Framework

Security

Secure the data your app manages, and control access to your app.

Overview

Use the Security framework to protect information, establish trust, and control access to software. Broadly, security services support these goals:

  • Establish a user’s identity (authentication) and then selectively grant access to resources (authorization).

  • Secure data, both on disk and in motion across a network connection.

  • Ensure the validity of code to be executed for a particular purpose.

As shown in Figure 1, you can also use lower level cryptographic resources to create new secure services. Cryptography is difficult and the cost of bugs typically so high that it's rarely a good idea to implement your own cryptography solution. Rely on the Security framework when you need cryptography in your app.

Figure 1

Tools to enable secure interaction with users, data, and code

Diagram showing your app sitting above the Security framework.

Topics

Authorization and Authentication

Password AutoFill

Streamline your app’s login and onboarding procedures.

Shared Web Credentials

Share credentials between iOS apps and their website counterparts.

Authorization Services

Access restricted areas of the operating system, and control access to particular features of your macOS app.

Authorization Plug-ins

Extend the authorization services API by creating plug-ins that can participate in authorization decisions.

Sessions

Manage login, authorization, and security sessions in macOS.

Secure Data

Keychain Services

Securely store small chunks of data on behalf of the user.

Secure Transport

Secure network communication using standardized transport layer security mechanisms.

Secure Code

Code Signing Services

Examine and validate signed code running on the system.

Notarizing Your App Before Distribution

Give users even more confidence in your software by submitting it to Apple for notarization.

Preparing Your App to Work with Pointer Authentication

Test your app against the arm64e architecture to ensure that it works seamlessly with enhanced security features.

Cryptography

Certificate, Key, and Trust Services

Establish trust using certificates and cryptographic keys.

Cryptographic Message Syntax Services

Cryptographically sign and encrypt S/MIME messages.

Randomization Services

Generate cryptographically secure random numbers.

Security Transforms

Perform cryptographic functions like encoding, encryption, signing, and signature verification.

ASN.1

Encode and decode Distinguished Encoding Rules (DER) and Basic Encoding Rules (BER) data streams.

Result Codes

Security Framework Result Codes

Evaluate result codes common to many Security framework functions.

Legacy Interfaces

Common Security Services Manager

A set of open source modules underpinning the legacy implementation of the Security framework.

Entitlements

App Sandbox Entitlement

A Boolean value that indicates whether the app may use access control technology to contain damage to the system and user data if an app is compromised.

Apple Events Entitlement

A Boolean value that indicates whether the app may send Apple Events to other apps.

com.apple.security.assets.movies.read-only

A Boolean value that indicates whether the app may have read-only access to the Movies folder.

com.apple.security.assets.movies.read-write

A Boolean value that indicates whether the app may have read-write access to the Movies folder.

com.apple.security.assets.music.read-only

A Boolean value that indicates whether the app may have read-only access to the Music folder.

com.apple.security.assets.music.read-write

A Boolean value that indicates whether the app may have read-write access to the Music folder.

com.apple.security.assets.pictures.read-only

A Boolean value that indicates whether the app may have read-only access to the Pictures folder.

com.apple.security.assets.pictures.read-write

A Boolean value that indicates whether the app may have read-write access to the Pictures folder.

Allow DYLD Environment Variables Entitlement

A Boolean value that indicates whether the app may be impacted by dyld environment variables, which can be used to inject code into the process.

Allow Execution of JIT-compiled Code Entitlement

A Boolean value that indicates whether the app may create writable and executable memory using the MAP_JIT flag.

Allow Unsigned Executable Memory Entitlement

A Boolean value that indicates whether the app may create writable and executable memory without using the MAP_JIT flag.

Debugging Tool Entitlement

A Boolean value that indicates whether the app is a debugger and may attach to other processes or get task ports.

Disable Executable Memory Protection Entitlement

A Boolean value that indicates whether to disable code signing protections while launching the app.

Disable Library Validation Entitlement

A Boolean value that indicates whether the app may load plug-ins or frameworks signed by other developers.

Audio Input Entitlement

A Boolean value that indicates whether the app may record audio using the built-in microphone and access audio input using Core Audio.

Bluetooth Entitlement

A Boolean value that indicates whether the app may interact with Bluetooth devices.

Camera Entitlement

A Boolean value that indicates whether the app may capture movies and still images using the built-in camera.

Microphone Entitlement

A Boolean value that indicates whether the app may use the microphone.

Print Entitlement

A Boolean value that indicates whether the app may print a document.

USB Entitlement

A Boolean value that indicates whether the app may interact with USB devices.

All Files Entitlement

A Boolean value that indicates whether the app may have access to all files.

Deprecated
Downloaded Files - Read Only Entitlement

A Boolean value that indicates whether the app may have read-only access to the Downloads folder.

Downloaded Files - Read/Write Entitlement

A Boolean value that indicates whether the app may have read-write access to the Downloads folder.

User-Selected Files - Read Only Entitlement

A Boolean value that indicates whether the app may have read-only access to files the user has selected using an Open or Save dialog.

User-Selected Files - Read/Write Entitlement

A Boolean value that indicates whether the app may have read-write access to files the user has selected using an Open or Save dialog.

com.apple.security.network.client

A Boolean value that indicates whether the app may have incoming network connections.

com.apple.security.network.server

A Boolean value that indicates whether the app may have outgoing network connections.

Address Book Entitlement

A Boolean value that indicates whether the app may have read-write access to contacts in the user's address book.

Calendars Entitlement

A Boolean value that indicates whether the app may have read-write access to the user's calendar.

Location Entitlement

A Boolean value that indicates whether the app may access location information from Location Services.

Photos Library Entitlement

A Boolean value that indicates whether the app may have read-write access to the user's Photos library.

Property List Keys

Property List Key ITSAppUsesNonExemptEncryption

A Boolean value indicating whether the app uses encryption.

Property List Key ITSEncryptionExportComplianceCode

The export compliance code provided by App Store Connect for apps that require it.

Property List Key NSAppleEventsUsageDescription

A message that tells the user why the app is requesting the ability to send Apple Events.

Property List Key NSSystemAdministrationUsageDescription

A message in macOS that tells the user why the app is requesting to manipulate the system configuration.