Apple Platform Security
- Welcome
- Intro to Apple platform security
-
- Encryption and Data Protection overview
- Passcodes and passwords
-
- Data Protection overview
- Data Protection
- Data Protection classes
- Keybags for Data Protection
- Protecting keys in alternative boot modes
- Protecting user data in the face of attack
- Sealed Key Protection (SKP)
- Activating data connections securely in iOS and iPadOS
- Role of Apple File System
- Keychain data protection
- Digital signing and encryption
-
- Services security overview
-
- Apple Pay security overview
- Apple Pay component security
- How Apple Pay keeps users’ purchases protected
- Payment authorisation with Apple Pay
- Paying with cards using Apple Pay
- Contactless passes in Apple Pay
- Rendering cards unusable with Apple Pay
- Apple Card security
- Apple Cash security
- Tap to Pay on iPhone
- Secure Apple Messages for Business
- FaceTime security
- Glossary
- Document revision history
- Copyright
Encryption and Data Protection overview
The secure boot chain, system security and app security capabilities all help to verify that only trusted code and apps run on a device. Apple devices have additional encryption features to safeguard user data even when other parts of the security infrastructure have been compromised (for example, if a device is lost or is running untrusted code). All these features benefit both users and IT administrators, protecting personal and corporate information and providing methods for instant and complete remote wipe in the case of device theft or loss.
iOS and iPadOS devices use a file encryption methodology called Data Protection, whereas the data on an Intel-based Mac is protected with a volume encryption technology called FileVault. A Mac with Apple silicon uses a hybrid model that supports Data Protection, with two caveats: The lowest protection level (Class D) isn’t supported, and the default level (Class C) uses a volume key and acts just like the FileVault on an Intel-based Mac. In all cases, key management hierarchies are rooted in the dedicated silicon of the Secure Enclave, and a dedicated AES Engine supports line-speed encryption and helps ensure that long-lived encryption keys aren’t exposed to the kernel operating system or CPU (where they might be compromised). (An Intel-based Mac with a T1 or lacking a Secure Enclave doesn’t use dedicated silicon to protect its FileVault encryption keys.)
Besides using Data Protection and FileVault to help prevent unauthorised access to data, Apple uses operating system kernels to enforce protection and security. The kernel uses access controls to sandbox apps (which restricts what data an app can access) and a mechanism called a Data Vault (which rather than restricting the calls an app can make, restricts access to the data of an app from all other requesting apps).