One, Foreword

The recent Epic Games vs Apple litigation was intense and exciting, and the inside information that came out was just as exciting, which kept the summer's gossip-watchers well fed. Of course, as technical people, besides paying attention to whether the gossip is juicy, we should also analyse why it is juicy. Epic Games invited an expert witness to argue that Apple could make iOS more like macOS in terms of app distribution and third-party access without compromising security.

Two, Body

2.1 The debater

The proposition under debate is: “iOS could be like macOS without compromising security.” Let’s start with the debater, Epic Games’ expert witness James Mickens, Professor of Computer Science at Harvard University. Who is he?

You may not know Professor James Mickens very well. It doesn’t matter! We can check it out on Wikipedia:

James W. Mickens is an American computer scientist and is the Gordon McKay Professor of Computer Science at the John A. Paulson School of Engineering and Applied Sciences at Harvard University. His research focuses on distributed systems, such as large-scale services, and ways to make them more secure. He is critical of machine learning as a model solution to the most prominent computing problems.

Also, some gossip about the “Gordon McKay” title: Gordon McKay was a wealthy businessman who donated a large sum of money to Harvard, which was placed in a trust fund. Money from the fund pays for 40 different professorships at Harvard. The holder of a chair endowed by Gordon McKay, that is, a Harvard professor whose position is funded by the trust Gordon McKay set up, carries the title “Gordon McKay Professor”. (Source: What is a ‘Gordon McKay Professor’? – Quora)

From this introduction of Professor James Mickens, we can see that his focus is on computers and security, so he will have some unique views on the subject. Let’s move on to Mickens’ argument.

2.2 The argument

Now that we have the speaker’s background, let’s go back to today’s main topic and look at the arguments made in this debate.

Conclusion summary:

  • Security on the iPhone is largely enforced by the iPhone’s operating system, iOS.
  • There is some evidence that the App Review process is weak at enforcing additional security attributes that cannot be enforced by the operating system alone.
  • Much like macOS, iOS already has the ability to install apps that aren’t distributed through Apple’s App Store.
  • If Apple had allowed iPhone users to choose third-party app distribution channels, those users would not have suffered a significantly less secure experience.

Given these points, let’s not rush to argue back; first let’s listen to how the professor makes his case.

2.3 Argument: how are security measures implemented on the iPhone?

As you can see from the picture, there are three layers of security on the iPhone:

  • Off-device security: application delivery (can be performed by third parties)
  • On-device security: operating system (independent of the app distribution method)
  • On-device security: hardware

Off-device security is divided into:

  • App Review
  • Developer Identification (ID)
  • Code Signing

According to the professor, these measures provide minimal (if any) security benefits relative to what the iOS on-device security mechanisms provide.

Author’s note: what the professor means here is that this layer has the least security benefit, in other words that App Review has little security benefit!?

Epic Games wants Apple to lower the App Store’s cut of in-app purchases. The most direct way to achieve that is to not go through App Store review at all. So Epic Games found a security angle: App Review contributes minimally to iOS security, therefore apps could be distributed without Apple’s review!?

Understanding Epic Games’ requirements, we can guess that Professor James Mickens is going to demonstrate how iOS security is actually defended. The reasoning is what matters, so let’s keep watching!

On-device security: operating system

  • Digital Signature Validation
  • Sandboxing
  • Address Space Layout Randomization (ASLR)
  • Execute Never (W^X): a memory page is either writable or executable, never both
  • Memory Isolation
  • Kernel Integrity Protection (KIP)
  • Page Protection Layer (PPL)

On-device security: hardware

  • Biometric Authentication
  • Secure Enclave
  • Storage Encryption
  • Secure Boot

The second and third layers are the operating system and the hardware. As for the first layer, the professor said its security role is minimal relative to the second and third layers. In fact he just wants to knock down Apple’s app review mechanism; that idea itself is not the key point, and you needn’t dwell on it. What we need to focus on is how the professor argues it. That is the fun of watching the show.

2.4 Operating system design

The professor was really considerate! To make it easier for people (the judge?) to understand the second and third layers I just mentioned, which someone without a computer science background might not follow, the professor first showed a comparison picture:



As you can see from the picture, the professor compares a restaurant with a computing device (a computer; an iPhone is also a small computer):

  1. Diners -> apps
  2. Waiters -> middleware
  3. Chefs -> kernel
  4. Kitchen -> hardware

What is the core of a restaurant? The chefs and the waiters, of course! So this part corresponds to the operating system, iOS, the core of the iPhone.

Now you should be able to follow it; it does seem reasonable. So the professor moved on to discuss the iOS operating system:

2.5 Argument: how are security measures implemented on the iPhone? (Operating system)

  • Kernel Integrity Protection (KIP)
  • Page Protection Layer (PPL)

These two features are kernel memory protections, but I won’t go into them much here. If I have time, I will write an article about them in the future. Anyone interested can also look them up on their own.

  • Address Space Layout Randomization (ASLR)
  • Execute Never (W^X): a memory page is either writable or executable, never both
  • Memory Isolation

These three features protect memory between the kernel and apps. I’ll cover them in more detail later, but skip them here.



PDX-0081-07.png

  • Sandboxing

A sandbox is a security mechanism that prevents different applications from accessing each other. Each app on iOS has its own sandbox; the sandboxes are independent of one another and cannot be accessed by other apps (without a jailbreak).

  • Each application has its own storage space;
  • An application cannot reach outside its own space to access resources that do not belong to it;
  • Data requested by an application must pass a permission check; if the conditions are not met, the data cannot be obtained.

As we all know, the iOS sandbox gives each app its own individual resources: not only storage space, but also process scheduling and so on. The system isolates processes that behave abnormally, which keeps apps isolated from one another and keeps each app secure.
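To make the two sandbox rules above concrete (own container only, and a permission check for user data outside it), here is an added toy policy checker. It is illustrative code written for this post, not Apple’s sandbox implementation; the bundle identifier, container path, protected-resource paths and permission names are constructed example values, and paths are compared lexically (symlinks are not resolved). The containment check is the part worth studying: a naive string-prefix comparison would let `APP-10` read `APP-1`’s data and would miss `..` traversal, which is why the path is cleaned and compared with `filepath.Rel`.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Toy model of the two sandbox rules described above: an app may only touch
// paths inside its own container, and a request for user data outside the
// container must pass a permission check. Added illustration, not Apple's
// sandbox implementation; all names and paths are constructed.

// App is a constructed app identity: its container root and granted permissions.
type App struct {
	BundleID    string
	Container   string
	Permissions map[string]bool
}

// protectedResource is a path prefix outside every container that is gated by
// a user-consent permission (constructed example values).
type protectedResource struct {
	prefix     string
	permission string
}

var protectedResources = []protectedResource{
	{prefix: "/private/var/mobile/Media/DCIM", permission: "photos"},
	{prefix: "/private/var/mobile/Library/AddressBook", permission: "contacts"},
}

// insideDir reports whether path lies within dir after normalisation, so ".."
// segments, duplicate separators and the "APP-1" vs "APP-10" prefix trap are
// all handled. Symlinks are not resolved (assumption: paths are lexical).
func insideDir(dir, path string) bool {
	rel, err := filepath.Rel(filepath.Clean(dir), filepath.Clean(path))
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// Decide returns whether app may open path, and the rule that decided it.
func Decide(app App, path string) (bool, string) {
	if insideDir(app.Container, path) {
		return true, "inside own container"
	}
	for _, r := range protectedResources {
		if insideDir(r.prefix, path) {
			if app.Permissions[r.permission] {
				return true, "protected resource, permission '" + r.permission + "' granted"
			}
			return false, "protected resource, permission '" + r.permission + "' not granted"
		}
	}
	return false, "outside own container, no rule allows it"
}

func main() {
	app := App{
		BundleID:    "com.example.notes", // constructed
		Container:   "/private/var/mobile/Containers/Data/Application/APP-1",
		Permissions: map[string]bool{"photos": true}, // user consented to photos only
	}
	for _, p := range []string{
		app.Container + "/Documents/notes.txt",
		app.Container + "/../APP-2/Documents/secret.txt",
		"/private/var/mobile/Containers/Data/Application/APP-10/Documents/x",
		"/private/var/mobile/Media/DCIM/IMG_0001.JPG",
		"/private/var/mobile/Library/AddressBook/AddressBook.sqlitedb",
	} {
		ok, why := Decide(app, p)
		fmt.Printf("%-5v %s (%s)\n", ok, p, why)
	}
}
```

Running it shows the first and fourth requests allowed and the other three denied: the traversal and the look-alike container fall outside the app’s own directory, and the contacts database is refused because that permission was never granted.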

  • Digital Signature Validation

When an app is launched, the system checks the developer certificate embedded in the package, verifies the code signature, and authorizes the various app distribution models (i.e. the different types of signing certificates: individual, company, enterprise, etc.).
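The launch-time check just described has three steps in order: is the developer certificate really issued by the trusted root, does the code signature match the code, and is this certificate’s distribution type allowed on this device. The following is an added illustration of that ordering using Ed25519 and a one-level chain; it is not Apple’s certificate or CMS format, and the team ID, distribution type names, code bytes and the “consumer device” policy are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Toy model of the launch-time check described above: the package carries a
// developer certificate (here a developer public key, team ID and distribution
// type vouched for by a root key standing in for Apple) and a code signature
// over the app's code. The validator checks the certificate first, then the
// code signature, then whether that distribution type is allowed on the device.
// Added illustration; not Apple's certificate or signature format.

type DistType string

const (
	DistAppStore   DistType = "app-store"
	DistEnterprise DistType = "enterprise"
)

// DevCert is a minimal stand-in for a developer certificate.
type DevCert struct {
	TeamID  string
	Dist    DistType
	PubKey  ed25519.PublicKey
	RootSig []byte // root key's signature over tbs()
}

// tbs returns the bytes the root key vouches for (team, distribution type, key).
func (c DevCert) tbs() []byte {
	return append([]byte(c.TeamID+"|"+string(c.Dist)+"|"), c.PubKey...)
}

// Package is the signed bundle: code, embedded certificate, code signature.
type Package struct {
	Code []byte
	Cert DevCert
	Sig  []byte // developer signature over sha256(Code)
}

var (
	ErrBadCert        = errors.New("developer certificate not issued by trusted root")
	ErrBadSig         = errors.New("code signature does not match code")
	ErrDistNotAllowed = errors.New("distribution type not permitted on this device")
)

// Validate is the launch check: certificate chain, then code signature, then policy.
func Validate(root ed25519.PublicKey, pkg Package, allowed map[DistType]bool) error {
	if !ed25519.Verify(root, pkg.Cert.tbs(), pkg.Cert.RootSig) {
		return ErrBadCert
	}
	digest := sha256.Sum256(pkg.Code)
	if !ed25519.Verify(pkg.Cert.PubKey, digest[:], pkg.Sig) {
		return ErrBadSig
	}
	if !allowed[pkg.Cert.Dist] {
		return ErrDistNotAllowed
	}
	return nil
}

// IssueCert has the root key vouch for a developer key (the issuer's side).
func IssueCert(rootPriv ed25519.PrivateKey, teamID string, dist DistType, devPub ed25519.PublicKey) DevCert {
	c := DevCert{TeamID: teamID, Dist: dist, PubKey: devPub}
	c.RootSig = ed25519.Sign(rootPriv, c.tbs())
	return c
}

// SignPackage has the developer sign the code digest (the developer's side).
func SignPackage(devPriv ed25519.PrivateKey, cert DevCert, code []byte) Package {
	d := sha256.Sum256(code)
	return Package{Code: code, Cert: cert, Sig: ed25519.Sign(devPriv, d[:])}
}

// Scenario builds constructed keys and packages and returns the outcome of
// each launch check, keyed by case name.
func Scenario() map[string]error {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader) // a root the device never trusted

	code := []byte("constructed app binary bytes")
	storeCert := IssueCert(rootPriv, "TEAM123456", DistAppStore, devPub) // constructed team ID
	entCert := IssueCert(rootPriv, "TEAM123456", DistEnterprise, devPub)
	rogueCert := IssueCert(roguePriv, "TEAM123456", DistAppStore, devPub)
	consumerDevice := map[DistType]bool{DistAppStore: true} // constructed policy

	tampered := SignPackage(devPriv, storeCert, code)
	tampered.Code = []byte("constructed app binary bytes, patched after signing")

	return map[string]error{
		"valid":         Validate(rootPub, SignPackage(devPriv, storeCert, code), consumerDevice),
		"tampered-code": Validate(rootPub, tampered, consumerDevice),
		"rogue-root":    Validate(rootPub, SignPackage(devPriv, rogueCert, code), consumerDevice),
		"enterprise":    Validate(rootPub, SignPackage(devPriv, entCert, code), consumerDevice),
	}
}

func main() {
	for name, err := range Scenario() {
		fmt.Printf("%-14s -> %v\n", name, err)
	}
}
```

Only the untouched App Store package passes; patched code fails the signature step even though its certificate is fine, a certificate vouched for by an untrusted root fails before the code is even hashed, and a validly signed enterprise package is refused by the device policy rather than by cryptography, which is the “authorizes the distribution model” step.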



In summary, these operating system (iOS) security features are independent of the app distribution method.

Note: “app distribution” here refers mainly to Apple’s App Review. In other words, the security features of iOS itself do not depend on the app distribution channel, let alone on Apple’s App Review.

2.6 iOS App Review: security attributes



PDX-0081-12.png

As can be seen from the figure above, the professor compared Apple’s App Review with the iOS system on several security attributes:

  • Sandbox Compliance
  • Exploit Resistance
  • Malware Exclusion
  • User Consent for Private Data
  • Legal Compliance

The first three are enforced by both App Review and iOS, so let’s look at the point of difference, “User Consent for Private Data”. The professor says this is very difficult for Apple to verify in review: “weak, at best”. iOS, in the professor’s view, secures it by mediating the system’s API calls. Even so, it seems there is no way to completely prevent users’ private data from being collected and exploited.

The last one, “Legal Compliance”, the professor said is difficult for either Apple’s review or iOS to determine. Objectively speaking, human review actually can avoid some problems, such as copyright issues, so the professor’s point here doesn’t quite stand up. Of course, if an app changes its content after being carefully reviewed, that is a problem no review can avoid; if that is what he means, then it is consistent with the professor’s conclusion. That is my opinion.

If you have ever looked at jailbreaking or the lower layers of iOS, you have probably already come across sandboxing, ASLR, W^X, KIP and so on, so you will have some idea of what these terms mean.

2.7 iOS App distribution model: security features

To highlight the role of App Review, the professor summarized the current iOS app distribution methods:

  • App Store
  • Enterprise certificate signing
  • TestFlight testing

As can be seen from the picture, the professor wants to show that these channels are not affected by the App Review process. Author’s note: two things need correcting. First, TestFlight builds must be manually reviewed if they are to be opened to public testers; see TestFlight – Apple Developer for details. Second, besides the distribution methods above, there is also a method called “super signature”; for details, see this article: How to install an App on iOS outside of the AppStore.

2.8 macOS: app distribution model

After all of that, the professor turned around and finally returned to the topic of the debate, iOS vs macOS. Let’s start by explaining how macOS currently distributes apps:

  • Mac App Store
  • Third-party distribution (notarized)
  • Third-party distribution (not reviewed and not notarized)

Author’s note: starting with macOS 10.15, apps downloaded from the Internet that are not notarized will not open by default, so an app distributed outside the App Store must be uploaded to Apple’s servers for processing before release. Notarization means sending the package to an Apple server for verification (whether or not it contains malware); Apple then returns the verified package, which can be distributed to others for installation. For more information, see Apple’s official material: All About Notarization – WWDC 2019 – Videos – Apple Developer.

2.9 Comparison of the iOS and macOS software layers

As you can see from the figure, the core systems of iOS and macOS are shared, while the middleware has its own platform-specific handling. In other words, iOS and macOS have very similar security mechanisms at the operating system level.

Author’s note: at WWDC20 last year, Apple launched macOS 11 Big Sur and the ARM-based Apple Silicon M1 chip. In fact, the boot process of an M1 device is essentially the iPhone’s boot process carried over directly, because both are based on the ARM architecture. The iPhone’s design is already very mature, so the iPhone and the M1 (macOS Big Sur) are very similar in the underlying system. See WWDC20 for details: Explore the new system architecture of Apple silicon Macs – WWDC 2020 – Videos – Apple Developer.

2.10 How can macOS-style security be implemented on iOS?

Finally, from the similarities and differences in security between iOS and macOS, the professor concludes that three technical components would be needed to bring macOS-style security to iOS:

  • Notarization
  • Gatekeeper
  • Malware scanners

Note: Gatekeeper ensures that users install apps that come from the Mac App Store or that carry a developer signature. More specifically, it identifies apps from the Mac App Store, and identifies the developers of apps from outside the Mac App Store, thereby keeping some malware out. Official information: Advances in macOS Security – WWDC 2019 – Videos – Apple Developer, Safely open apps on your Mac – Apple Support, and Use access control – Apple support in macOS deployments.

Now the professor’s intention is clear!

“iOS could have been as open as macOS without compromising security.”

If the three macOS security features above were added to iOS, the protection of iOS apps would be further improved and the security of the iPhone further guaranteed. Of course, all of the professor’s arguments are based on technical security; what about the security provided by human review?

So, what do you think? Share your view in the comments section.

2.11 App distribution: design intent



At the end of the debate, the professor showed a summary picture comparing iOS and macOS.

This summary image is meant to show that for both iOS and macOS app distribution, the operating system is already secure, while Apple’s App Review only covers the App Store channel and notarized apps. Other distribution channels, such as Developer Enterprise certificates, TestFlight, and non-notarized third-party Mac apps, are not reviewed by Apple but do not currently present security problems.

So can Apple open up third-party distribution channels further?

Three, Summary

As you can see, the whole course of the professor’s argument is very interesting, and we can learn a lot about iOS from it. It really is a case of following the gossip and gaining knowledge at the same time!

As the professor said, the security of iOS would be equivalent to that of macOS once notarization, Gatekeeper and malware scanners are added, and adding those is not a big security problem. So it seems to make perfect sense to open up iOS the way macOS is, without requiring App Review!? Of course, Professor James Mickens’ testimony was used to support one of Epic Games’ core arguments against the iOS App Store. You can keep your own opinions and thoughts; you don’t have to accept it.

In the author’s opinion, from the perspective of security technology, the professor’s reasoning is very sound. From a technical security perspective, we should improve security through attack and defense and by learning from excellent designs (such as macOS), which is indeed worth iOS taking as a reference.

As for iOS’s human review system, the App Store system, there is no way to explain it in a sentence or two, so we will talk about Apple’s App Review in the next post. Stay tuned!

That’s all for today. If you have any questions, please share them in the comments section.

You can also send me a private message to get timely information about iOS development and interviews. If you have any comments or suggestions, please leave me a message.

Four, References

  • James Mickens – Wikipedia
  • What is a ‘Gordon McKay Professor’? – Quora
  • Explore the new system architecture of Apple silicon Macs – WWDC 2020 – Videos – Apple Developer
  • TestFlight – Apple Developer
  • How to install an App on iOS outside of the AppStore
  • All About Notarization – WWDC 2019 – Videos – Apple Developer
  • Safely open apps on your Mac – Apple Support
  • Advances in macOS Security – WWDC 2019 – Videos – Apple Developer
  • Use access control – Apple support in macOS deployments
  • Epic Games expert says iOS could be like macOS without security drawbacks | AppleInsider
  • Epic expert: Apple’s iOS could have been as open as MacOS, not compromised by security

