Hey guess what? Apple has a new security whitepaper! Apple only releases these things once every few years, and they represent the public’s only window into how iPhones and other Apple products secure the massive amounts of data entrusted to them.
Even though Apple hasn’t released a security whitepaper since September 2015 (or since iOS 9, if you prefer to measure time in software updates), there’s not much earth-shattering new information in the latest edition, which covers iOS 10.
This is probably a good sign for users: the fact that Apple isn't making many changes to the basic security architecture of the iPhone suggests it hasn't found flaws in that architecture serious enough to force a redesign. The company puts significant resources into testing its own security and invites outside researchers to do the same through its bug bounty program.
But Apple has rolled out plenty of new features and products in the last few years, and the security whitepaper reflects that. Here are some of the biggest new developments:
Touch ID opened to developers
When Apple first debuted Touch ID, it used customers' fingerprints solely for unlocking iPhones and approving purchases in Apple-controlled environments like iTunes and iBooks. iOS 8 let third-party apps request a fingerprint check through the LocalAuthentication framework, and starting in iOS 9 Apple went a step further: apps can create their own cryptographic keys inside the Secure Enclave and have every use of those keys gated on Touch ID, which is what makes biometric-approved logins possible. The whitepaper gives us a small update on the key generation and storage behind this:
With iOS 9 or later, developers can:
• Generate and use ECC keys inside Secure Enclave. These keys can be protected by Touch ID. Operations with these keys are always done inside Secure Enclave after Secure Enclave authorizes the use. Apps can access these keys using Keychain through SecKey. SecKeys are just references to the Secure Enclave keys and the keys never leave Secure Enclave.
By generating the codes on a one-time basis, Apple is able to offer access to Touch ID confirmations without re-using keys that could…
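The whitepaper's bullet above, turned into working Swift. This is an added example, not code from the whitepaper or from Apple's own documentation; it uses the iOS 10 SecKey API (SecKeyCreateRandomKey, SecKeyCreateSignature) rather than the older SecKeyGeneratePair/SecKeyRawSign calls an iOS 9 app would have used. The tag com.example.login-key, the prompt text and the nonce are assumed placeholders. It only runs on a physical device with a Secure Enclave and an enrolled fingerprint; the Simulator has no Secure Enclave and key generation fails there.

```swift
import Foundation
import Security

enum SecureEnclaveError: Error {
    case keychain(OSStatus)
    case cf(String)
}

/// Returns a reference to a P-256 private key that lives inside the Secure Enclave,
/// creating it on first use. The SecKey is only a handle; the private scalar is
/// never readable by the app, which is the point the whitepaper makes.
func secureEnclaveKey(tag: String, prompt: String) throws -> SecKey {
    let tagData = Data(tag.utf8)

    // 1. Look for an existing key. kSecUseOperationPrompt is the text Touch ID shows
    //    when this reference is later used to sign.
    let query: [String: Any] = [
        kSecClass as String: kSecClassKey,
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrApplicationTag as String: tagData,
        kSecUseOperationPrompt as String: prompt,
        kSecReturnRef as String: true,
    ]
    var found: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &found)
    if status == errSecSuccess, let key = found {
        return key as! SecKey
    }
    guard status == errSecItemNotFound else { throw SecureEnclaveError.keychain(status) }

    // 2. No key yet: generate one. The access control object is what ties the key to
    //    Touch ID. .privateKeyUsage means "authorize each private-key operation";
    //    .touchIDCurrentSet additionally invalidates the key if the set of enrolled
    //    fingerprints changes, so a finger added later cannot use it. The accessibility
    //    class must be a ThisDeviceOnly value for Secure Enclave keys.
    var cfErr: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        [.privateKeyUsage, .touchIDCurrentSet],
        &cfErr
    ) else {
        throw SecureEnclaveError.cf(String(describing: cfErr?.takeRetainedValue()))
    }

    // kSecAttrTokenIDSecureEnclave is what makes SecKeyCreateRandomKey generate the key
    // inside the enclave instead of in app memory. Only 256-bit EC keys are supported.
    let attributes: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,
            kSecAttrApplicationTag as String: tagData,
            kSecAttrAccessControl as String: access,
        ],
    ]
    guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &cfErr) else {
        throw SecureEnclaveError.cf(String(describing: cfErr?.takeRetainedValue()))
    }
    return key
}

/// Signs `message` with the enclave key. This is the call that triggers the Touch ID
/// prompt; after a successful match the enclave performs the ECDSA operation itself.
func signInEnclave(_ key: SecKey, message: Data) throws -> Data {
    let algorithm: SecKeyAlgorithm = .ecdsaSignatureMessageX962SHA256
    guard SecKeyIsAlgorithmSupported(key, .sign, algorithm) else {
        throw SecureEnclaveError.cf("algorithm not supported by this key")
    }
    var cfErr: Unmanaged<CFError>?
    // A cancelled or failed Touch ID prompt surfaces as an error here, not as a
    // silent fallback: treat it as "not authorized" and do not retry in a loop.
    guard let sig = SecKeyCreateSignature(key, algorithm, message as CFData, &cfErr) else {
        throw SecureEnclaveError.cf(String(describing: cfErr?.takeRetainedValue()))
    }
    return sig as Data
}

/// What the relying party does: verify against the exportable public half.
func verifySignature(publicKey: SecKey, message: Data, signature: Data) -> Bool {
    var cfErr: Unmanaged<CFError>?
    return SecKeyVerifySignature(publicKey, .ecdsaSignatureMessageX962SHA256,
                                 message as CFData, signature as CFData, &cfErr)
}

// Usage: a challenge-response login. The server sends a fresh nonce, the device
// signs it after a fingerprint match, and the server checks the signature with the
// public key it stored at enrollment. Tag and nonce are placeholders (assumed values).
do {
    let key = try secureEnclaveKey(tag: "com.example.login-key", prompt: "Sign in to Example")
    let publicKey = SecKeyCopyPublicKey(key)!
    let nonce = Data("constructed-server-nonce-9f3a".utf8)
    let signature = try signInEnclave(key, message: nonce)
    print("signature valid:", verifySignature(publicKey: publicKey, message: nonce, signature: signature))
} catch {
    print("Secure Enclave operation failed:", error)
}
```

Two things worth checking in a review of code like this: the key must be created with kSecAttrTokenIDSecureEnclave, otherwise SecKeyCreateRandomKey silently produces an ordinary software key that Touch ID "protects" only through the Keychain access policy; and the public key is the only material that should ever leave the device, so the server stores SecKeyCopyPublicKey's output at enrollment and never sees anything else.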