Apple Platform Security

Protecting user data in the face of attack
Attackers attempting to extract user data often try a number of techniques: extracting the encrypted data to another medium for brute-force attack, manipulating the operating system version, or otherwise changing or weakening the security policy of the device to facilitate attack. Attacking data on a device often requires communicating with the device using physical interfaces like Lightning or USB. Apple devices include features to help prevent such attacks.
Apple devices support a technology called Sealed Key Protection (SKP), which ensures that cryptographic material is rendered unavailable off device, or when the operating system version or security settings are manipulated without appropriate user authorization. This feature is not provided by the Secure Enclave; instead, it is supported by hardware registers that exist at a lower layer, providing an additional layer of protection, independent of the Secure Enclave, for the keys necessary to decrypt user data.
Note: SKP is available only on devices with an Apple-designed SoC.
Feature | A10 | A11, S3 | A12, S4 | A13, S5 | A14, M1, S6
---|---|---|---|---|---
Sealed Key Protection | | | | |
iPhone and iPad can also be configured to only activate data connections in conditions more likely to indicate the device is still under the physical control of the authorized owner.