End User Devices Security Guidance: Apple iOS 6
Updated 14 October 2013
© Crown copyright 2013
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/end-user-devices-security-guidance-apple-ios-6/end-user-devices-security-guidance-apple-ios-6
This guidance is applicable to devices running iOS 6.0 and 6.1. This guidance was developed following testing performed on iPhone 5 and iPad devices running iOS 6.1.4 and 6.1.3 respectively.
1. Usage Scenario
iOS devices will be used remotely over 3G, 4G and non-captive Wi-Fi networks to enable a variety of remote working approaches such as:
- accessing OFFICIAL email;
- reviewing and commenting on OFFICIAL documents;
- accessing the OFFICIAL intranet resources, the Internet and other web-resources
To support these scenarios, the following architectural choices are recommended:
- All data should be routed over a secure enterprise VPN to ensure the confidentiality and integrity of the traffic, and to allow the devices and data on them to be protected by enterprise protective monitoring solutions.
- Arbitrary third-party application installation by users is not permitted on the device. An enterprise application catalogue should be used to distribute in-house applications and trusted third-party applications.
2. Summary of Platform Security
This platform has been assessed against each of the twelve security recommendations, and that assessment is shown in the table below. Explanatory text indicates that there is something related to that recommendation that the risk owners should be aware of. Rows marked [!] represent a more significant risk. See How the Platform Can Best Satisfy the Security Recommendations for more details about how each of the security recommendations is met.
| Recommendation | Rationale |
|---|---|
| 1. Assured data-in-transit protection | The VPN can be disabled by the user. The built-in VPN has not been independently assured to Foundation Grade, and no suitable third-party products exist. |
| 2. Assured data-at-rest protection | iOS data protection has not been independently assured to Foundation Grade. Only applications which opt to use the relevant Data Protection APIs on iOS have their sensitive information protected in the locked state. |
| 3. Authentication | |
| 4. Secure boot | |
| 5. Platform integrity and application sandboxing | |
| 6. Application whitelisting | |
| 7. Malicious code detection and prevention | |
| 8. Security policy enforcement | Whilst Configurator settings cannot be overridden, the MDM profiles can be removed by the user. The MDM APIs only offer a limited set of controls Significant overhead per-device is required to provision each device. |
| 9. External interface protection | Radio interfaces such as Wi-Fi and Bluetooth cannot be controlled by policy. |
| 10. Device update policy | |
| 11. Event collection for enterprise analysis | [!] There is no facility for collecting logs remotely from a device, and collecting forensic log information from a device is very difficult. |
| 12. Incident response |
2.1 Significant Risks
The following key risks should be read and understood before the platform is deployed.
- CESG have performed a due-diligence risk assessment of the VPN component and found that the VPN currently does not support some of the mandatory requirements expected from assured VPNs. Without assurance in the VPN there is a risk that data transiting from the device could be compromised. In addition, there is no guarantee that data from applications on the device will use the VPN, leading to potential for data leakage onto untrusted networks. A private APN can be used to help treat this risk.
- iOS data protection has not been independently assured to Foundation Grade. However, CESG has previously determined that the level of protection is commensurate with Foundation Grade for applications that use Data Protection APIs to protect data when the device is locked.
- Applications must opt in to the various classes of data encryption on a per-file basis, and the only default application which opts-in to encryption whilst locked is the Mail application. Files other than e-mail and attachments will not be encrypted when the device is locked, and could be extracted without knowledge of the password, using a vulnerability in the platform.
- Collection of events for enterprise analysis is limited, meaning protective monitoring and forensic analysis following any compromise may be much harder than on other platforms.
- There are no policy controls available to restrict the external interfaces a user can enable, meaning that external interfaces may be accidentally or deliberately enabled by the end-user. Enabling external interfaces means additional attack surface could be exposed and data could be inadvertently or maliciously leaked without enterprise visibility.
- Procedural controls are used to achieve some of the requirements where no technical controls could be used, which means that users have to be trusted not to alter certain settings on the device, or perform actions which may impact the security of the device. These controls are discussed in later sections.
3. How the Platform Can Best Satisfy the Security Recommendations
This section details the platform security mechanisms which best address each of the security recommendations.
3.1 Assured data-in-transit protection
Use the native IPsec VPN client until a Foundation Grade VPN client for this platform becomes available.
3.2 Assured data-at-rest protection
iOS data protection is enabled by default. The mail application uses Data Protection APIs to encrypt emails and attachments when the device is locked. Third-party developers can also use this protection class to gain the benefit of the technology.
3.3 Authentication
The user has a strong 7 character password to authenticate themselves to the device. This password unlocks a key which encrypts certificates and other credentials, giving access to enterprise services.
3.4 Secure boot
This requirement is met by the platform without additional configuration.
3.5 Platform integrity and application sandboxing
This requirement is met by the platform without additional configuration.
3.6 Application whitelisting
An enterprise application catalogue can be established to permit users access to an approved list of in-house applications. If the App Store is enabled, MDM can be used to monitor which applications a user has installed.
3.7 Malicious code detection and prevention
The enterprise app catalogue should only contain approved in-house applications which have been checked for malicious code. iOS does not support side-loading of applications. Content-based attacks can be filtered by scanning on the email server.
3.8 Security policy enforcement
Settings applied through Configurator cannot be removed by the user.
Settings applied through MDM can be removed completely, but that also removes any data stored as part of accounts configured through MDM (e.g. e-mail and credentials).
3.9 External interface protection
The USB interface is configured by using Configurator to put the device into supervised mode. No technical controls exist to prevent users from enabling Wi-Fi and Bluetooth.
3.10 Device update policy
Users are free to update applications and firmware when they wish. The enterprise has no control over this.
3.11 Event collection for enterprise analysis
iOS does not support remote or local historic event collection.
3.12 Incident response
iOS devices can be locked, wiped, and configured remotely by their MDM.
4. Network Architecture
All remote or mobile working scenarios should use a typical remote access architecture based on the Walled Garden Architectural Pattern. The following network diagram describes the recommended architecture for this platform.
Recommended network architecture for iOS 6 deployments
An MDM server is required. Apple’s OS X Server Profile Manager is sufficient for this purpose; alternatively, third-party products exist which may offer additional functionality over and above Profile Manager.
5. Deployment Process
The following steps should be followed to prepare the enterprise infrastructure for hosting a deployment of these devices:
- Deploy OS X 10.7.5+ and install iTunes 11.0.3+ and Apple Configurator 1.2.1+ onto a dedicated provisioning terminal.
- Procure, deploy and configure other network components, including an approved IPsec VPN Gateway.
- Set up the MDM with Profile Manager component, and create policies for users and groups in accordance with the settings later in this chapter.
6. Provisioning Steps
The following steps should be followed to provision each end user device onto the enterprise network to prepare it for distribution to end users:
- Use Configurator to supervise the iOS devices
- Enrol the devices into the MDM deployed earlier and install the predefined configuration profile
- Apply any additional required security controls by using the Restrictions menu locally on the device.
7. Policy Recommendations
This section details important security policy settings which are recommended for an iOS deployment. Other settings (eg server address) should be chosen according to the relevant network configuration.
7.1 Configurator Settings
These settings should be applied to the device by creating profiles in the Configurator utility.
| Configuration Rule | Configuration Setting |
|---|---|
| General Group | |
| Security (user can remove profile) | Never |
| Automatically Remove Profile | Never |
The Global HTTP Proxy settings should also be set to match your particular network configuration for when the device is connected to the VPN.
7.2 MDM Settings
These settings should be applied to the device by creating profiles on the MDM server.
| Passcode Group | |
|---|---|
| Allow Simple | No |
| Require alphanumeric value | Yes |
| Minimum passcode length | 7 (characters) |
| Minimum complex characters | 1 |
| Maximum passcode age | 90 (days) |
| Maximum auto-lock | 10 (minutes) |
| Passcode history | 8 |
| Maximum grace period for device lock | 5 (minutes) |
| Maximum number of failed attempts | 5 |
| Restrictions Group | |
| Allow installing apps | No |
| Allow screen capture | No |
| Allow installation of Configuration Profiles (Supervised devices only) | No |
| Allow iCloud backup | No |
| Allow iCloud document syncing | No |
| Allow accepting untrusted TLS certificates | No |
If you are using Profile Manager, you should ensure that the option to sign configuration profiles is selected. Other MDMs may have a similar option which should be selected.
7.3 On-device Restrictions Menu
In Settings → General → Restrictions, the following items should be set as described and protected using a unique 4-digit PIN which is not shared with the device user. These settings must be set on each device.
| Configuration Rule | Recommended Setting |
|---|---|
| Contacts - Don’t allow changes | Yes |
| Calendars - Don’t allow changes | Yes |
| Photos - Don’t allow changes | As per organisational policy |
| Bluetooth Sharing - Don’t allow changes | Yes |
| Twitter - Don’t allow changes | As per organisational policy |
| Facebook - Don’t allow changes | As per organisational policy |
| Accounts - Don’t allow changes | Yes |
Allowing changes to these restrictions will allow applications on the device to request access to the named data store. Any that are not required should be disabled.
Allowing changes to the Facebook and Twitter settings will allow applications on the device to request access information from the user’s Facebook and Twitter accounts, including identity, and make posts to that account.
7.4 VPN Profile
The deployed VPN solution should be configured to negotiate the following parameters. Not all of these settings can be configured on the device so the configuration needs to also be enforced from the VPN server.
| Setting | Value |
|---|---|
| IKE DH Group | 5 (1536-bit) |
| IKE Encryption Algorithm | AES-128 |
| IKE Hash Algorithm | SHA-1 |
| IKE Authentication Method | RSA X.509 |
| IPsec Encryption | AES-128 |
| IPsec Auth | SHA-1 |
| SA Lifetime | 24 hours |
| VPN On Demand | Always |
Set the VPN on demand triggers to be the address of the Global Proxy configured using Configurator.
Note that for an iOS device to verify the VPN server certificate, the certificate must have an alternate subject name entry that matches the common name. Information on the supported server configurations can be found at http://help.apple.com/iosdeployment-vpn/mac/1.2/
8. Enterprise Considerations
The following points are in addition to the common enterprise considerations, and contain specific issues for iOS deployments.
8.1 App Store Applications
The configuration given above prevents users from accessing the App Store to install applications, but an organisation can still host its own Enterprise App Catalogues to distribute in-house applications to their employees if required.
8.2 VPN
On iOS users can alter the configuration of the VPN which can adversely affect the security of the device. Procedural controls must be present in the user security procedures to prohibit the altering of any settings related to the VPN.
8.3 Cloud Integration
iOS devices do not need to be associated with an Apple ID to operate as required within the enterprise. For example, it is still possible to receive push notifications without associating to an account. Procedural controls will therefore be necessary to prevent users from associating their device with an Apple ID, and therefore preventing enterprise data from being synchronised with Apple servers.
8.4 iOS 7.0
At the time of publication of this guidance, Apple have recently released iOS 7 – a major update to iOS 6. As it is not generally possible to downgrade or deploy legacy versions of iOS onto devices, the majority of devices will soon be running the updated iOS software. Whilst an update to this platform security guidance is being developed, CESG advise that organisations continue to follow this iOS 6 deployment and risk management guidance when using iOS 7. However, any new security features should be given careful consideration before being enabled or not used until guidance on their use is made available.