Security Starting Point
Get Up and Running
To get a high-level view of OS X security features, start with Security Overview. It describes the OS X security architecture, introduces important security concepts (such as authentication, permissions, access control lists (ACLs), and digital certificates), and gives an overview of the security APIs provided by OS X.
To learn how to protect your users from unauthorized use of their data or an attack on their system through vulnerabilities in your application, read Secure Coding Guide.
To work seamlessly with built-in security features in the OS X operating system and to give your users the best-possible experience, you must add a digital signature to your application. To get started, read Code Signing Guide.
Using Certificates and Cryptographic Keys
You use digital certificates for a variety of purposes, including signing data, authenticating users over a network, and encrypting data. Certificates use and store public cryptographic keys. The combination of a certificate and a private key is known as an identity and is used in authentication and encryption applications.
To learn more about how certificates and keys are used to identify users and processes and to establish trust, read Certificate, Key, and Trust Services Programming Guide.
Working with Encryption
If you are exclusively working with symmetric encryption, public-key signing and verifying, or Base64 encoding, use the higher-level Security Transforms API. To learn how to use Security Transforms, read Security Transforms Programming Guide.
If you need asymmetric encryption, SSL, or other functionality that isn’t present in Security Transforms, use the lower-level Common Crypto API. To learn how to use Common Crypto, read the
CC_crypto(3cc) man pages.
The sample code project SSLSample shows how to use secure transport to create a secure network connection.
You can authorize users to control access to data or to restrict access to specific application features. Authorization Services Programming Guide explains how to add fine-grained control of privileged operations in an application.
The sample code project BetterAuthorizationSample illustrates the common tasks done with the Authorization Services API; Technical Note TN2095, Authorization for Everyone, discusses the sample code project.
The sample code project CryptNoMore shows how to authenticate a user using Open Directory (Directory Services).
The sample code project NameAndPassword demonstrates how to subclass
SFAuthorizationPluginView to display your own user interface in OS X authorization dialogs.
The sample code project NullAuthPlugin is a sample authorization plug-in that you can use as a template for writing a new authorization plug-in or as a tool for debugging the authorization process.
Using the Keychain
The OS X keychain provides secure storage that can be used to store passwords, keys, certificates, and other data. Keychain Services Programming Guide describes programmatic access to the keychain and provides samples that show how to use the keychain APIs.