approved source and have not been tampered with, iOS requires that all executable code
be signed using an Apple-issued certificate."
Sandboxing
Sandboxing mitigates post-code-execution exploitation by placing the application in
a tightly restricted area. Applications installed on an iOS device are sandboxed, and one
application cannot access the data stored by another application.
Encryption
On iOS devices, the entire file system is encrypted with a file system key, which is
computed from the device's unique hardware key.
Data protection
Data protection is designed to protect data at rest and to make offline attacks difficult. It
allows applications to leverage the user's device passcode in concert with the device
hardware encryption to generate a strong encryption key. That key is then used to
encrypt the data stored on the disk. This key prevents data from being accessed
when the device is locked, ensuring that critical information is secured even if the device
is compromised.
Address Space Layout Randomization
Address Space Layout Randomization (ASLR) is an exploit mitigation technique
introduced with iOS 4.3. ASLR randomizes the location of application objects in memory,
making memory corruption vulnerabilities difficult to exploit.
Privilege separation
iOS follows the principle of least privilege. It has two user roles: root and mobile.
The most important processes in the system run with root user privileges. All other
applications that the user has direct access to, such as the browser and third-party
applications, run with mobile user privileges.
Stack smashing protection
Stack smashing protection is an exploit mitigation technique. It protects against buffer
overflow attacks by placing a random and known value (called a stack canary) between a
buffer and control data on the stack.
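The canary check described above, simulated on a flat byte array as an added example (not code from the book or from iOS). The frame layout, the canary constant, the return address and all function names are constructed for illustration; a real compiler emits the equivalent prologue and epilogue checks itself.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed frame layout for illustration (not the real iOS/ARM layout):
   bytes 0-15 local buffer, 16-23 canary, 24-31 saved return address. */
enum { BUF_LEN = 16, CANARY_OFF = 16, RET_OFF = 24, FRAME_LEN = 32 };

typedef struct { unsigned char bytes[FRAME_LEN]; } sim_frame;

/* Function prologue: store the canary between the buffer and the control data. */
static void frame_enter(sim_frame *f, uint64_t canary, uint64_t ret_addr) {
    memset(f->bytes, 0, FRAME_LEN);
    memcpy(f->bytes + CANARY_OFF, &canary, sizeof canary);
    memcpy(f->bytes + RET_OFF, &ret_addr, sizeof ret_addr);
}

/* Deliberately unchecked copy into the local buffer: it ignores BUF_LEN.
   The length is clamped to FRAME_LEN only so the simulation stays in bounds. */
static void unchecked_copy(sim_frame *f, const unsigned char *src, size_t n) {
    if (n > FRAME_LEN) n = FRAME_LEN;
    memcpy(f->bytes, src, n);
}

/* Function epilogue: compare the stored canary with the reference value
   before the saved return address is used. Returns 1 if intact. */
static int frame_canary_intact(const sim_frame *f, uint64_t canary) {
    return memcmp(f->bytes + CANARY_OFF, &canary, sizeof canary) == 0;
}

/* Runs one simulated call; returns 1 if stack smashing was detected
   (a real runtime aborts the process at this point), 0 on a clean return. */
int simulate_call(const unsigned char *input, size_t n, uint64_t canary) {
    sim_frame f;
    frame_enter(&f, canary, 0x1000abcdULL);  /* constructed return address */
    unchecked_copy(&f, input, n);
    return frame_canary_intact(&f, canary) ? 0 : 1;
}

int main(void) {
    /* Constructed value; a real runtime picks a random canary at process start. */
    const uint64_t canary = 0x5af3c0de9b17e244ULL;
    unsigned char input[FRAME_LEN];
    memset(input, 'A', sizeof input);
    const size_t lengths[] = { 8, BUF_LEN, BUF_LEN + 1, FRAME_LEN };
    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++)
        printf("%2zu bytes -> %s\n", lengths[i],
               simulate_call(input, lengths[i], canary) ? "smash detected" : "clean return");
    return 0;
}
```

A write that fills the buffer exactly leaves the canary untouched; a single byte past the buffer already changes it, so the corruption is caught before the saved return address would be used.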