Other Security Resources
Now that you’ve read about the basics, there are a few more things you should learn. First, read these two documents:
App Sandbox Design Guide tells you the things you need to know about designing code to run in a sandboxed environment before you write the first line of code.
Secure Coding Guide describes in more detail how to design code in ways that maximize security, and also describes what you do while actually writing the code to avoid security holes.
When you’re ready to test your code, the static analyzer in Xcode is a great tool for uncovering a lot of common security bugs. Read Xcode Help to learn more about the kinds of testing and analysis that you can perform with Xcode.
After reading those documents, consider reading some of the documents listed in the rest of this appendix.
Other Apple Documentation
Here are a few other Apple documents you might be interested in, depending on what technologies you want to learn more about.
Authentication and Authorization
Authentication, Authorization, and Permissions Guide provides additional information about authentication and authorization at a conceptual level. (macOS only)
Authorization Services Programming Guide and Authorization Services C Reference explain how to perform certain authorization-related tasks. (macOS only; note that many of these tasks, such as elevating privilege, are not allowed in a sandboxed environment)
Open Directory Programming Guide explains how to use Open Directory APIs to authenticate a user or obtain information about a user. (macOS only)
Security Interface Framework Reference describes the Objective-C interface to Authorization Services. This interface also provides a variety of security-related user interface elements. (macOS only)
Technical Note TN2095, Authorization for Everyone, also discusses the use of Authorization Services. (macOS only)
Cryptographic Services Guide describes encryption, decryption, signing, verifying, digital certificates, and other related concepts in more detail at a conceptual level.
Security Transforms Programming Guide and Security Transforms Reference describe the preferred macOS API for most cryptographic tasks. (macOS only)
Certificate, Key, and Trust Services explains how to work with certificates, keys, and other related technologies in more detail.
Code And Application Signing
Configuring Identity and Team Settings in App Distribution Guide shows you how to set up code signing in Xcode.
Code Signing Guide tells you how to perform code signing on the command line and other unusual signing-related tasks.
CFNetwork Programming Guide and URL Loading System Programming Guide explain how to make secure network connections using high-level APIs.
Secure Transport Reference tells how to make secure network connections at the socket layer. (macOS only)
Daemons and Services Programming Guide describes XPC services, which is the preferred way of launching and communicating with helper apps in a sandboxed environment. (macOS only)
Apple's Open Source website provides Apple’s open source security code. You can examine it to see which security protocols and algorithms are supported by Apple’s macOS and iOS security implementation and to find additional documentation.
The Security topic areas in the macOS Developer Library and the iOS Developer Library contain a number of security-specific release notes.
There are a number of excellent books on computer security that you should consider reading. Here are just a few of them, grouped into subject areas.
Lee, Graham J. Professional Cocoa Application Security, Wrox Professional Guides, 2010.
Howard, Michael, and David LeBlanc. Writing Secure Code (second edition), Microsoft Press, 2003.
Anderson, Ross. Security Engineering: A Guide to Building Dependable Distributed Systems, 2d ed. John Wiley & Sons, 2001.
Sutton, Michael, Adam Greene, and Pedram Amini. Fuzzing: Brute Force Vulnerability Discovery, Pearson Education, 2007.
Schneier, Bruce. Applied Cryptography. 2d ed. John Wiley & Sons. 1996.
Brands, Stefan. Rethinking PKI and Digital Certificates: Building in Privacy. The MIT Press. 2000.
Gray, John Shapley. Interprocess Communications in UNIX. 2d ed. Prentice Hall Professional. 1997.
Stevens, W. Richard. UNIX Network Programming: Interprocess Communications. Vol. 2, 2d ed. Prentice Hall Professional. 1998.
Stevens, W. Richard, Bill Fenner, and Andres M. Rudoff. UNIX Network Programming: The Sockets Networking API. Vol. 1. 3d ed. Addison Wesley Professional. 2004.
Garfinkel, Simson, Gene Spafford, and Alan Schwartz. Practical Unix & Internet Security. 3d ed. O’Reilly. 2003.
McKusick, Marshall Kirk, Keith Bostic, Michael Karels, and John Quarterman. The Design and Implementation of the 4.4 BSD Operating System. Addison-Wesley. 1996.
Standards and Protocol References
The following pages describe some of the standards, protocols, and algorithms used by Apple. Although many of these pages are fairly old, the standards have not changed enough to invalidate their usefulness.
For more information about the Common Criteria, including links to download the complete official criteria, see the Common Criteria portal at http://www.commoncriteriaportal.org/ and the website of the Common Criteria Evaluation and Validation Scheme (CCEVS) (http://www.niap-ccevs.org/cc-scheme/).
For information on Kerberos authentication, see the MIT Kerberos website.
See macOS server help for details on the services that support Kerberos and on how to implement a Kerberos KDC on your macOS server.
Other Secure Networking Protocols
The authentication model for HTTP is described in RFC 2617, HTTP Authentication: Basic and Digest Access Authentication.
Documentation of the AES encryption algorithm used for FileVault is available on the National Institute of Standards and Technology (NIST) website.