Apple Platform Security
Activating data connections securely
On iPhone and iPad devices and Mac computers, if no data connection has been established recently, users must use Face ID, Touch ID, or a passcode to activate data connections through a Thunderbolt, USB, Lightning, Smart Connector, or (in macOS 13.3 or later) the SD Extended Capacity “SDXC” cards interface. This limits the attack surface against physically connected devices such as malicious chargers while still enabling usage of other accessories within reasonable time constraints.

If more than an hour has passed since the iPhone or iPad has locked or since an accessory’s data connection has been terminated, the device won’t allow any new data connections to be established until the device is unlocked. During this hour period, only data connections from accessories that have been previously connected to the device while in an unlocked state will be allowed. These accessories are remembered for 30 days after the last time they were connected. Attempts by an unknown accessory to open a data connection during this period will disable all accessory data connections over those connections until the device is unlocked again.

This hour period:
- Helps ensure that frequent users of connections to a Mac or PC, to accessories, or wired to CarPlay won’t need to enter their passcodes every time they attach their device
- Is necessary because the accessory ecosystem doesn’t provide a cryptographically reliable way to identify accessories before establishing a data connection
In addition, if it’s been more than 3 days since a data connection has been established with an accessory, the device will disallow new data connections immediately after it locks. This is to increase protection for users that don’t often make use of such accessories. These data connections are also disabled whenever the device is in a state where it requires a passcode to reenable biometric authentication.
The user can choose to reenable always-on data connections in Settings (setting up some assistive devices does this automatically).
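The rules above can be read as a small state machine. The following is an added example, not Apple's code: a simplified Python model in which the `Device` class and its field names are hypothetical. It assumes the 3-day rule is evaluated at lock time and that a connection accepted while locked does not refresh the 30-day memory.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional

GRACE = timedelta(hours=1)      # window after lock / last data disconnect
REMEMBER = timedelta(days=30)   # how long a trusted accessory is remembered
IDLE_LIMIT = timedelta(days=3)  # no accessory use for this long: no window

@dataclass
class Device:  # hypothetical model of the policy described in the text
    locked_at: Optional[datetime] = None         # None means unlocked
    last_established: Optional[datetime] = None  # last accessory data connection
    last_terminated: Optional[datetime] = None   # last accessory data disconnect
    known: Dict[str, datetime] = field(default_factory=dict)  # id -> last seen
    passcode_needed_for_biometrics: bool = False
    always_on: bool = False  # user re-enabled always-on data in Settings
    tripped: bool = False    # unknown accessory seen while locked

    def lock(self, now):
        self.locked_at = now

    def unlock(self, now):
        self.locked_at, self.tripped = None, False
        self.passcode_needed_for_biometrics = False

    def request_data(self, accessory, now):
        """Return True if a new data connection would be allowed."""
        if self.always_on or self.locked_at is None:
            return self._accept(accessory, now, remember=self.locked_at is None)
        if self.tripped or self.passcode_needed_for_biometrics:
            return False
        if (self.last_established is None
                or self.locked_at - self.last_established > IDLE_LIMIT):
            return False         # 3-day rule: blocked as soon as it locks
        start = max(self.locked_at, self.last_terminated or self.locked_at)
        if now - start > GRACE:
            return False         # hour window has expired
        seen = self.known.get(accessory)
        if seen is None or now - seen > REMEMBER:
            self.tripped = True  # unknown accessory: block all until unlock
            return False
        return self._accept(accessory, now, remember=False)

    def _accept(self, accessory, now, remember):
        self.last_established = now
        if remember:             # only trust accessories seen while unlocked
            self.known[accessory] = now
        return True
```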