iOS App Security: 6 Ways How Apple Protects the User’s Data

Apple loves bragging about how secure their devices are. Not without reason: there are lots of security features you probably use daily, including code autofill, password reuse auditing, Safari built-in privacy, and many more. 

Same for developers. For example, Apple doesn't release their source code to app developers for security reasons. And the owners of iOS devices can't modify the code on their phones themselves. 

But there are many other, less-known security features Apple uses to prevent their devices from being hacked. 

We will discuss how exactly Apple handles user data protection on their devices and what security measures they take. I've divided the article into two parts, covering popular iOS security features for user data storage and transportation.

 

 

 

How Apple Handles Secure Data Storing

Apple has an extensive Apple Platform Security guide I'll be referring to throughout the article. This guide covers hardware security, data encryption, system security, and many other security-related issues. 

iOS-powered devices come with an A7 (or later version) processor and have a Secure Enclave Processor (a coprocessor) that provides an additional security layer. This processor powers iOS security features in a hardware-accelerated way.

Let’s start with the features Apple uses for secure data storing:

1. Apple App Sandbox 

Apps are one of the most critical elements of security architecture. While they give users productivity benefits, they may also affect the system's security and user data if not handled the right way. 

That's why users are supposed to download the iPhone, iPad, and iPod touch apps only from the App Store. Any company can create an app for iOS, but only the apps that comply with App Store guidelines will be published.

And these apps run in a sandbox, a directory they can use to store data in. 

Sandboxing helps protect all user data from unauthorized access, as apps can only use the data stored in their home directory. 

 

 

If an attacker tries to exploit security holes in your app, the sandbox will use a defensive mechanism that limits the app's access to files, preferences, network resources, and hardware.

 

2. Data Protection API

The Data Protection feature secures app files and prevents unauthorized access to them. It’s enabled as soon as the user sets a passcode for the device.

The process is automatic, hardware-accelerated, and invisible to the user. Users read and edit files the way they always do, while encryption and decryption happen behind the scenes.

There are four data protection levels:

  • No protection. The file is not encrypted and always accessible. 
  • Complete until the first authorization (the default level). The file is encrypted until the user unlocks their device for the first time. It remains decrypted until the shutdown or reboot of the device. 
  • Complete unless open. The file remains encrypted until the first time an app opens it. Then the data remains decrypted even if the device is locked.
  • Complete. The file is accessible only when the device is unlocked. 

If you don't choose the protection level when creating a file, iOS applies the default security level automatically. 

Sure, it’s better to use the highest protection level Apple offers. But if you need to access files in the background while the device stays locked, complete data encryption may not be the best option for you.
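The trade-off above, shown in Swift as an added example (not code from the original article or from Apple's guide): one file is written at the "Complete" level, another is deliberately kept at the default level for background access, and a small audit helper lists files that are not at "Complete". The type name `ProtectedFiles` and its method names are hypothetical.

```swift
import Foundation

// Added example; `ProtectedFiles` and its method names are hypothetical.
enum ProtectedFiles {
    /// "Complete": readable only while the device is unlocked.
    static func writeSecret(_ data: Data, to url: URL) throws {
        try data.write(to: url, options: [.atomic, .completeFileProtection])
    }

    /// Default level, chosen explicitly for data a background task must
    /// read while the device is locked (after the first unlock since boot).
    static func writeBackgroundReadable(_ data: Data, to url: URL) throws {
        try data.write(to: url,
                       options: [.atomic, .completeFileProtectionUntilFirstUserAuthentication])
    }

    /// Protection class currently recorded for a file, or nil if none is set.
    static func protection(of url: URL) throws -> FileProtectionType? {
        let attributes = try FileManager.default.attributesOfItem(atPath: url.path)
        return attributes[.protectionKey] as? FileProtectionType
    }

    /// Audit helper: entries at the top level of `directory` that are not
    /// stored at the "Complete" level.
    static func filesBelowComplete(in directory: URL) throws -> [URL] {
        let files = try FileManager.default.contentsOfDirectory(
            at: directory, includingPropertiesForKeys: nil)
        return try files.filter {
            try protection(of: $0) != FileProtectionType.complete
        }
    }

    /// Raise an existing file to "Complete" without rewriting its contents.
    static func upgradeToComplete(_ url: URL) throws {
        try FileManager.default.setAttributes(
            [.protectionKey: FileProtectionType.complete], ofItemAtPath: url.path)
    }
}
```

Run the audit on a physical device with a passcode set, since the iOS Simulator does not enforce these protection classes.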

 

3. Keychain

The keychain is a secure space used to store bits of data in an encrypted database. 

Each iOS application gets its own space in the keychain, a space no other app can access. There's no need to store encryption keys in your app: you rely on the system to provide the highest security level.

 


 

This feature is great for people who manage lots of online accounts and (in a perfect world) have a unique password for each. Remembering each new string of letters and numbers is impossible, while writing them down is insecure. The same goes for using one password for multiple accounts.

The keychain solves this problem by giving users a mechanism to store these chunks of data. It’s not limited to storing passwords, though. Users can also keep such information as credit card details or even short notes. 

 

 

How Secure Is Data Transmission

Just as important as safe data storage is the security of communication between an app and its remote counterparts.

Here are the security measures iOS offers for this case:

 

1. App Transport Security

There's a networking feature on iOS-powered devices called App Transport Security (ATS for short). ATS requires that all connections use HTTPS secured with the Transport Layer Security (TLS) protocol, unlike standard HTTP connections, which aren't encrypted.

If connections don't meet security specifications, ATS blocks them. But it can be configured to loosen up these restrictions (which Apple warns against, claiming that 'it reduces the security of your app').
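To see whether an app has loosened ATS, check the `NSAppTransportSecurity` dictionary in its Info.plist. The following Swift function is an added example (not from the original article) that reports each weakening setting and compares a loosened configuration with a strict one; the function name, the sample dictionaries and the domain are constructed for illustration.

```swift
import Foundation

/// Lists every setting in an NSAppTransportSecurity dictionary that loosens ATS.
func atsFindings(_ ats: [String: Any]?) -> [String] {
    guard let ats = ats else { return [] }   // key absent: ATS defaults apply
    var findings: [String] = []
    for key in ["NSAllowsArbitraryLoads", "NSAllowsArbitraryLoadsInWebContent",
                "NSAllowsArbitraryLoadsForMedia"] where (ats[key] as? Bool) == true {
        findings.append("\(key) is true: ATS is switched off for that traffic")
    }
    let domains = ats["NSExceptionDomains"] as? [String: [String: Any]] ?? [:]
    for (domain, rules) in domains.sorted(by: { $0.key < $1.key }) {
        if (rules["NSExceptionAllowsInsecureHTTPLoads"] as? Bool) == true {
            findings.append("\(domain): plain HTTP allowed")
        }
        if let minimum = rules["NSExceptionMinimumTLSVersion"] as? String,
           ["TLSv1.0", "TLSv1.1"].contains(minimum) {
            findings.append("\(domain): minimum TLS lowered to \(minimum)")
        }
        if (rules["NSExceptionRequiresForwardSecrecy"] as? Bool) == false {
            findings.append("\(domain): forward secrecy not required")
        }
    }
    return findings
}

// Constructed samples. In an app, read the shipped dictionary with
// Bundle.main.object(forInfoDictionaryKey: "NSAppTransportSecurity") as? [String: Any]
let loosened: [String: Any] = [
    "NSAllowsArbitraryLoads": true,
    "NSExceptionDomains": [
        "legacy.example.com": [
            "NSExceptionAllowsInsecureHTTPLoads": true,
            "NSExceptionMinimumTLSVersion": "TLSv1.0",
        ] as [String: Any],
    ],
]
let strict: [String: Any] = ["NSAllowsArbitraryLoads": false]

atsFindings(loosened).forEach { print("loosened:", $0) }
print("strict findings:", atsFindings(strict).count)
```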

 

 

2. TLS Pinning

HTTPS connections are checked by default. The system inspects the server certificate and checks if the certificate is valid for this domain. 

In theory, this should prevent the device from connecting to malicious servers. In fact, there are loopholes for cyber attackers to perform so-called 'man-in-the-middle' attacks. They do it by compromising a certificate authority or changing the user's device settings to trust another malicious certificate.

This way, attackers could access all messages sent between the client and the server. 

TLS pinning restricts which certificates are considered valid for a particular website, making sure the app communicates only with the verified server. iOS developers implement pinning by adding a list of valid certificates in their app bundle. The app checks if the certificate used by this server is on the list—and only then communicates with the server.
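The check described above, written as a `URLSession` delegate in Swift. This is an added example, not code from the original article: the class name, the host and the certificate file names passed to it are hypothetical, and it assumes DER-encoded `.cer` files in the app bundle and iOS 15 or later (for `SecTrustCopyCertificateChain`).

```swift
import Foundation
import Security

// Added example; the class name and its parameters are hypothetical.
final class PinnedSessionDelegate: NSObject, URLSessionDelegate {
    private let pinnedHost: String
    private let pinnedCertificates: Set<Data>   // DER bytes of each bundled .cer

    init(host: String, certificateNames: [String], bundle: Bundle = .main) {
        pinnedHost = host
        pinnedCertificates = Set(certificateNames.compactMap { name -> Data? in
            guard let url = bundle.url(forResource: name, withExtension: "cer") else {
                return nil
            }
            return try? Data(contentsOf: url)
        })
        super.init()
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition,
                                                  URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              space.host == pinnedHost,
              let trust = space.serverTrust else {
            completionHandler(.performDefaultHandling, nil)   // not the pinned host
            return
        }
        // Step 1: the default checks (chain, expiry, hostname) must still pass.
        // Step 2: the server's leaf certificate must be on the bundled list.
        // An empty list (missing .cer files) rejects every connection: fail closed.
        guard SecTrustEvaluateWithError(trust, nil),
              let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first,
              pinnedCertificates.contains(SecCertificateCopyData(leaf) as Data) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}
```

Pass an instance as the `delegate` when creating the `URLSession`, and bundle the server's next certificate before it rotates, otherwise the app stops connecting the day the old certificate is replaced.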

 

3. End-to-End Encryption

End-to-end encryption provides the highest level of security when it comes to data transportation. The information is protected with a key combined with your device passcode—the detail only the owner knows. 

Messages are encrypted in a way that only the sender or receiver can decrypt. Neither Apple nor your services can read this data.

 

 

Details like Apple Card transactions (iOS 12.4 or later), health and home data, search history, payment information, Wi-Fi passwords, and Siri information are stored in iCloud secured by end-to-end encryption.

 

 

 

FAQ

1. How does Apple protect users' privacy?

Apple offers quite a few pretty stringent privacy controls and security features for iOS users, including those for data storage and transportation. 

 

2. Is iOS really more secure than Android?

Apple offers lots of security features and doesn't release its source code to developers. That's why Apple's iOS operating system has long been considered more secure than Android. 

Still, that doesn't mean it can't be hacked.

 

3. How does Apple handle secure data storing?

The best-known iOS features for data storage: 

  • Sandboxing (every app has a sandbox, a directory it can use to store data in)
  • Data protection API (secures app files and prevents unauthorized access to them)
  • Keychain (a secure space used to store bits of data)

 

4. How secure is data transmission?

iOS has the following features for secure data transmission:

  • App Transport Security (requires that all connections use HTTPS with TLS protocol)
  • TLS pinning (restricts which certificates are considered valid for a particular website)
  • End-to-end encryption (protects data with a key combined with the device passcode)

 

Published on Jan 28, 2021
Written by Vitaly Kuprenko
Vitaly Kuprenko is a writer at Cleveroad, a web and mobile app development company headquartered in Ukraine. Vitaly enjoys iOS-powered devices on an everyday basis and is deeply concerned about its security level.
