Apple is a notoriously tight-lipped and insular organization, a tendency that has often put it at odds with the security research community. The company is typically secretive on the technical details of how its products and security features work. So the resource that security researchers say they have come to rely on most for bread crumbs is Apple's annual Platform Security Guide, the new edition of which launched today. It provides the most comprehensive and technical look at Apple's safeguards yet—including the first documentation of Apple's new M1 chips.
Apple first offered the guide a decade ago as a very short writeup at the dawn of the iPhone era. It would later evolve into an “iOS Security Guide” focused exclusively on mobile, before expanding to encompass macOS in 2019. It details security features like Touch ID and Face ID, Apple's secure enclave, and secure boot, so that software developers and security researchers can understand more about how those features work and interact with each other. Over the years, the company says it has tried to balance readability for a wide audience with usefulness to those with deeper technical knowledge. This year, it packs in more information than ever about features both new and old.
“I am constantly referring to that guide, and have been for years,” says Sarah Edwards, a longtime Apple security researcher. “I use it for all aspects of my research, my day job, my teaching gig, everything. About once a year or so I sit down with it on my iPad and read it page by page to see what I might have missed before or what happens to 'click' when I review it again after learning something through my research.”
This year's edition contains significantly expanded information about hardware like M1, new details about the secure enclave, and an accounting of a host of software features.
Researchers and hackers alike glean a lot through reverse engineering, the process of determining how something is built by examining the finished product. Apple's secrecy about its internals amounts to "security through obscurity," which helps keep attackers at bay to a degree, but by releasing the Platform Security Guide, Apple can help its customers take advantage of its defensive features while also providing guideposts for security researchers, in hopes that they can find vulnerabilities before the bad guys do.
“Everything can be reverse engineered. That’s a lot of fun, at least for me,” says Will Strafach, a longtime iOS researcher and creator of the Guardian Firewall app for iOS. “But having a verbose and well-detailed authoritative document from Apple is helpful, as it allows folks to know the intentions and limitations associated with certain security capabilities. Apple always does a great job with it, even if it doesn’t dive too deeply in the weeds.”
Researchers say they always have some “wish list” items that they want Apple to include in future guides. Strafach wants to know more about how M1 chips securely handle booting other operating systems, always a question for jailbreakers when Apple releases new processors. And he is curious about Apple's iOS 14 enhancements that were meant to negate a ubiquitous jailbreak exploit but can be circumvented in some cases.
Researchers each have specific, even esoteric hopes and dreams for new guides based on their specialities. Patrick Wardle, an independent Apple security researcher, said he was hoping to see more details on Apple's own antivirus and malware detection tools, something the company added in today's report. He still hopes to get more insight, though, into how to control some macOS features more granularly.
“The guide is largely aimed at helping organizations that deploy Apple devices do so in a secure manner,” Wardle says. “And while the information provided by Apple is often quite helpful, I wish they would be more focused on practical advice for using their security components to lock systems down.”
The Platform Security Guide has grown steadily over the past decade, now weighing in at almost 200 pages. This slow progress reflects Apple's deep-seated reluctance to open up to security researchers. Until 2016, the company didn't even offer a bug bounty program to incentivize researchers to disclose vulnerabilities they discovered in Apple products. In 2019 it announced it would distribute special, less restricted iPhones to a handful of security researchers—and they finally started shipping at the very end of 2020.
For cryptographers at Johns Hopkins University who recently conducted an extensive analysis of the various encryption states in iOS and Android, the Platform Security Guide and historic iOS guides have been vital to understanding how everything fit together. “The guides were a really useful resource,” says Maximilian Zinkus, a PhD student at Johns Hopkins who led the analysis of iOS. Apple doesn't keep a central archive of the documents, but Zinkus and his colleagues compiled them back to 2012 from third parties.
Zinkus says that while the change log at the end of each report is helpful for figuring out what information has been updated from edition to edition, it would be more useful if Apple documented changes with footnotes throughout. And including technical explanations for changes would help researchers understand certain decisions. For example, in the February 2014 iOS Security Guide, Apple listed location data as being in a special, extra-sensitive data category requiring very strong encryption. But in another version from October 2014 the paragraph mentioning that requirement was gone. “Those subtle changes can be worrying—that was definitely a surprise to see,” Zinkus says.
As researchers begin to dig into the new report, they emphasize that more information is always better. But when it comes to proprietary platforms and systems, they're always going to have their wish list of what else they would want to know to help find more vulnerabilities before bad actors do—and propose ever stronger defenses in return.