Unless Open
■ Protected Until First User Authentication
■ No Protection
● What are the basic measures of Application security in iOS?
○ Signed, Verified and Sandboxed applications
○ Code signing
■ All executable code must be signed with Apple-issued certificate
■ Extends the concept of chain of trust
■ Prevents the load of external code or self-modifying code
■ Apps can be traced back to developers
■ In-house app development with Provisioning Profiles (enterprise apps)
■ Code signature checks at runtime as well
○ Runtime process security
■ Third party apps are sandboxed
■ Unique random home directory for every app (assigned at install)
■ Access to any other information is only possible through iOS services
■ OS partition is read-only
■ Majority of iOS, as well as third party apps run as non-privileged user
● Runtime process security
○ Apps on writable AND executable memory pages are controlled tighter: Apple-only dynamic code-signing entitlement
■ Only for Safari JIT JavaScript complier
○ ARM’s Execute Never (XN) protection on pages
○ Custom keyboards
■ Enabled by the user for the entire system
■ Any text field, except: Passcode, secure text
■ Restricted sandbox: no network access
■ Default sandbox can be requested
● How does secure communication through iMessage work?
○ Two-step verification
○ iMessage
■ End-to-end encryption
■ Apple doesn’t log messages or attachments
■ Signaling through Apple Push Notification (APN) service
■ Messages are deleted from APNs when delivered
■ Messages for offline devices are queued for up to 7 days
● What are the device control options in iOS?
○ Passcode protection
■ Protected against brute-force attacks
○ Remote wipe
■ Instant remote wipe
● Discards the block storage encryption key from Effaceable Storage, rendering all data unreadable
■ Users can also wipe devices in their possession using the Settings app
○ Find My iPhone and Activation Lock
■ The device can’t be reactivated without entering the owner’s Apple ID
