
Security Overview

Mac OS X offers a large selection of system-level security, authentication, and cryptographic services that you can use to easily add security to your products. You can also extend some of the built-in services of Mac OS X to offer custom security features, such as managing certificates, public and private keys, and restricting access to parts of your application. Process sandboxing prevents code from accessing things that it shouldn't, including files, network resources, and other applications.

The reliable security technologies in Mac OS X are built on top of the robust open source Common Data Security Architecture (CDSA) API. CDSA is a set of layered security services and cryptographic frameworks that provide the infrastructure for creating interoperable, security-enabled applications for client-server environments. The CDSA solutions cover all the essential components of security capability to secure electronic commerce and other business applications with services that handle cryptography, certificate management, trust policy management, and key recovery. To make it easier for you to add such features as authorization and evaluation of digital certificates to your applications, Mac OS X provides a set of security APIs layered on top of CDSA in the Security framework.

For starters, you can use the Secure Transport library to access the Secure Sockets Layer (SSL) version 3 protocol, which ensures secure transport of server-based transactions by providing a layer of public-key encryption on top of any TCP connection. Apple provides high-level access to Secure Transport in the Web Kit and CFNetwork APIs.

You can use the Certificate, Key, and Trust Services API for managing certificates, public and private keys, and trust policies in your Carbon, Cocoa, and UNIX applications. You can use these services to determine identity by matching a certificate with a private key, create and request certificates, create public-private key pairs, and represent trust policies. Or use Keychain Services, an API for securely managing public and private keys, certificates, and trust policies. Mac OS X uses Keychain Services to store its database of root certificates. Keychain Services also ensures a uniform way to handle passwords for multiple accounts, such as email or scheduling programs; multiple databases, such as banking or insurance programs; and any situation in which a user must enter single or multiple passwords, such as when accessing websites with a browser. Each item in a keychain includes an access control list (ACL) for fine-grained control.

Mac OS X improves flexibility by using separate keychains for system-provided certificates, admin certificates, and per-user certificates. In addition, the Common Crypto library provides encryption and digest API functions for commonly used cryptographic utilities. Symmetric encryption and HMAC are available, and include support for AES 128/192/256, DES, 3DES, CAST, and RC4.
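The Common Crypto symmetric encryption and HMAC functions mentioned above can be combined into an encrypt-then-MAC construction; the following is an added example, not Apple sample code. The function names `SealMessage` and `OpenMessage`, the message layout, the use of `SecRandomCopyBytes` for the IV, and the demo keys are assumptions made for this illustration.

```objective-c
// Added example. Layout chosen here: IV (16) || AES-128-CBC ciphertext || HMAC-SHA256 tag (32).
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <CommonCrypto/CommonCryptor.h>
#import <CommonCrypto/CommonHMAC.h>

static NSData *SealMessage(NSData *plain, NSData *encKey, NSData *macKey) {
    if (encKey.length != kCCKeySizeAES128) return nil;
    uint8_t iv[kCCBlockSizeAES128];  // fresh random IV for every message
    if (SecRandomCopyBytes(kSecRandomDefault, sizeof iv, iv) != errSecSuccess) return nil;
    NSMutableData *out = [NSMutableData dataWithBytes:iv length:sizeof iv];
    NSMutableData *ct = [NSMutableData dataWithLength:plain.length + kCCBlockSizeAES128];
    size_t moved = 0;
    if (CCCrypt(kCCEncrypt, kCCAlgorithmAES128, kCCOptionPKCS7Padding,
                encKey.bytes, encKey.length, iv, plain.bytes, plain.length,
                ct.mutableBytes, ct.length, &moved) != kCCSuccess) return nil;
    [out appendBytes:ct.bytes length:moved];
    uint8_t tag[CC_SHA256_DIGEST_LENGTH];  // the MAC covers both IV and ciphertext
    CCHmac(kCCHmacAlgSHA256, macKey.bytes, macKey.length, out.bytes, out.length, tag);
    [out appendBytes:tag length:sizeof tag];
    return out;
}

static NSData *OpenMessage(NSData *sealed, NSData *encKey, NSData *macKey) {
    const size_t ivLen = kCCBlockSizeAES128, tagLen = CC_SHA256_DIGEST_LENGTH;
    if (encKey.length != kCCKeySizeAES128 || sealed.length < 2 * ivLen + tagLen) return nil;
    const uint8_t *p = sealed.bytes;
    size_t bodyLen = sealed.length - tagLen, moved = 0;
    uint8_t tag[CC_SHA256_DIGEST_LENGTH], diff = 0;
    CCHmac(kCCHmacAlgSHA256, macKey.bytes, macKey.length, p, bodyLen, tag);
    for (size_t i = 0; i < tagLen; i++) diff |= tag[i] ^ p[bodyLen + i];  // constant-time compare
    if (diff != 0) return nil;  // reject before any decryption or padding check
    NSMutableData *pt = [NSMutableData dataWithLength:bodyLen - ivLen];
    if (CCCrypt(kCCDecrypt, kCCAlgorithmAES128, kCCOptionPKCS7Padding,
                encKey.bytes, encKey.length, p, p + ivLen, bodyLen - ivLen,
                pt.mutableBytes, pt.length, &moved) != kCCSuccess) return nil;
    pt.length = moved;  // drop the PKCS#7 padding bytes
    return pt;
}

int main(void) {
    @autoreleasepool {  // keys below are constructed demo values, not real secrets
        NSData *ek = [@"0123456789abcdef" dataUsingEncoding:NSASCIIStringEncoding];
        NSData *mk = [@"constructed-demo-mac-key-32bytes" dataUsingEncoding:NSASCIIStringEncoding];
        NSMutableData *box = [SealMessage([@"hello" dataUsingEncoding:NSUTF8StringEncoding], ek, mk) mutableCopy];
        NSLog(@"round trip ok: %d", OpenMessage(box, ek, mk) != nil);
        ((uint8_t *)box.mutableBytes)[20] ^= 1;  // flip one ciphertext bit
        NSLog(@"tampered copy rejected: %d", OpenMessage(box, ek, mk) == nil);
    }
}
```

Build with `clang -framework Foundation -framework Security` on a Mac; the encryption key and the MAC key should be independent keys.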

With the Certificate Preference API, you can find the preferred ID for a given name or URI, as well as find someone's preferred certificate, such as for email encryption. Mac OS X also allows you to generate certificates and include them in signed email invitations, so the user knows he or she can trust your certificate.

Authorization Services defines a programming interface that facilitates fine-grained control of privileged operations, such as accessing restricted areas of the operating system and parts of your Mac OS X application. You can use Authorization Services to create locked preference panes and install privileged parts of the application.

The Authorization Plug-in API enables you to create plug-ins that participate in authorization decisions. A typical use for authorization plug-ins is to implement policies that are not included in the standard authorization configuration. For example, you could write a plug-in that authorizes a user to send a fax by requiring a personal identification number (PIN) for a specific fax machine.

Mac OS X also offers support for smart cards, allowing multiple users to share systems while keeping personal data and settings private. The Smart Card Services SDK allows you to write PC/SC-compliant applications and drivers on Mac OS X. PC/SC is a standard that builds upon existing industry smart card standards and complements them by defining low-level device interfaces and device-independent application APIs, and also by managing resources, which allows multiple applications to share smart card devices attached to a system. Smart cards can be used to restrict access to systems and networks, yet provide easy access to personal settings and data for authorized users.

The integrated security services of Mac OS X (TCP encryption, certificate and key management services, secure password storage in keychains, fine-grained control of privileged operations, and support for smart cards) give you a simple and smooth way to incorporate security into your applications, while process sandboxing protects system and network resources from access by untrusted code.


Updated: 2007-10-26