Apple Platform Security

Protecting user data in the face of attack
Attackers attempting to extract user data often try a number of techniques: extracting the encrypted data to another medium for brute-force attack, manipulating the operating system version, or otherwise changing or weakening the security policy of the device to facilitate attack. Attacking data on a device often requires communicating with the device using physical interfaces like Lightning or USB. Apple devices include features to help prevent such attacks.
Apple devices support a technology called Sealed Key Protection (SKP) that’s designed to ensure that cryptographic material is rendered unavailable off device, or if manipulations are made to operating system versions or security settings without appropriate user authorization. This feature is not provided by the Secure Enclave; instead, it’s supported by hardware registers that exist at a lower layer in order to provide an additional layer of protection to the keys necessary to decrypt user data independent of the Secure Enclave.
Note: SKP is available only on devices with an Apple-designed SoC.
Feature | A10 | A11, S3 | A12, S4 | A13, S5 | A14, A15, S6, S7, M1 Family |
---|---|---|---|---|---|
Sealed Key Protection |
iPhone and iPad can also be configured to only activate data connections in conditions more likely to indicate the device is still under the physical control of the authorized owner.