Security Changes

Read about essential security changes for all Apple platforms.

System Administration Update for iOS 11, macOS High Sierra, and macOS Server 5.4

If you’re a system administrator, review this list to prepare for iOS 11, macOS High Sierra, and macOS Server 5.4.

End-of-Life for SHA-1 Certificate Support

In 2017, a security update to Apple’s operating systems removed support for SHA-1 signed certificates used for Transport Layer Security (TLS) in Safari and WebKit. Make sure to use SHA-256 signed certificates.

Making Secure Connections

A range of APIs on Apple platforms enable your apps to employ secure network connections and to benefit from OS-level security policies.

App Transport Security (ATS)

ATS establishes best-practice policies for secure network communications on Apple platforms, employing Transport Layer Security (TLS) version 1.2, forward secrecy, and strong cryptography.

Secure Transport API

Use Apple’s secure transport API to employ current versions of the Secure Sockets Layer (SSL), Transport Layer Security (TLS), and Datagram Transport Layer Security (DTLS) cryptographic protocols for network communications.

Supported Algorithms

Starting with iOS 10 and macOS v10.12, the RC4 cipher suite is disabled by default. In addition, Apple recommends that your servers use certificates signed with the SHA-2 cryptographic hash function.

Certificate Transparency and Certificate Trust APIs

Strong encryption for your network connections is not enough. To help ensure your app is connecting to the right server, employ Apple’s certificate trust APIs and Certificate Transparency.

Protecting User Data

Apple platforms provide a variety of features for protecting user data.

Purpose Strings

Purpose strings let you statically declare the sensitive data and resources your app employs.

Copying and Pasting Sensitive Data

In iOS, copying and pasting sensitive data can take advantage of the system's privacy options.

Keychain and iCloud Keychain

Keychain and iCloud Keychain provide a secure repository for sensitive user data, such as certificates, keys, passwords, and notes.

Executing Code Securely

Apple platforms protect users with secure code execution. Xcode, Apple’s integrated development environment (IDE), directly provides code signing for iOS, tvOS, and watchOS apps, as well as for macOS apps that you distribute through the Mac App Store.

Developer ID

Developer ID and Gatekeeper support app distribution outside the Mac App Store.

Cryptographic Signing

If distributing your Mac app outside of the Mac App Store, use cryptographic signing with Developer ID to certify that your app is genuine.

Cryptographic Interfaces

Apple platforms offer a comprehensive set of low-level APIs for developing cryptographic solutions within your apps.

SecKey API for Asymmetric Keys

SecKey provides a unified asymmetric key API across Apple platforms.

CryptoTokenKit for Smart Card Support

The CryptoTokenKit framework provides first-class access for working with smart cards and other cryptographic devices in macOS.

Common Crypto Library

The Common Crypto library supports symmetric encryption, hash-based message authentication codes, and digests.
Both the Security framework and Common Crypto rely on the corecrypto library for implementations of low-level cryptographic primitives. corecrypto is also the library submitted for validation of compliance with U.S. Federal Information Processing Standard (FIPS) 140-2 Level 1. Although corecrypto does not directly provide programming interfaces for developers and should not be used by iOS or macOS apps, its source code is available so that its security characteristics and correct functioning can be verified.