Other Security Resources
Now that you’ve read about the basics, there are a few more things you should learn. First, read these two documents:
App Sandbox Design Guide tells you the things you need to know about designing code to run in a sandboxed environment before you write the first line of code.
Secure Coding Guide describes in more detail how to design code in ways that maximize security, and also describes what you do while actually writing the code to avoid security holes.
When you’re ready to test your code, the static analyzer in Xcode is a great tool for uncovering a lot of common security bugs. Read Xcode Help to learn more about the kinds of testing and analysis that you can perform with Xcode.
After reading those documents, consider reading some of the documents listed in the rest of this appendix.
Other Apple Documentation
Here are a few other Apple documents you might be interested in, depending on what technologies you want to learn more about.
Authentication and Authorization
Authentication, Authorization, and Permissions Guide provides additional information about authentication and authorization at a conceptual level. (macOS only)
Authorization Services Programming Guide and Authorization Services C Reference explain how to perform certain authorization-related tasks. (macOS only; note that many of these tasks, such as elevating privilege, are not allowed in a sandboxed environment)
Open Directory Programming Guide explains how to use Open Directory APIs to authenticate a user or obtain information about a user. (macOS only)
Security Interface Framework Reference describes the Objective-C interface to Authorization Services. This interface also provides a variety of security-related user interface elements. (macOS only)
Technical Note TN2095, Authorization for Everyone, also discusses the use of Authorization Services. (macOS only)
Cryptography
Cryptographic Services Guide describes encryption, decryption, signing, verifying, digital certificates, and other related concepts in more detail at a conceptual level.
Security Transforms Programming Guide describes a macOS API for certain cryptographic tasks. (macOS only)
Certificate, Key, and Trust Services Reference explains how to work with certificates, keys, and other related technologies in more detail.
Code And Application Signing
Cryptography Concepts In Depth in Cryptographic Services Guide explains code signing concepts in greater depth.
Code Signing Guide tells you how to perform code signing on the command line and other unusual signing-related tasks.
Secure Storage
Keychain Services Reference explains how to use the keychain in your code.
Protecting Data Using On-Disk Encryption in App Programming Guide for iOS explains how to use the iOS data protection feature in your app. (iOS only)
Secure Networking
CFNetwork Programming Guide and URL Loading System explain how to make secure network connections using high-level APIs.
Secure Transport Reference tells how to make secure network connections at the socket layer. (macOS only)
Privilege Separation
Designing Secure Helpers and Daemons in Secure Coding Guide provides guidance on how to securely perform privilege separation.
Daemons and Services Programming Guide describes XPC services, which are the preferred way of launching and communicating with helper apps in a sandboxed environment. (macOS only)
Miscellaneous
Apple's Open Source website provides Apple’s open source security code. You can examine it to see which security protocols and algorithms are supported by Apple’s macOS and iOS security implementation and to find additional documentation.
The Security topic areas in the macOS Developer Library and the iOS Developer Library contain a number of security-specific release notes.
Third-Party Documentation
There are a number of excellent books on computer security that you should consider reading. Here are just a few of them, grouped into subject areas.
Cocoa Security
Lee, Graham J. Professional Cocoa Application Security, Wrox Professional Guides, 2010.
Threat Modeling
Howard, Michael, and David LeBlanc. Writing Secure Code (second edition), Microsoft Press, 2003.
Anderson, Ross. Security Engineering: A Guide to Building Dependable Distributed Systems, 2d ed. John Wiley & Sons, 2001.
Fuzz Testing
Sutton, Michael, Adam Greene, and Pedram Amini. Fuzzing: Brute Force Vulnerability Discovery, Pearson Education, 2007.
Cryptography
Schneier, Bruce. Applied Cryptography. 2d ed. John Wiley & Sons. 1996.
Brands, Stefan. Rethinking PKI and Digital Certificates: Building in Privacy. The MIT Press. 2000.
Secure Networking
Gray, John Shapley. Interprocess Communications in UNIX. 2d ed. Prentice Hall Professional. 1997.
Stevens, W. Richard. UNIX Network Programming: Interprocess Communications. Vol. 2, 2d ed. Prentice Hall Professional. 1998.
Stevens, W. Richard, Bill Fenner, and Andrew M. Rudoff. UNIX Network Programming: The Sockets Networking API. Vol. 1. 3d ed. Addison Wesley Professional. 2004.
General
Garfinkel, Simson, Gene Spafford, and Alan Schwartz. Practical Unix & Internet Security. 3d ed. O’Reilly. 2003.
Viega, John, and Gary McGraw. Building Secure Software. Addison-Wesley Professional. 2002.
McKusick, Marshall Kirk, Keith Bostic, Michael Karels, and John Quarterman. The Design and Implementation of the 4.4 BSD Operating System. Addison-Wesley. 1996.
Standards and Protocol References
The following pages describe some of the standards, protocols, and algorithms used by Apple. Although many of these pages are fairly old, the standards have not changed enough to invalidate their usefulness.
Common Criteria
For more information about the Common Criteria, including links to download the complete official criteria, see the Common Criteria portal at http://www.commoncriteriaportal.org/ and the website of the Common Criteria Evaluation and Validation Scheme (CCEVS) (http://www.niap-ccevs.org/cc-scheme/).
Kerberos
For information on Kerberos authentication, see the MIT Kerberos website.
See macOS server help for details on the services that support Kerberos and on how to implement a Kerberos KDC on your macOS server.
Other Secure Networking Protocols
The authentication model for HTTP is described in RFC 2617, HTTP Authentication: Basic and Digest Access Authentication.
For information on the SSL protocol for secure networking, see the IETF SSL Version 3.0 Draft Specification. For the TLS protocol, see the TLS Working Group website and RFC 5246.
Documentation of the AES encryption algorithm used for FileVault is available on the National Institute of Standards and Technology (NIST) website.
Copyright © 2012 Apple Inc. All Rights Reserved. Updated: 2012-12-13