How Apple Protects Device Data
Uses hardware-based encryption tied to the device's unique hardware key.
Data protected with File Data Protection classes enforcing different encryption levels based on device lock state.
Sensitive data stored in the Secure Enclave, a separate chip managing cryptographic operations.
Combines encryption with passcodes to control access.
How Passcodes Work
User passcode is combined with a unique hardware key to create an encryption key.
Passcodes protect the keybags that encrypt file system keys.
Longer, complex passcodes increase protection by making brute force attacks exponentially harder.
After multiple failed attempts, device delays or wipes data (configurable).
Encryption in iOS
Uses AES-256 encryption for file data.
Implements Data Protection Classes:
Complete Protection: Data only accessible when device unlocked.
Protected Unless Open: Data accessible until device is locked.
No Protection: Data always accessible (for non-sensitive files).
Encryption keys are wrapped by passcode-derived keys and hardware keys.
Apple Ecosystem Security
Data syncs securely across devices via iCloud Keychain and end-to-end encryption.
Uses device attestation to verify trusted hardware.
Apps communicate via secure app sandboxing and permissions.
Continuity features like Handoff are secured with encryption and authentication.
What Happens When You Change Your Passcode
The device re-encrypts the keybag with a new key derived from the new passcode.
Ensures previously encrypted data cannot be accessed with the old passcode.
All file protection keys remain the same but are rewrapped.
Protects against unauthorized access if the old passcode was compromised.
How Memory is Encrypted
iOS devices have hardware-based memory encryption protecting RAM contents.
Uses Effaceable Storage: Secure storage wiped on passcode reset or erase.
Secure Enclave handles sensitive cryptographic operations off main CPU.
Protects against physical memory attacks and cold boot attacks.
Secure Enclave Role
Dedicated coprocessor for key management, cryptographic functions, and biometric data (Face ID/Touch ID).
Isolated from main processor, preventing direct access by iOS or apps.
Enforces secure boot, preventing unauthorized OS or firmware loading.
Stores keys that never leave the enclave, enhancing security.
Code Signing in iOS
Ensures only Apple-approved, cryptographically signed apps run on devices.
Prevents execution of unauthorized or modified code.
Protects system integrity by verifying app authenticity at install and runtime.
Blocks attackers from injecting or running native malicious code.
Runtime Protections in iOS
Includes Address Space Layout Randomization (ASLR) to randomize memory addresses.
Implements Data Execution Prevention (DEP) to prevent execution of data sections.
Enforces sandboxing restricting app access to files and resources.
Together, these make typical buffer overflow and code injection attacks difficult.
Why Attackers Use NSPredicate and Scripting Languages for RCE
iOS prevents native code injection via strict code signing.
Attackers leverage embedded interpreters (like NSPredicate, JavaScriptCore) to run malicious scripts inside signed apps.
This bypasses code signing by executing code in trusted runtime environments.
NSPredicate can evaluate complex expressions, enabling logic execution without native code.
iOS Data Protection Keybags and Passcode Changes
Keybags store file encryption keys wrapped by passcode-derived keys and hardware keys.
Changing passcode re-encrypts the keybag with the new passcode key.
Files remain encrypted with original keys; only the wrapping key changes.
This ensures seamless security without needing to re-encrypt all data.
Secure Enclave and Key Management
Secure Enclave stores cryptographic keys isolated from main CPU.
Manages passcode verification, biometric data, and file encryption keys.
Ensures keys never leave the enclave unencrypted.
Supports secure key derivation during passcode changes.
Return Oriented Programming (ROP)
Attack technique where hackers use existing code snippets ("gadgets") already in memory.
They chain these gadgets together to perform malicious actions without injecting new code.
Used to bypass protections like non-executable memory (DEP).
Common in exploits on systems like iOS where running injected code is blocked.
ASLR
Security feature that randomizes the memory locations where code and data are loaded.
Makes it difficult for attackers to predict addresses of code gadgets for ROP.
Helps prevent buffer overflow and ROP attacks by increasing uncertainty.
Implemented in iOS and many other modern OSes.
Data Execution Prevention (DEP)
Marks certain areas of memory as non-executable, so code can't run from there.
Prevents execution of injected code from data buffers or stack.
Forces attackers to use techniques like ROP instead of classic code injection.