Apple publishes in-depth M1, Mac, and iOS security guide

Apple has published its annual Apple Platform Security Guide, which includes updated details concerning the security of all its platforms, including the new M1 and A14 chips inside Apple Silicon Macs and current iPhones, respectively.

The first look inside M1 Mac security

The extensive 196-page report explains how Apple continues to develop its core security models along the premise of mutually distrusting security domains. The idea here is that each element in the security chain is independent, gathers little user information, and is built with a zero-trust model that helps boost security resilience.

The report explores hardware, biometrics, system, app, network, and services security. It also explains how Apple’s security models protect encryption and data and looks at secure device management tools.

For most Apple users, particularly in the enterprise, it’s what the guide reveals concerning the M1 chips and the security of Macs running them that may be of most interest, as the guide provides the deepest dive yet on this topic.

It confirms that Macs running the M1 chip now support the same degree of robust security you find in iOS devices, which means things like Kernel Integrity Protection, Fast Permission Restrictions (which help mitigate web-based or runtime attacks), System Coprocessor Integrity Protection, and Pointer Authentication Codes.

You also get a series of data protections and a built-in Secure Enclave.

All of these are designed to help prevent common attacks, such as those that target memory or use javascript on the web. Apple claims its protections will mitigate against successful attacks of this nature: “Even if attacker code somehow executes, the damage it can do is dramatically reduced,” the report says.

Apple Silicon Boot modes

The guide provides a deeper look into how M1 Macs boot, including information on boot processes and modes, (described as “very like” those of an iPhone or iPad) and start-up disk security policy controls. The latter explains:

“Unlike security policies on an Intel-based Mac, security policies on a Mac with Apple silicon are for each installed operating system. This means that multiple installed macOS instances with different versions and security policies are supported on the same machine.”

The guide explains how to access the available Boot modes for Macs running Apple Silicon.

• macOS, the standard mode, launches when you switch on your Mac.
• recoveryOS: From shutdown, press and hold the power button to access this.
• Fallback recovery OS: From shutdown, double press and hold the power button. This launches a second copy of recoveryOS.
• Safe mode: From shutdown, press and hold the power button to access recovery mode and then hold Shift while selecting the start-up volume.

A slight change in biometrics

Another change in the A14/M1 processor is in how the Secure Neural Engine used for Face ID works. This function was formerly integrated in the Secure Enclave, but now becomes a secure mode in the Neural Engine on the processor. A dedicated hardware security controller switches between Application Processor and Secure Enclave tasks, resetting the Neural Engine state on each transition to keep Face ID data secure.

The report also works to explain that Face and Touch ID are layers atop passcode-based protection, not a replacement. That is why you must enter your passcode to erase or update your systems, change passcode settings, to unlock the Security pane on a Mac, or when you haven’t unlocked your device for over 48 hours and at other times.

The report once again concedes that the probability a random person in the population could unlock a user’s device is 1 in 50,000 with Touch ID or 1 in 1 million with Face ID, noting that this probability rises in proportion to the number of fingerprints you enroll.

What is Sealed Key Protection?

One security feature enterprises may want to explore closely is called Sealed Key Protection. This is only available on Apple’s chips and aims to mitigate against attacks in which encrypted data is extracted from the device for brute force attacks, or attacks are made against the OS and/or its security policies.

The idea is that user data is rendered unavailable off the device in the absence of appropriate user authorization.

This may help protect against some data exfiltration attempts and works independently of the Secure Enclave. This isn’t especially new; it has been available since the iPhone 7 and its A10 chip, but is now available to M1 Macs for the first time.

There’s a great deal more to peruse in the full report, which you can explore here. (Apple is expected to revise its Platform Security website pages to reflect the new report.) The report is recommended reading for any enterprise user concerned for Apple device security.

Please follow me on Twitter, or join me at the AppleHolic’s bar & grill on MeWe.