First there was the so-called “Gotofail” error that left traffic that should have been encrypted totally unsecure.
Less than a week later, security firm FireEye revealed that it was possible to make a “keylogger” on iOS that can track what you’re doing on your device and send that information to a remote server.
Perhaps to quell some of the fears of enterprise buyers (or the IT guys who have to support them), Apple released a new white paper (PDF) last week detailing the various security systems built into iOS, the operating system that powers the iPhone, iPad, and Apple TV product lines.
The most interesting bits to read in the otherwise dry security document are the parts detailing the workings of the iPhone 5s — the first device from Apple to combine iOS 7, the A7 system-on-a-chip, and the Touch ID fingerprint scanner.
Built into Apple’s A7 — the chip famous for its 64-bit “desktop class” application processor — is a less well-known coprocessor called the Security Enclave. While it’s not making video play smoother or music download faster, it is doing something that anyone can appreciate: letting you unlock your phone in a fraction of a second while keeping malicious hackers at bay.
The Security Enclave goes through a secure boot process independent of the rest of the chip and also goes through its own software updates. It’s kept separate from the rest of the system, but comes in when anything secure needs to happen.
Unlocking your device with your thumb? Fingerprint data from the Touch ID sensor goes to the Security Enclave, where it is compared with data saved on the device. If it’s a match, the device unlocks. Same thing with making purchases via iTunes or the App Store.
The actual processor never touches the data — it’s all forwarded over an encrypted bus that only the Security Enclave can read. And after the Security Enclave deals with fingerprint data, it throws it out, too. The only thing left afterward is a set of data that can’t be used to reconstruct an actual fingerprint and has no data connected to your identity.
Apple’s document makes it clear that enterprise buyers (including government buyers, who can now buy the iPhone 5S thanks to its validated compliance with U.S. Federal Information Processing Standard 140-2 Level 1) need not fear buying and trusting the security behind Touch ID. But there’s another use for Touch ID that could prove even more lucrative for Apple: payments.
As it stands, Apple doesn’t give any third-party access to the Security Enclave or Touch ID. That stands in sharp contrast to Samsung, whose new Samsung Galaxy S5 now sports a fingerprint reader. Samsung is partnering with PayPal to facilitate mobile and Web-based payments with the swipe of a finger.
As Business Insider’s Jim Edwards recently documented, it’s becoming rather evident that Apple is going to open up Touch ID-controlled payments to third-party retailers as well. But Apple’s payments solution won’t rely on any third-party services — the payments themselves will be authorised and facilitated within the existing iTunes infrastructure, which Touch ID and the Security Enclave were literally designed for.
We don’t know much about the security built into Samsung’s latest flagship, but considering Android’s poor history with security, it could be a deciding factor in what becomes the leading mobile payments platform.