Security - Apple Developer (2023)

Apple devices, platforms, and services provide world-class security and privacy to our users, with powerful APIs for you to leverage in your own apps.

Authentication

Face ID and Touch ID

These secure ways to unlock, authenticate, and pay let users quickly access your app with just a glance or a touch of their finger. The Secure Enclave, a hardware-based security processor isolated from the rest of the system, encrypts and protects the user’s data.

Apple Pay

Apple Pay provides an easy and secure way to pay using Face ID or Touch ID, or by double-clicking Apple Watch. Users can quickly provide their payment, shipping, and contact information to check out. And because you don’t receive any credit or debit card numbers, you don't need to handle sensitive data when customers use Apple Pay.

Sign in with Apple

Your users can easily sign in to your apps and websites using their Apple ID. Instead of filling out forms, verifying email addresses, and choosing new passwords, they can use Sign in with Apple to set up an account and start using your app right away.

Automatic strong passwords

Password AutoFill simplifies login and account creation tasks for iOS and iPadOS apps, as well as websites. With just a few taps, your users can create and save unique, strong passwords or log in to an existing account. They don’t even need to know their password — the system handles everything.

Passkeys

Based on industry standards for account authentication, passkeys replace passwords with cryptographic key pairs, making them easier to use and far more secure. Adopt passkeys to give people a simple, secure way to sign in to your apps and websites across platforms — with no passwords required.

Making secure connections

A range of APIs on Apple platforms enables your apps to employ secure network connections and to benefit from OS-level security policies.

App Transport Security (ATS)

ATS establishes best-practice policies for secure network communications using Apple platforms, employing Transport Layer Security (TLS) version 1.2, forward secrecy, and strong cryptography.

  • NSAppTransportSecurity

Secure Transport API

Use Apple’s secure transport API to employ current versions of the Secure Sockets Layer (SSL), Transport Layer Security (TLS), and Datagram Transport Layer Security (DTLS) cryptographic protocols for network communications.

  • Secure Transport Reference

Supported algorithms

Starting with iOS 10 and macOS 10.12, the RC4 cipher suite is disabled by default. In addition, Apple recommends that your servers use certificates signed with the SHA-2 cryptographic function.

  • What’s New in Security

DeviceCheck and the App Attest API

Protect against security threats to your iOS, iPadOS, and tvOS apps and reduce fraudulent use of your services by managing device states and asserting app integrity. The DeviceCheck services provide information that you can integrate into an overall antifraud strategy for your app and risk assessment for a given device.

Using the DeviceCheck service, a token on your server can set and query two binary digits of data per device — for example, to flag a device you’ve determined to be fraudulent — while maintaining user privacy. And with App Attest, you can generate a special cryptographic key on a device running iOS 14, iPadOS 14, and tvOS 15 or later, and use that key to validate the integrity of your app before your server provides access to sensitive data.

  • DeviceCheck Framework

Certificate Trust APIs and Certificate Transparency

Strong encryption for your network connections is not enough. To help ensure your app is connecting to the right server, employ Apple’s Certificate Trust APIs and Certificate Transparency.

Protecting user data

Apple platforms provide a variety of features for protecting user data.

Purpose strings

Purpose strings let you statically declare the sensitive data and resources your app employs.

  • API guidance for using purpose strings
  • Information Property List Key Reference

Copying and pasting sensitive data

Take advantage of privacy options when allowing users to copy and paste sensitive data in your apps on iPhone or iPad.

  • UIPasteboard Class Reference

Keychain and iCloud Keychain

Keychain and iCloud Keychain provide a secure repository for sensitive user data, such as certificates, keys, passwords, and notes.

  • Keychain Services
  • Configuring Keychain Sharing

App sandboxing

Protect Mac systems and users by limiting the privileges of an app to its intended functionality, increasing the difficulty for malicious software to compromise users’ systems.

  • App Sandbox

Executing code securely

Apple platforms protect users with secure code execution. Xcode, Apple’s integrated development environment (IDE), directly provides code signing for iOS, iPadOS, macOS, tvOS, and watchOS apps that you distribute on the App Store.

Sign your apps with Developer ID

Gatekeeper on macOS helps protect users from downloading and installing malicious software distributed outside the Mac App Store by checking for a Developer ID certificate.

  • Developer ID and Gatekeeper
  • Code Signing Guide
  • macOS Code Signing In Depth

Notarize your apps

If distributing your Mac app outside of the Mac App Store, sign and upload your app to Apple to be notarized to certify your app is genuine and to perform a security check.

  • Notarizing macOS Software Before Distribution
  • Xcode Help: Distribute outside the Mac App Store

Cryptographic interfaces

Apple platforms offer a comprehensive set of low-level APIs for developing cryptographic solutions within your apps.

Apple CryptoKit

Perform cryptographic operations securely and efficiently in your app.

  • CryptoKit

Common Crypto library

The Common Crypto library supports symmetric encryption, hash-based message authentication codes, and digests.

  • Cryptographic Services Guide
  • Common Crypto on Apple Open Source

SecKey API for asymmetric keys

SecKey provides a unified asymmetric key API across Apple platforms.

  • Certificate, Key, and Trust Services: Keys

CryptoTokenKit for smart card support

The CryptoTokenKit framework provides first-class access for working with smart cards and other cryptographic devices in macOS.

  • CryptoTokenKit

Security fundamentals and resources

These resources provide background information and support for security on Apple platforms.

Guides

  • Apple Platform Security
  • Apple Product Security

Programs

  • Apple Security Research Device Program
  • Apple Security Bounty
  • Apple Root Certificate Program

corecrypto

Both the Security framework and Common Crypto rely on the corecrypto library to provide implementations of low-level cryptographic primitives. This is also the library submitted for validation of compliance with U.S. Federal Information Processing Standards (FIPS) 140-2/-3. Visit the Security Certifications and Compliance Center for up-to-date information on corecrypto validations. Although corecrypto does not directly provide programming interfaces for developers and should not be used by iOS, iPadOS, or macOS apps, the source code is available to allow for verification of its security characteristics and correct functioning.

APPLE INC.
CORECRYPTO INTERNAL USE LICENSE AGREEMENT

PLEASE READ THE FOLLOWING CORECRYPTO INTERNAL USE LICENSE AGREEMENT (“AGREEMENT”) CAREFULLY BEFORE DOWNLOADING OR USING THE APPLE SOFTWARE (AS DEFINED BELOW). THESE TERMS AND CONDITIONS CONSTITUTE A LEGAL AGREEMENT BETWEEN YOU AND APPLE.

IMPORTANT NOTE: BY DOWNLOADING OR USING THE APPLE SOFTWARE, YOU REPRESENT THAT YOU ARE AN AUTHORIZED REPRESENTATIVE FOR YOUR APPLE DEVELOPER ACCOUNT AND THAT YOU HAVE READ AND AGREE TO THE TERMS OF THIS AGREEMENT.

1. As used in this Agreement, the term “Apple Software” collectively means and includes all of the Apple corecrypto materials provided by Apple here, including but not limited to the Apple corecrypto software, frameworks, libraries, documentation and other Apple-created materials. In consideration of your agreement to abide by the following terms, conditioned upon your compliance with these terms and subject to these terms, Apple grants you, for a period of ninety (90) days from the date you download the Apple Software, a limited, non-exclusive, non-sublicensable license under Apple’s copyrights in the Apple Software to make a reasonable number of copies of, compile, and run the Apple Software internally within your organization only on devices and computers you own or control, for the sole purpose of verifying the security characteristics and correct functioning of the Apple Software; provided that you must retain this notice and the following text and disclaimers in all copies of the Apple Software that you make. You may not, directly or indirectly, redistribute the Apple Software or any portions thereof. The Apple Software is only licensed and intended for use as expressly stated above and may not be used for other purposes or in other contexts without Apple's prior written permission. Except as expressly stated in this notice, no other rights or licenses, express or implied, are granted by Apple herein.

2. The Apple Software is provided by Apple on an "AS IS" basis. APPLE MAKES NO WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, REGARDING THE APPLE SOFTWARE OR ITS USE AND OPERATION ALONE OR IN COMBINATION WITH YOUR PRODUCTS, SYSTEMS, OR SERVICES. APPLE DOES NOT WARRANT THAT THE APPLE SOFTWARE WILL MEET YOUR REQUIREMENTS, THAT THE OPERATION OF THE APPLE SOFTWARE WILL BE UNINTERRUPTED OR ERROR-FREE, THAT DEFECTS IN THE APPLE SOFTWARE WILL BE CORRECTED, OR THAT THE APPLE SOFTWARE WILL BE COMPATIBLE WITH FUTURE APPLE PRODUCTS, SOFTWARE OR SERVICES. NO ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY APPLE OR AN APPLE AUTHORIZED REPRESENTATIVE WILL CREATE A WARRANTY.

3. IN NO EVENT SHALL APPLE BE LIABLE FOR ANY DIRECT, SPECIAL, INDIRECT, INCIDENTAL OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ARISING IN ANY WAY OUT OF THE USE, REPRODUCTION, COMPILATION OR OPERATION OF THE APPLE SOFTWARE, HOWEVER CAUSED AND WHETHER UNDER THEORY OF CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, EVEN IF APPLE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

4. This Agreement is effective until terminated. Your rights under this Agreement will terminate automatically without notice from Apple if you fail to comply with any term(s) of this Agreement. Upon termination, you agree to cease all use of the Apple Software and destroy all copies, full or partial, of the Apple Software. This Agreement will be governed and construed in accordance with the laws of the State of California, without regard to its choice of law rules.

You may report security issues about Apple products to product-security@apple.com, as described here: https://www.apple.com/support/security/. Non-security bugs and enhancement requests can be made via https://bugreport.apple.com as described here: https://developer.apple.com/bug-reporting/

EA1350
10/5/2015


Author: Fredrick Kertzmann

Last Updated: 08/04/2023
