这其中itune扮演了很屌的角色!安装或者更新时, iTunes (如果你是wifi甚至你不差钱通过3G那就是设备了) 会连接到 Apple installation authorization server (gs.apple.com) ,会加密发送你要更新的内容信息(切记肯定是摘要之类的信息)(比如 LLB, iBoot, the kernel, and OS image), 一个防止重放攻击的随机数、 设备unique ID (ECID). 服务器检查一下你要升级那些(服务器记录了你终端的状态信息。。。这点也很可怕哦),如果发现数据库里面记录的这部ecid终端原来是io6,现在想升级成ios7.说明是个良民啊。准奏!那就签个名返回吧,准许安装,当然安装包肯定是要验证签名的。
– URL Scheme allows to edit or delete data without user permission
Ex: Skype URL Handler Dial Arbitrary Number
<iframesrc="skype://14085555555?call"></iframe>
Address space layout randomization (ASLR)、ARM’s Execute Never (XN) feature我就不多说啦,微软这么多年一直都在这方面努力。
XN :可写可执行的一定严格控制, The kernel checks for the presence of the Apple-only “dynamic-codesigning” entitlement.即使如此, only a single mmap call can be made to request an executable and writable page, which is given a randomized address. Safari uses this functionality for its JavaScript JIT compiler。逼不得已才开放!
ROP等攻击一直在持续。
4、++API控制
ios基本把危险的API全部干掉了!剩下的都是运行时提示。
5、数据加密
这可是ios最大的亮点。其他系统还在学习中!
1)、硬件加密引擎内置,内置 AES engine, SHA-1,说实话,没有硬件保存密钥、完成加密运算。数据加密就已经失去了8成安全!苹果的加密引擎DMA path between the flash storage and main system memory。大数据加密效率非常重要。
2)、内置两个初始密钥 unique ID (UID) and a device group ID (GID) are AES 256-bit keys。这两个东西谁都无法读写,除了加密引擎。
The UID是每个设备独有的 and not recorded by Apple or any of its suppliers.(革命形势啊!)
为此, iOS 提供一个Effaceable Storage. accesses the underlying storage technology (for example, NAND) to directly address and erase a small number of blocks at a very low level.。以便wear-leveling删除太麻烦。
data partition 每个文件创建时,Data Protection会创建一个256-bit key (“per-file” key) ,然后使用这个密钥借助硬件 AES engine。加密模式通常是AES CBC mode(不懂的看密码学). 既然是CBC自然需要IV,IV怎么来, 用文件的块偏移计算LFSR( linear feedback shift register (LFSR) calculated with the block offset into the file), IIV也是加密存储,encrypted with the SHA-1 hash of the per-file key.
per-file key是实际用来加密文件的,那它也得被保护啊。这就得分好几种条件了。
然后,加密的 per-file key is stored in the file’s metadata。.
然后file’s metadata又被加密了,The metadata of all files in the file system are encrypted with a random key, which is created when iOS is first installed or when the device is wiped by a user. The file system key is stored in Effaceable Storage. 其实这个加密价值不大。主要是为了销毁密钥方便。ios界面上操作 “Erase all content and settings” option,就是干掉了这个密钥。最终无法获得加密的per-file key。per-file key到底被谁加密,环境很多。根据不同的环境使用不用的 class key。 class key 又被 hardware UID 保护,有些情况下是通过user’s passcode. 如果你的数据相关联pin,那就得靠他。这非常重要!!!
class key来自于passcode and the device UID杂交而成。. 比如 locks a device (10 seconds, if the Require Password setting is Immediately),解密后的class key is discarded,要想解密数据就得重新输入pin吗。比如存储的邮件就是这种保护机制。
2)Protected Unless Open
(NSFileProtectionCompleteUnlessOpen):
先用椭圆曲线密钥算法ECDH 产生一对密钥。用刚刚产生的 file’s private key 和the Protected Unless Open class public key(系统产生的)计算一个共享密钥, 他对应的私钥被user’s passcode and the device UID保护。从这儿就管理了pin码!然后实际用来加密文件的密钥就被这个共享密钥的hash 加密并且存储在文件metadata ,同时存储ecc产生的 file’s public key,然后销毁ECC私钥。打开文件时,共享密钥可以由 the Protected Unless Open class’s private key(它靠pin和uid计算)计算。计算出 hash 就可以解密 the per-file key, 然后解密文件。
3)Protected Until First User Authentication
和第一种一样,, 唯一的区别就是锁屏后不清除内存密钥。the decrypted class key is not removed from memory when the device is locked.
4)No Protection
(NSFileProtectionNone): class key 被UID保护, 这种加密主要是擦除方便。因为所有用来计算密钥的信息都在终端上保存,如果一个越狱后的木马,那就。。。
The iOS Software Development Kit (SDK) 提供Data Protection供您选择!Data Protection is available for file and database APIs, including NSFileManager, CoreData, NSData, and SQLite.
keychain 的存在实体是数据库sqllite。他通过上文提到的 No Protection class保护。
既然keychain里面存储了各类应用的敏感数据,securityd daemon 管理这些数据。
Keychain access APIs 会调用 the securityd framework,该框架检测应用是否申请 “keychain-access-groups” and the “application-identifier” entitlement。通常keychain是绑定与创建的进程的,但也可以通过 access groups 对应用共享。如何共享,只有给同一个开发者。这通过iOS Developer Program中配置access group完成。开发的同志们自己去体验一下。至于这些数据如何加密的,和上述的文件加密基本类似。
High-level APIs (such as CFNetwork) make it easy for developers to adopt TLS in their apps, while low-level APIs (SecureTransport) provide fine-grained control.
各类VPN支持,ipsec、l2tp、sslvpn、pptp
9、wifi
支持EAP-TLS, EAP-TTLS, EAP-FAST,EAP-SIM, PEAPv0, PEAPv1, and LEAP.
10、企业管理
1)口令类
• Allow simple value
• Require alphanumeric value
• Minimum passcode length
• Minimum number of complex characters
• Maximum passcode age
• Passcode history
• Auto-lock timeout
• Grace period for device lock
• Maximum number of failed attempts
2)配置类
Passcode policies
• Restrictions on device features (disabling the camera, for example)
• Wi-Fi settings
• VPN settings
• Email server settings
• Exchange settings
• LDAP directory service settings
• CalDAV calendar service settings
• Web clips
• Credentials and keys
• Advanced cellular network settings
• Allow app installs
• Allow use of camera
• Allow FaceTime
• Allow screen capture
• Allow voice dialing
• Allow automatic sync while roaming
• Allow in-app purchases
• Force user to enter store password for all purchases
• Allow multiplayer gaming
• Allow adding Game Center Friends
• Allow Siri
Allow Siri while device is locked
• Allow use of YouTube
• Allow use of iTunes Store
• Allow use of Safari
• Enable Safari autofill
• Force Fraudulent Website Warning
• Enable JavaScript
• Block pop-ups
• Accept cookies
• Allow iCloud backup
• Allow iCloud document sync
• Allow Photo Stream
• Allow diagnostics to be sent to Apple
• Allow user to accept untrusted TLS certificates
• Force encrypted backups
• Restrict media by content rating