One, Foreword

The Epic Games vs. Apple lawsuit has been exciting to follow, and the inside stories coming out of it even more so; it has kept a summer's worth of gossip-hungry onlookers well fed. As technical people, though, we should do more than ask whether the gossip is juicy. We should ask why it is.

Epic Games called an expert witness to argue a point about "iOS security": that Apple could make iOS more like macOS in app distribution and third-party access without compromising security.

Two, Body

2.1 The debater

To examine the claim "iOS could be like macOS without security drawbacks", start with the person making it: Epic Games' expert witness James Mickens, professor of computer science at Harvard. Who is he?

You may not know much about Professor James Mickens, and that is fine. Wikipedia has the summary:

James W. Mickens is an American computer scientist and Gordon McKay Professor of Computer Science at Harvard University’s John A. Paulson School of Engineering and Applied Science. His research focuses on distributed systems, such as large-scale services, and ways to make them more secure. He is critical of machine learning as a template solution to the most prominent computing problems.

For the gossip-minded, the "Gordon McKay" in his title: Gordon McKay was a wealthy businessman who left a large bequest to Harvard, held in a trust fund. Income from the fund pays for around 40 professorships at Harvard, and whoever holds one of those chairs, that is, a Harvard professor whose position is funded by McKay's trust, carries the title "Gordon McKay Professor". (See: What is a 'Gordon McKay Professor'? – Quora)

As the introduction shows, the debater works on computer systems and security, so he should have some informed views. Let's get into his argument.

2.2 The argument

With the author's background covered, back to the topic: the conclusions of the testimony.

Summary of conclusions:

  • Security for the iPhone is primarily performed by the iPhone's operating system (iOS)
  • There is evidence that the App Review process is weak at enforcing additional security attributes that cannot be enforced by the operating system alone (my note: this amounts to saying Apple's review is very weak as a security review!?)
  • iOS, much like macOS, can already install apps that are not distributed through Apple's App Store
  • If Apple were to allow iPhone users to choose third-party distribution channels, those users would not suffer a significantly diminished security experience

Let's not rush to interpret these four points; instead, follow how the professor builds the case.

2.3 Argument: how is security implemented on the iPhone?

As the slide shows, the iPhone has three layers of security:

  • Off-device security: application distribution (performed by a third party)
  • On-device security: the operating system (independent of the app distribution method)
  • On-device security: the hardware

Off-device security breaks down into:

  • App Review
  • Developer Identification
  • Code Signing

In the professor's words, these "provide minimal (if any) security benefits relative to what iOS on-device security mechanisms provide".

Note: the professor's point is that this layer contributes the least security, which implies that App Review adds very little protection!?

Epic Games wants Apple to take a smaller cut of in-app purchases in the App Store, and the most direct way to get there is to bypass the App Store review process altogether. So Epic found a security angle: if app review matters very little to iOS security, apps can be distributed without Apple's approval!?

With Epic's needs in mind, the professor's next step is to show how iOS actually defends itself. The line of reasoning matters, so read on.

On-device security (operating system):

  • Digital Signature Validation
  • Sandboxing
  • Address Space Layout Randomization (ASLR)
  • Execute Never (W^X): a page is either writable or executable, never both
  • Memory Isolation
  • Kernel Integrity Protection
  • Page Protection Layer (PPL)

On-device security (hardware):

  • Biometric Authentication
  • Secure Enclave
  • Storage Encryption
  • Secure Boot

The operating system and hardware are the second and third layers. The professor's point about the first layer is that its contribution to security is minimal relative to the other two, and that is exactly the claim he needs to knock down Apple's app review, so the wording itself is not the key thing and you need not dwell on it. What we should watch is how the professor argues it. That is the fun part.

2.4 Operating system design

The professor really tried. For the benefit of the lay audience (the judge?), who may not be computer science majors and may not follow the second and third layers, he reached for an analogy.

He compared a computing device (a phone is a small computer too) to a restaurant. In other words, think of the iPhone as a restaurant:

  1. Diners -> apps
  2. Waiters -> middleware
  3. Cooks -> kernel
  4. Kitchen -> hardware

What is the core of a restaurant? The cooks and the waiters, of course. They correspond to the operating system, iOS, the core of the iPhone.

So the professor turned back to iOS:

2.5 Argument: how is security implemented on the iPhone? (operating system)

  • Kernel Integrity Protection
  • Page Protection Layer (PPL)

These two protect kernel memory. I will not go into them here; if there is time I will write a separate article on them, and interested readers can search for them in the meantime.

  • Address Space Layout Randomization (ASLR)
  • Execute Never (W^X): a page is either writable or executable, never both
  • Memory Isolation

These three protect memory between the kernel and apps, and between apps. They are explained in the glossary further down, so I skip them here.
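The W^X item in the list above is easy to state and easy to get wrong in practice, so here is an added example (mine, not the page's and not Apple's code) of the page-permission discipline it imposes on a JIT: code is written into a read-write page, the page is then flipped to read-execute, and only then is it run; at no point is it both writable and executable. It uses POSIX mmap and mprotect so it runs on Linux or macOS, x86-64 or arm64. On Apple silicon a real JIT would instead map with MAP_JIT and toggle pthread_jit_write_protect_np(); that macOS-only path is deliberately not used so the example compiles anywhere. The machine-code bytes (a function that returns 42) and the page handling are my own.

```c
/* Added example (not from the page or from Apple): the RW -> RX page
 * transition that a W^X policy forces on a JIT. POSIX mmap/mprotect only,
 * so it builds on Linux or macOS, x86-64 or arm64. On Apple silicon a JIT
 * would use MAP_JIT plus pthread_jit_write_protect_np() instead; that
 * macOS-only path is not used here. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

#if defined(__x86_64__)
/* mov eax, 42 ; ret */
static const uint8_t k_code[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };
#elif defined(__aarch64__)
/* mov w0, #42 ; ret  (little-endian bytes of 0x52800540 and 0xD65F03C0) */
static const uint8_t k_code[] = { 0x40, 0x05, 0x80, 0x52, 0xC0, 0x03, 0x5F, 0xD6 };
#else
#error "machine code below is provided for x86-64 and arm64 only"
#endif

typedef int (*jit_fn)(void);

/* The W^X rule itself: a page may be writable or executable, never both. */
int wx_violation(int prot)
{
    return (prot & PROT_WRITE) != 0 && (prot & PROT_EXEC) != 0;
}

/* Emit k_code into a fresh page and run it, keeping the page RW *or* RX at
 * every step. Returns what the emitted function returns, or -1 on error. */
int jit_run_wx(void)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0) return -1;

    int prot_rw = PROT_READ | PROT_WRITE;
    int prot_rx = PROT_READ | PROT_EXEC;
    if (wx_violation(prot_rw) || wx_violation(prot_rx)) return -1;  /* never RWX */

    /* 1. allocate RW and write the code */
    void *buf = mmap(NULL, (size_t)page, prot_rw, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED) return -1;
    memcpy(buf, k_code, sizeof k_code);

    /* 2. drop W, gain X: from here on the page can no longer be modified */
    if (mprotect(buf, (size_t)page, prot_rx) != 0) {
        munmap(buf, (size_t)page);
        return -1;
    }
    /* arm64 has separate I/D caches: make the new code visible to instruction fetch */
    __builtin___clear_cache((char *)buf, (char *)buf + sizeof k_code);

    /* 3. execute */
    int result = ((jit_fn)buf)();
    munmap(buf, (size_t)page);
    return result;
}

int main(void)
{
    printf("wx_violation(RWX) = %d\n", wx_violation(PROT_READ | PROT_WRITE | PROT_EXEC));
    printf("jit_run_wx() = %d\n", jit_run_wx());
    return 0;
}
```

Build with `cc -o wx wx.c && ./wx`. The order of the three steps is the whole point: if the page were left RW after the code ran, a memory-corruption bug anywhere in the process could rewrite it, and if it were RWX from the start there would be nothing to stop injected bytes from executing.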

  • Sandboxing

A sandbox is a security mechanism that keeps applications from reaching into each other. On iOS every app runs in its own sandbox, and the sandboxes are isolated from one another: without a jailbreak, no app can access another's.

  • Each app has its own storage space (its container);
  • An app cannot step outside its own space to access resources that do not belong to it;
  • Any data an app requests goes through a permission check, and the request is refused if the check fails.

There is not much more to say about the sandbox; as we all know, the iOS sandbox covers not only each app's storage but its other resources too, process scheduling included. The system isolates abnormal process behaviour, keeping apps separate from one another and each app secure.

  • Digital Signature Validation

When an app launches, the system checks the developer certificate in the app bundle, validates the code signature, and authorizes the app according to its distribution model (that is, the kind of signing certificate: individual, company, enterprise, and so on).

In short, these operating system (iOS) features are independent of how the app was distributed.

Note: "app distribution" here refers mainly to Apple's app review. The built-in security features of iOS do not depend on the distribution channel, still less on Apple's review.

2.6 iOS app review: security attributes

As the figure shows, the professor compares Apple's app review with the iOS device itself across several security attributes:

  • Sandbox Compliance
  • Exploit Resistance
  • Malware Exclusion
  • User Consent for Private Data
  • Legal Compliance

User Consent for Private Data: review is far weaker at verifying this than iOS is; the professor's verdict on review here is "weak, at best". On iOS he thinks it can be enforced by mediating the system API calls an app makes. Still, there seems to be no way to rule out the collection and abuse of users' private data entirely.

As for Legal Compliance, he says it is hard to determine, whether by Apple's review or by iOS. Objectively, human review can head off some problems, such as copyright violations, so the professor's view stands only partly. Of course, an app that changes its content after passing review is a problem no review can avoid, and if that is what he means, his conclusion holds. That is my opinion, anyway.

If you have looked at jailbreaks or the lower layers of iOS, you will have met Sandboxing, ASLR, W^X, KIP and the rest, so here is a glossary of these terms (if you find it useful, give us a like!):

Term (expansion): note

SIP (System Integrity Protection): A security feature of Apple's macOS introduced in OS X El Capitan (September 30, 2015). It comprises several mechanisms enforced by the kernel; the core one protects system-owned files and directories from modification by processes that lack a specific entitlement, even when they run as root.

AMFI (Apple Mobile File Integrity): Originated on iOS, where it blocks any attempt to run unsigned code. AMFI is a kernel extension, first introduced on iOS and added to macOS in OS X 10.10. Like the sandbox, it is a policy module of MACF (the Mandatory Access Control Framework) and plays a key role in enforcing SIP and code signing.

MACF (Mandatory Access Control Framework): In the SDK for Mac OS X 10.5 Leopard (October 26, 2007), Apple "mistakenly" exposed a new enforcement mechanism, the Mandatory Access Control policy framework, and soon corrected the mistake by taking the interface private. In Technical Q&A QA1574 Apple states explicitly that third parties should not use MAC, which is not part of the KPI. MACF is a powerful security facility that Apple adopted from TrustedBSD. Very little of it is visible from user mode; only the kernel can enforce it reliably. When XNU calls into the MAC layer to validate an operation, the MAC layer calls the registered policy modules, which perform the actual check.

PIC / PIE (Position Independent Code / Position Independent Executable): Machine code that runs correctly wherever it is placed in main memory, independent of its absolute address. PIC is widely used in shared libraries, so that one library's code can be mapped into different processes' address spaces; it is also used on systems without a memory management unit, letting the operating system isolate running programs inside a single address space. A PIE main executable is what lets ASLR randomize the program's own base address.

ASLR (Address Space Layout Randomization): Apple added user-space ASLR in OS X Lion and extended it to the kernel in OS X Mountain Lion (July 25, 2012). It has become a must-have for any operating system that wants to stop attackers and malware from injecting or reusing code, because an exploit can no longer rely on fixed addresses. It is paired with Data Execution Prevention (DEP, also known as W^X; implemented by the XD/NX bit on Intel and XN on ARM), which blocks direct code injection.

W^X (Write XOR Execute): Apple silicon forces a memory page to be either writable or executable, never both. JIT-based languages such as JavaScript have traditionally allocated pages that are both writable and executable, so Apple provides a dedicated API, pthread_jit_write_protect_np(), with which a JIT switches its pages between RW and RX.

KPP / KIP (Kernel Patch Protection / Kernel Integrity Protection): Arrived with iOS 9 and prevents tampering with the kernel at run time: once the kernel is loaded into memory, the Apple chip protects the kernel's code pages from modification (on A10 and later this is enforced in hardware as KTRR).

PAC (Pointer Authentication Code): A feature of the ARM architecture (ARMv8.3) that signs pointers and verifies the signature before the processor jumps through them, which effectively defeats attacks such as ROP (return-oriented programming). Apple first deployed it in the iPhone XS and XR. At present Apple applies PAC only to the macOS kernel and system services; the apps we write for the Mac get no PAC protection.

Device isolation (device memory isolation): On an Intel Mac, the memory space of devices and drivers is shared; on an arm64 (Apple silicon) Mac, the memory of each device is isolated from the drivers and from the other devices.

Secure Boot: Apple silicon Macs running macOS Big Sur boot the way iOS devices do: the Apple chip verifies the signature of the firmware loaded at each step to ensure its integrity. During installation the user can also choose Full Security or Reduced Security mode. By default Apple uses Full Security, in which the Mac can be treated like an iPhone: it cannot be downgraded and cannot load third-party kernel extensions. In Reduced Security mode users can install any version of macOS, load kernel extensions, and turn off SIP (System Integrity Protection).

AFC (Apple File Conduit): A file transfer service running on iOS devices that gives access over USB to the /var/mobile/Media directory of the iPhone. The AFC service is provided by the lockdownd daemon under the name com.apple.afc.
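PAC is the least familiar item in the glossary, so here is an added example (mine, not from the page and not Apple's code) that models pointer authentication in software: sign a return address with a key and a context, authenticate it before the jump, and watch both a ROP overwrite and a replayed pointer fail. Real PAC is implemented by the PACIA/AUTIA instructions with the QARMA cipher and keys held in system registers that user mode cannot read; the keyed mixing function, the 48-bit-VA / 16-bit-PAC layout, the key value and every address below are assumptions I constructed for illustration.

```c
/* Added example (not from the page, not Apple's code): a software model of
 * ARMv8.3 pointer authentication. Real PAC uses PACIA/AUTIA with the QARMA
 * cipher and keys in EL1 system registers; a keyed mixer stands in for the
 * cipher here. Assumption: 48-bit user-space virtual addresses, so bits
 * 48..63 are free to carry a 16-bit PAC. */
#include <stdint.h>
#include <stdio.h>

#define VA_BITS   48
#define ADDR_MASK ((1ULL << VA_BITS) - 1)

/* Per-process instruction key. On real hardware the kernel sets it at exec
 * and user mode cannot read it; here it is just an assumed constant. */
static const uint64_t g_key_ia = 0x1BD11BDAA9FC1A22ULL;

/* Stand-in for the cipher: keyed and non-linear, 16-bit result. */
static uint64_t pac_compute(uint64_t addr, uint64_t modifier, uint64_t key)
{
    uint64_t x = addr ^ key;
    x += modifier ^ (key >> 11);
    x ^= x >> 30; x *= 0xBF58476D1CE4E5B9ULL;
    x ^= x >> 27; x *= 0x94D049BB133111EBULL;
    x ^= x >> 31;
    return x >> VA_BITS;                 /* top 16 bits */
}

/* PACIA-style: stamp the PAC into the pointer's unused high bits. The modifier
 * binds the signature to a context (for a return address, the stack pointer). */
uint64_t pac_sign(uint64_t ptr, uint64_t modifier)
{
    uint64_t addr = ptr & ADDR_MASK;
    return addr | (pac_compute(addr, modifier, g_key_ia) << VA_BITS);
}

/* AUTIA-style: recompute and compare. Returns 1 and the plain pointer on
 * success, 0 on failure (hardware instead corrupts the pointer so the jump faults). */
int pac_auth(uint64_t signed_ptr, uint64_t modifier, uint64_t *out)
{
    uint64_t addr = signed_ptr & ADDR_MASK;
    if ((signed_ptr >> VA_BITS) != pac_compute(addr, modifier, g_key_ia))
        return 0;
    *out = addr;
    return 1;
}

/* Constructed addresses for the scenarios below (not from any real binary). */
#define RET_SITE   0x0000000100003F20ULL   /* legitimate return address */
#define GADGET     0x00000001000041C4ULL   /* attacker's ROP gadget */
#define SP_FRAME_A 0x000000016FDFF3A0ULL   /* stack pointer in the victim frame */
#define SP_FRAME_B 0x000000016FDFF2E0ULL   /* stack pointer in another frame */

/* Normal call/return: the prologue signs LR with SP, the epilogue authenticates it. */
int demo_legit_return(void)
{
    uint64_t saved_lr = pac_sign(RET_SITE, SP_FRAME_A);
    uint64_t target;
    return pac_auth(saved_lr, SP_FRAME_A, &target) && target == RET_SITE;
}

/* Classic ROP: a stack overflow replaces the saved LR with a raw gadget
 * address. The attacker has no key, so the PAC bits (here all zero) are wrong. */
int demo_rop_overwrite(void)
{
    uint64_t saved_lr = pac_sign(RET_SITE, SP_FRAME_A);  /* what the prologue stored */
    saved_lr = GADGET;                  /* the overflow writes an unsigned address */
    uint64_t target;
    return pac_auth(saved_lr, SP_FRAME_A, &target);      /* 0: would fault on hardware */
}

/* Replay: copy a validly signed pointer out of frame B into frame A. The
 * signature was bound to SP_FRAME_B, so it does not verify under SP_FRAME_A. */
int demo_replay_other_frame(void)
{
    uint64_t stolen = pac_sign(GADGET, SP_FRAME_B);      /* signed in B's context */
    uint64_t target;
    return pac_auth(stolen, SP_FRAME_A, &target);
}

int main(void)
{
    printf("legit return authenticates:     %d\n", demo_legit_return());
    printf("ROP overwrite authenticates:    %d\n", demo_rop_overwrite());
    printf("replayed pointer authenticates: %d\n", demo_replay_other_frame());
    return 0;
}
```

Two things carry over to the real mechanism: the modifier is what stops an attacker from reusing a signed pointer somewhere else, and a 16-bit PAC can still be guessed with probability 2^-16 per attempt, which is why a failed authentication must end the process rather than silently continue.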

2.7 iOS app distribution models: security features

To put App Review in context, the professor summarized the current ways an iOS app can be distributed:

  1. App Store
  2. Enterprise certificate signing
  3. TestFlight testing

What the professor wants the figure to show is which of these channels actually pass through App Review at all.

Note: two corrections. First, a TestFlight build that is opened to public (external) testers must pass a review; see the official document: TestFlight – Apple Developer. Second, besides the methods above, China also has a distribution method known as "super signature"; see: How to install an App on iOS without the App Store.

2.8 macOS: app distribution models

After all that, the professor finally turns back to the question of the debate, iOS vs macOS, starting with how macOS currently distributes apps:

  1. Mac App Store
  2. Third-party distribution (notarized)
  3. Third-party distribution (no review and no notarization)

Author's note on notarization: from macOS 10.15 on, apps downloaded from the internet that are not notarized cannot be opened by default, so apps distributed outside the App Store are notarized. Before release the developer uploads the app to Apple's servers, Apple scans it (for malware and the like) and returns a ticket, and the developer staples that ticket to the package, which can then be distributed and installed. For more on notarization see Apple's official session: All About Notarization – WWDC 2019 – Videos – Apple Developer.

2.9 Comparing the iOS and macOS software layers

As the figure shows, iOS and macOS share the same core OS, each with its own middleware on top. In other words, at the bottom of the stack the security mechanisms of iOS and macOS are very similar.

Author's note: since Apple introduced macOS 11 Big Sur and the ARM-based Apple silicon M1 at WWDC20 last year, the boot process of an M1 Mac has in fact been the iPhone's, because both are built on the ARM architecture and the iPhone design is already mature; beneath the system, the iPhone and the M1 (macOS Big Sur) really are very similar. See WWDC20: Explore the new system architecture of Apple silicon Macs – WWDC 2020 – Videos – Apple Developer.

2.10 How is security implemented on iOS and macOS?

Finally, by comparing the security of iOS and macOS, the professor concludes that three technical pieces would bring macOS-style security to iOS:

  1. Notarization
  2. Gatekeeper
  3. A malware scanner

Gatekeeper ensures that users install apps that come either from the Mac App Store or from an identified developer. Concretely, it verifies Mac App Store apps and identifies the developer of apps from outside the store, keeping some malware out. Official references: Advances in macOS Security – WWDC 2019 – Videos – Apple Developer; Safely open apps on your Mac – Apple Support; Use access control in macOS deployments – Apple Support.

Here the professor's intent is clear:

"iOS could have been as open as macOS without any impact on security."

If these three macOS security features were added to iOS, the protection of iOS apps would improve further and the iPhone would be further secured. Of course, all of the professor's arguments rest on technical security; what about human nature?

So, what do you think? Let's discuss in the comments.

2.11 App distribution: design implications

Finally the professor gave a side-by-side comparison of iOS and macOS, and that ended the testimony.

This summary slide is meant to show that for app distribution on both iOS and macOS, the operating system provides the security guarantees, while Apple's app review covers only the App Store channel and notarization (which is mainly a malware scan). The other distribution methods, such as enterprise certificates, TestFlight and un-notarized third-party Mac apps, never go through Apple's app review at all, yet so far have had no security problems??

So, could Apple open up third-party distribution??

Three, Summary

As you can see, the professor's whole line of argument is very interesting, and we learn a lot about iOS from it: gossip and knowledge in one!

The professor's claim is that iOS with notarization, Gatekeeper and a malware scanner would be as secure as macOS, which has no major security problems, so it seems perfectly reasonable to open iOS up like macOS, without app review!? Of course, Professor Mickens' testimony was there to defend one of Epic Games' core arguments against the iOS App Store. You can keep your own opinions; you need not accept all of it.

In my opinion, the professor's line of thinking is very reasonable in terms of security technology. For technical security we need to improve from both the attack and the defence side and learn from good designs (such as macOS); iOS, too, is well worth learning from.

As for the manual review mechanism of iOS and the App Store, it cannot be explained in a sentence or two, so the next article will cover the inside story of Apple's app review. Stay tuned.

If you have any questions, feel free to share them in the comments.

As a preview, our next article, "Revealing Apple's review team", will be published soon; follow us for updates.

Four, References

  • James Mickens – Wikipedia
  • What is a ‘Gordon McKay Professor’? – Quora
  • Explore the new system architecture of Apple silicon Macs – WWDC 2020 – Videos – Apple Developer
  • TestFlight – Apple Developer
  • How to install an App on iOS without the App Store
  • All About Notarization – WWDC 2019 – Videos – Apple Developer
  • Safely open apps on your Mac – Apple Support
  • Advances in macOS Security – WWDC 2019 – Videos – Apple Developer
  • Use access control in macOS deployments – Apple Support
  • Epic Games expert says iOS could be like macOS without security drawbacks | AppleInsider
  • Epic expert: Apple iOS could have been as open as macOS without security implications – IT Home

Note: if reproduced, please cite the source.