Submitted by matt_eaton
on Sun, 02/18/2018 - 01:17 PM
In an effort to always keep myself informed and up to date with the latest network security enhancements for iOS and macOS I downloaded and read through the Apple White Paper, entitled iOS Security Guide, January 2018. This security guide itemizes all of the latest security standards and enhancements Apple has put out for development and info security teams to reference when making decisions about how to design their applications. Reading through this document I can recognize many notable sections, but the section that peaks my interest the most, and the reason I wanted to write this article, is to discuss my thoughts on the network security section. Specifically, topics such as App Transport Security, VPN, and Wi-Fi and Wi-Fi Password Sharing. So let's jump right in!
OS Level and App Transport Security
My first take-away is that Apple has designed the iOS operating system with a goal in mind to reduce networking points of attack on the kernel and to user data. This means that the os-partition that contains the Darwin Core and other iOS components is specifically stripped down and does not contain certain networking modules that need to be guarded against that may be found on a BSD, macOS, or a Linux image. For example, when loading up macOS you will find Apache and ssh modules right out of the box. These elements have been removed from iOS, this reducing the attack surface area.
In a recent article I mentioned that Apple was providing a preview of TLS 1.3 on their platform. Since TLS 1.3 is still in draft I would imagine it cannot be fully adopted by iOS yet and this may explain why the 1.3 Draft was not mentioned at all in the section that lists supported versions of TLS. One thing that was mentioned is that CFNetwork and one of it's upstream counterparts, WebKit, no longer support SSLv3 connections to prevent a user from exposing themselves to a possible Poodle attacks or any other vulnerabilities with that have been exposed with SSLv3.
One last notable item that was mentioned is that servers that iOS applications connect to are required to supported TLS 1.2 using the SHA-2 family of certificates with a 2048-bit RSA key. Thus enforcing stricter requirements for App Transport Security when using APIs like URLSession to open a network connection. For example the following example below would need to adhere to there App Transport requirements:
let url = "https://my.url/api/v1/get/articles" let urlConfiguration = URLSessionConfiguration.default guard let requestURL = URL(string: url) else { print("Handle URL optional issue here") return } var urlRequest = URLRequest(url: requestURL) urlRequest.httpMethod = "GET" let urlSession = URLSession(configuration: urlConfiguration) let dataTask = urlSession.dataTask(with: urlRequest, completionHandler: { (data, response, error) in ... }) dataTask.resume()
VPN
Having investigated and troubleshot iOS VPNs many times throughout my career I find the support for SSL VPNs very interesting. Not specifically for any network security reasons, but for the potential overhead that utilizing a 3rd party VPN can incur on the final connection speed. For example, utilizing a SSL 3rd party VPN means that the os has to recognize every time a secure connection needs to be opened. Once the os recognizes this, the 3rd party VPN provider needs to call down to the kernel to open the connection on behave of the application so that packets securely can be routed through this connection when the developer application needs access private network resources on the other end.
The other side to that coin is that a connection can be opened at the os level using the native iOS VPN and that the developer application can route packets through this connection saving the overhead of using the 3rd party app to open that connection on behalf of the developer. Not a bad option but when dealing with many SSL connections a lot of TLS overhead can be incurred by making this round trip from the os, to the 3rd party VPN, and to the kernel to open the connection.
Wi-Fi and Wi-Fi Password Sharing
One very interesting takeaway that I observed while reading through the Wi-Fi section was that the device hardware must have been updated a few years back for the iPhone 6 and iPad Air 2 to get new Wi-Fi Antennas. The reason I say this is because starting at these devices there is support for unicast and multicast frame protection. Another very cool feature in the iPhone 6 and later is that it will never broadcast the name of a hidden Wi-Fi network when the iPhone is looking to connect to it. Thus reducing the risk of other devices that may be listening in from picking this hidden network as well.
Wi-Fi password sharing is another interesting feature I noticed and something that was very interesting because I had never known until now how Apple's devices shared Wi-Fi passwords with one another. I was aware that the distribution mechanism was a PAN Bluetooth connection, but I was unaware how the devices communicated for this information. For example, if I purchase a new Apple Watch and run through the setup I will be asked to have my phone present during the setup. The first reason I am assuming is for various configuration reasons, but now I know too that my Apple Watch is asking my iPhone for the encrypted Wi-Fi passwords to known networks the iPhone hold on to. As described in the white paper, my Watch will recognize that it needs the password to a network and open up a Bluetooth advertisement for any Apple devices (my iPhone) that may be listening to get the password. Very interesting.
In Summary ⌛️
In summary I think Apple has a lot on their plate when it comes to networking and network security. I think that these network security requirements are spelled out in this white paper without going into full detail on what Apple is exactly up against. In a nutshell, I think that Apple's user base has grown so large and now requires so many forms of legacy, device, and secure integration that they must address a wide range of protocol and device support adequately run ecosystem. The specific items I listed out, App Transport, VPN, and Wi-Fi security are not only examples of interesting take ways by myself but, also nice examples of the diversity in Apple's ecosystem that require support. Will be interesting to see what other announcements are made at this year's WWDC. Looking forward to it.
Thank you for reading and as always, if you have any questions, comments, or concerns, please leave a comment and I will get back to you as soon as possible.
References:
iOS Security Guide—White Paper | January 2018
https://www.apple.com/business/docs/iOS_Security_Guide.pdf
iOS: Supported Bluetooth profiles
https://support.apple.com/en-us/HT204387
Member for
3 years 9 monthsLong time mobile team lead with a love for network engineering, security, IoT, oss, writing, wireless, and mobile. Avid runner and determined health nut living in the greater Chicagoland area.
Comments
887 Hellow!
Hellow my name is MartinRok. Very capable article! Thx :)