Other Security Resources
Now that you’ve read about the basics, there are a few more things you should learn. First, read these two documents:
App Sandbox Design Guide tells you the things you need to know about designing code to run in a sandboxed environment before you write the first line of code.
Secure Coding Guide describes in more detail how to design code in ways that maximize security, and also describes what you should do while actually writing the code to avoid security holes.
When you’re ready to test your code, read “Debug and Tune Your App” in Xcode Overview. This document explains how to use the static analyzer in Xcode, which is a great way to find a lot of common security bugs.
After reading those documents, consider reading some of the documents listed in the rest of this appendix.
Other Apple Documentation
Here are a few other Apple documents you might be interested in, depending on what technologies you want to learn more about.
Authentication and Authorization
Authentication, Authorization, and Permissions Guide provides additional information about authentication and authorization at a conceptual level. (OS X only)
Authorization Services Programming Guide and Authorization Services C Reference explain how to perform certain authorization-related tasks. (OS X only; note that many of these tasks, such as elevating privilege, are not allowed in a sandboxed environment)
Open Directory Programming Guide explains how to use Open Directory APIs to authenticate a user or obtain information about a user. (OS X only)
Security Interface Framework Reference describes the Objective-C interface to Authorization Services. This interface also provides a variety of security-related user interface elements. (OS X only)
Technical Note TN2095, Authorization for Everyone, also discusses the use of Authorization Services. (OS X only)
Cryptographic Services Guide describes encryption, decryption, signing, verifying, digital certificates, and other related concepts in more detail at a conceptual level.
Certificate, Key, and Trust Services Programming Guide and Certificate, Key, and Trust Services Reference explain how to work with certificates, keys, and other related technologies in more detail.
Code and Application Signing
“Creating Your Team’s Signing Certificates” in Developing for the App Store shows you how to set up code signing in Xcode.
Code Signing Guide tells you how to perform code signing on the command line and other unusual signing-related tasks.
“Advanced App Tricks” in iOS App Programming Guide explains how to use the iOS data protection feature in your app. (iOS only)
Secure Transport Reference tells how to make secure network connections at the socket layer. (OS X only)
Daemons and Services Programming Guide describes XPC services, which are the preferred way of launching and communicating with helper apps in a sandboxed environment. (OS X only)
Apple's Open Source website provides Apple’s open source security code. You can examine it to see which security protocols and algorithms are supported by Apple’s OS X and iOS security implementation and to find additional documentation.
The Security topic areas in the OS X Developer Library and the iOS Developer Library contain a number of security-specific release notes.
There are a number of excellent books on computer security that you should consider reading. Here are just a few of them, grouped into subject areas.
Lee, Graham J. Professional Cocoa Application Security, Wrox Professional Guides, 2010.
Howard, Michael, and David LeBlanc. Writing Secure Code (second edition), Microsoft Press, 2003.
Anderson, Ross. Security Engineering: A Guide to Building Dependable Distributed Systems, 2d ed. John Wiley & Sons, 2001.
Sutton, Michael, Adam Greene, and Pedram Amini. Fuzzing: Brute Force Vulnerability Discovery, Pearson Education, 2007.
Schneier, Bruce. Applied Cryptography. 2d ed. John Wiley & Sons. 1996.
Brands, Stefan. Rethinking PKI and Digital Certificates: Building in Privacy. The MIT Press. 2000.
Gray, John Shapley. Interprocess Communications in UNIX. 2d ed. Prentice Hall Professional. 1997.
Stevens, W. Richard. UNIX Network Programming: Interprocess Communications. Vol. 2, 2d ed. Prentice Hall Professional. 1998.
Stevens, W. Richard, Bill Fenner, and Andres M. Rudoff. UNIX Network Programming: The Sockets Networking API. Vol. 1. 3d ed. Addison Wesley Professional. 2004.
Garfinkel, Simson, Gene Spafford, and Alan Schwartz. Practical Unix & Internet Security. 3d ed. O’Reilly. 2003.
McKusick, Marshall Kirk, Keith Bostic, Michael Karels, and John Quarterman. The Design and Implementation of the 4.4 BSD Operating System. Addison-Wesley. 1996.
Standards and Protocol References
The following pages describe some of the standards, protocols, and algorithms used by Apple. Although many of these pages are fairly old, the standards have not changed enough to invalidate their usefulness.
For more information about the Common Criteria, including links to download the complete official criteria, see the Common Criteria portal at http://www.commoncriteriaportal.org/ and the website of the Common Criteria Evaluation and Validation Scheme (CCEVS) (http://www.niap-ccevs.org/cc-scheme/).
For information on Kerberos authentication, see the MIT Kerberos website.
See OS X Server Open Directory Administration available at http://www.apple.com/server/documentation/ for details on the services that support Kerberos and on how to implement a Kerberos KDC on your OS X server.
Other Secure Networking Protocols
The authentication model for HTTP is described in RFC 2617, HTTP Authentication: Basic and Digest Access Authentication.
Documentation of the AES encryption algorithm used for FileVault is available on the National Institute of Standards and Technology (NIST) website.