1. 4
  2. 1

    Lots of marketing speak.

    How does iOS security compare to other phone OSes? Other hardware platforms? Is it best of breed?

    Can we do better in the future?

    Anyone care to comment?

    1. 3

      I’m surprised you’re so quick to dismiss this as marketing speak. That the 5s doesn’t store fingerprints, but something akin to a hash of the fingerprint, is something worth knowing. The section on Data Protection APIs available to apps is also fairly technical.

      What information is missing that you think is needed to make this a technical document?

      1. 1

        You’re right. My comment might be a bit too trollish.

        I think, in general, I am put off by all the “fluffy sentences.”

        The introduction might have put me off with its talk of “major leap forward” and “stringent security features.” So, I didn’t read everything.

        But more examples of fluff:

        > Every iOS device has a dedicated AES 256 crypto engine built into the DMA path between the flash storage and main system memory, making file encryption highly efficient

        “Highly efficient” isn’t exactly technical. Efficient in time or space or power? I think they were talking about power. How much more efficient, then? Why are they even talking about efficiency, when the topic is security?

        But my questions in the grandparent stand: Is iOS more secure than other platforms like Android? That topic of conversation was really the point of my post.

        1. 2

          “Highly Efficient” may be an approximation, but it certainly isn’t non-technical. It is also used in a lot of technical papers:

          http://scholar.google.com/scholar?hl=en&q=highly+efficient&btnG=&as_sdt=1%2C5&as_sdtp=

          In regards to whether or not iOS is more secure than Android, that is a massive, and likely very difficult to quantify answer.

          1. 1

            “Highly efficient” is not technical, in my opinion, because it’s not backed up with any facts (and doesn’t pertain to the topic of security). I think it’s just fluff.

            In the Google search you posted, for example, on the first result I looked at the article and they explain what they mean by highly efficient:

            > lipofection is from 5- to greater than 100-fold more effective than either the calcium phosphate or the DEAE-dextran transfection technique.

            See: http://www.pnas.org/content/84/21/7413.short

            1. 2

              I think we may be playing semantics. Regardless, I do agree that it would have been nice to have a far more granular analysis of the various components that make iOS “secure”.

              1. 2

                :)

          2. 1

            > Why are they even talking about efficiency, when the topic is security?

            People don’t use inefficient crypto. They are pointing out that they can easily, transparently encrypt all the data on the phone, as opposed to selectively only encrypting the very most important bits.

            Why doesn’t every computer always encrypt everything on the hard drive? Because people are afraid it’s too slow.

            As another point that’s not mentioned in the paper (likely beyond the scope), the iOS kernel is perhaps better hardened against memory corruption exploits than any other I’m aware of.

            1. 1

              Another reply. :)

              > Securely erasing saved keys is just as important as generating them. It’s especially challenging to do so on flash storage, where wear-leveling might mean multiple copies of data need to be erased. To address this issue, iOS devices include a feature dedicated to secure data erasure called Effaceable Storage.

              That’s something I’m happy to read and which I didn’t know when I woke up this morning. When I erase my phone and mail it to Amazon, I like knowing that the data on the phone is not trivially recoverable with some undelete command. That’s not fluff to me.

              I alluded to iOS kernel hardening. For some of the things Apple doesn’t talk about, refer to this presentation.

              http://conference.hackinthebox.org/hitbsecconf2012kul/materials/D1T2%20-%20Mark%20Dowd%20&%20Tarjei%20Mandt%20-%20iOS6%20Security.pdf

          3. 1