Arkitektura e Sigurisë e iOS-it

Mesatar 14 min Siguria Mobile

Hyrje

iOS is designed from the ground up to be hard for both attackers and users to modify, which gives it strong default security but also constrains what analysts can do on the device.

Teoria

Every iOS app runs in a sandbox with a UUID-based data directory and access only to resources explicitly declared in its entitlements. Code signing enforces that only Apple-signed apps can run, with a few exceptions for enterprise and developer provisioning profiles. The Secure Enclave is a separate coprocessor that handles TouchID/FaceID, stores key material, and generates encryption keys that the main CPU never sees in plaintext. Full-disk encryption is always on and tied to the user's passcode. These layers combine into a platform that resists mass-market malware extremely well. Most of the successful iOS attacks have been targeted nation-state campaigns (Pegasus, Predator) using zero-day exploit chains that cost millions to develop. For the average user, keeping iOS up to date and avoiding sideloaded enterprise profiles is close to all the defense they need. For security researchers, this rigid environment makes testing harder. Jailbreaking gives you a root shell and the ability to run tools like Frida, but recent iOS versions are rarely jailbreakable for long, and sideloading test apps requires a developer certificate. A pragmatic researcher uses a jailbroken legacy device for deep research and tests production apps via Apple's TestFlight or by analyzing decrypted IPAs from resources like ipatool.

Mjetet

Komponentet:

  • Secure Enclave (çelësa biometrikë, Face ID).
  • Data Protection API (Complete, CompleteUnlessOpen, etc).
  • App Sandbox, Entitlements, Code Signing.
  • System Integrity Protection, Pointer Authentication.

Praktika

Ruajtje çelësi në Keychain (Swift):

let query: [String: Any] = [
    kSecClass as String: kSecClassGenericPassword,
    kSecAttrAccount as String: "api_token",
    kSecValueData as String: token.data(using: .utf8)!,
    kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly
]
SecItemAdd(query as CFDictionary, nil)

Ushtrime

  1. Lexon dokumentacionin e Data Protection Classes dhe zgjedh klasën e duhur për tre lloje të dhënash.
  2. Shpjego rolin e Secure Enclave krahasuar me TEE në Android.

Burime

  • Apple Platform Security Guide.
  • OWASP MASVS.

Vlerësimet dhe komentet

Kyçu për të lënë një vlerësim.

Ende pa komente. Bëhu i pari!

Diskutime

Ende pa diskutime. Hap një temë të re