
Apple publishes in-depth M1, Mac, and iOS security guide


Apple has published its annual Apple Platform Security Guide, which includes updated details concerning the security of all its platforms, including the new M1 and A14 chips inside Apple Silicon Macs and current iPhones, respectively.

The first look inside M1 Mac security

The extensive 196-page report explains how Apple continues to develop its core security models along the premise of mutually distrusting security domains. The idea here is that each element in the security chain is independent, gathers little user information, and is built with a zero-trust model that helps boost security resilience.

The report explores hardware, biometrics, system, app, network, and services security. It also explains how Apple’s security models protect encryption and data and looks at secure device management tools.

For most Apple users, particularly in the enterprise, it’s what the guide reveals concerning the M1 chips and the security of Macs running them that may be of most interest, as the guide provides the deepest dive yet on this topic.

It confirms that Macs running the M1 chip now support the same degree of robust security you find in iOS devices, which means things like Kernel Integrity Protection, Fast Permission Restrictions (which help mitigate web-based or runtime attacks), System Coprocessor Integrity Protection, and Pointer Authentication Codes.

You also get a series of data protections and a built-in Secure Enclave.

All of these are designed to help prevent common attacks, such as those that target memory or use JavaScript on the web. Apple claims its protections will blunt attacks of this nature even when they succeed in running code: “Even if attacker code somehow executes, the damage it can do is dramatically reduced,” the report says.

Apple Silicon Boot modes

The guide provides a deeper look into how M1 Macs boot, including information on boot processes and modes (described as “very like” those of an iPhone or iPad) and start-up disk security policy controls. On the latter it explains:

“Unlike security policies on an Intel-based Mac, security policies on a Mac with Apple silicon are for each installed operating system. This means that multiple installed macOS instances with different versions and security policies are supported on the same machine.”

The guide explains how to access the available boot modes for Macs running Apple silicon:

  • macOS, the standard mode, launches when you switch on your Mac.
  • recoveryOS: From shutdown, press and hold the power button to access this.
  • Fallback recoveryOS: From shutdown, double-press and hold the power button. This launches a second copy of recoveryOS.
  • Safe mode: From shutdown, press and hold the power button to enter recoveryOS, then hold Shift while selecting the start-up volume.

A slight change in biometrics

Another change in the A14/M1 processor is in how the Secure Neural Engine used for Face ID works. This function was formerly integrated in the Secure Enclave, but now becomes a secure mode in the Neural Engine on the processor. A dedicated hardware security controller switches between Application Processor and Secure Enclave tasks, resetting the Neural Engine state on each transition to keep Face ID data secure.

The report also makes clear that Face ID and Touch ID are layers on top of passcode-based protection, not a replacement for it. That is why you must enter your passcode to erase or update your system, to change passcode settings, to unlock the Security pane on a Mac, when you haven’t unlocked your device for more than 48 hours, and at other times.

The report once again concedes that the probability a random person in the population could unlock a user’s device is 1 in 50,000 with Touch ID or 1 in 1 million with Face ID, noting that this probability rises in proportion to the number of fingerprints you enroll.

What is Sealed Key Protection?

One security feature enterprises may want to explore closely is called Sealed Key Protection. This is only available on Apple’s chips and aims to mitigate attacks in which encrypted data is extracted from the device for off-device brute-force attempts, as well as attacks made against the OS and/or its security policies.

The idea is that user data is rendered unavailable off the device in the absence of appropriate user authorization.

This may help protect against some data exfiltration attempts and works independently of the Secure Enclave. This isn’t especially new; it has been available since the iPhone 7 and its A10 chip, but is now available to M1 Macs for the first time.
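To make the idea behind Sealed Key Protection concrete, here is a small model, added here and not drawn from Apple’s guide or its implementation: a data-protection key is wrapped under a key that depends on both the user’s passcode and a device-unique secret that never leaves the hardware, and the unlock policy (attempt limiting) lives with that secret rather than in the OS. Apple uses a Secure Enclave and AES key wrapping; this toy replaces the enclave with a Python class, the hardware UID with a random byte string, AES with a SHA-256 keystream plus HMAC, and the attempt policy with a counter. All names (SealedKeyStore, derive_unlock_key, attempt_offline) are hypothetical.

```python
"""Toy model of sealing a data-protection key to a device secret plus a passcode.

Constructed illustration only: the UID, the wrap scheme and the attempt limit are
stand-ins for the Secure Enclave's real mechanisms, chosen so the example runs
offline with the standard library.
"""
import hashlib
import hmac
import secrets
from typing import Optional

ITERATIONS = 100_000  # PBKDF2 work factor (toy value, not Apple's)


def derive_unlock_key(device_uid: bytes, passcode: str, salt: bytes) -> bytes:
    """Stretch the passcode, then bind the result to the device-unique secret.

    Without device_uid the passcode alone cannot reproduce this key, which is
    what makes an extracted blob useless off the device.
    """
    stretched = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, ITERATIONS)
    return hmac.new(device_uid, stretched, hashlib.sha256).digest()


def _keystream(unlock_key: bytes) -> bytes:
    # 32-byte keystream derived from the unlock key (stand-in for an AES key wrap)
    return hashlib.sha256(b"wrap-stream" + unlock_key).digest()


def wrap_key(unlock_key: bytes, class_key: bytes) -> bytes:
    """Encrypt-then-MAC a 32-byte class key under the unlock key."""
    assert len(class_key) == 32
    ciphertext = bytes(a ^ b for a, b in zip(class_key, _keystream(unlock_key)))
    tag = hmac.new(unlock_key, ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


def unwrap_key(unlock_key: bytes, wrapped: bytes) -> Optional[bytes]:
    """Return the class key, or None if the tag does not verify (wrong key)."""
    ciphertext, tag = wrapped[:32], wrapped[32:]
    expected = hmac.new(unlock_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(unlock_key)))


class SealedKeyStore:
    """Models the enclave side: the UID never leaves, and guesses are rate limited here,
    not by the (possibly compromised) operating system."""

    MAX_ATTEMPTS = 5  # toy policy; the real policy uses escalating delays

    def __init__(self, passcode: str) -> None:
        self._uid = secrets.token_bytes(32)       # fused hardware secret, never exported
        self.salt = secrets.token_bytes(16)
        self.class_key = secrets.token_bytes(32)  # kept here only so the demo can check results
        unlock_key = derive_unlock_key(self._uid, passcode, self.salt)
        self.wrapped = wrap_key(unlock_key, self.class_key)  # this blob is what sits on disk
        self.failed = 0

    def unlock(self, passcode: str) -> Optional[bytes]:
        """Unwrap the class key for a passcode, enforcing the attempt limit."""
        if self.failed >= self.MAX_ATTEMPTS:
            return None  # locked: further guesses are refused regardless of correctness
        key = unwrap_key(derive_unlock_key(self._uid, passcode, self.salt), self.wrapped)
        if key is None:
            self.failed += 1
        else:
            self.failed = 0
        return key


def attempt_offline(wrapped: bytes, salt: bytes, passcode: str, guessed_uid: bytes) -> Optional[bytes]:
    """What an extracted blob yields off-device: each guess needs the real UID,
    so even the correct passcode verifies nothing without it."""
    return unwrap_key(derive_unlock_key(guessed_uid, passcode, salt), wrapped)


if __name__ == "__main__":
    store = SealedKeyStore("1234")
    print("on-device, right passcode:", store.unlock("1234") == store.class_key)
    print("on-device, wrong passcode:", store.unlock("0000"))
    print("off-device, right passcode, no UID:",
          attempt_offline(store.wrapped, store.salt, "1234", b"\x00" * 32))
```

The two things to notice are that `attempt_offline` returns None even with the correct passcode, because the HMAC tag can only be checked with the device secret, and that `SealedKeyStore.unlock` stops answering after the attempt limit no matter what the caller supplies, which is the property that survives a compromised OS.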

There’s a great deal more to peruse in the full report, which you can explore here. (Apple is expected to revise its Platform Security website pages to reflect the new report.) The report is recommended reading for any enterprise user concerned for Apple device security.

Please follow me on Twitter, or join me at the AppleHolic’s bar & grill on MeWe.

Copyright © 2021 Softwaretoolapps, Inc.
