App security overview
Today, apps are among the most critical elements of a security architecture. Even as apps provide amazing productivity benefits for users, they also have the potential to negatively impact system security, stability and user data if they’re not handled properly.
Because of this, Apple provides layers of protection to help ensure that apps are free of known malware and haven’t been tampered with. Additional protections enforce that access from apps to user data is carefully mediated. These security controls provide a stable, secure platform for apps, enabling thousands of developers to deliver hundreds of thousands of apps for iOS, iPadOS and macOS — all without impacting system integrity. And users can access these apps on their Apple devices without undue fear of viruses, malware or unauthorised attacks.
On iPhone and iPad, all apps are obtained from the App Store — and all apps are sandboxed — to provide the tightest controls.
On Mac, many apps are obtained from the App Store, but Mac users also download and use apps from the internet. To safely support internet downloading, macOS layers additional controls. First, by default in macOS 10.15 or later, all Mac apps need to be notarised by Apple to launch. This requirement helps ensure that these apps are free of known malware, without requiring that the apps be provided through the App Store. Second, macOS includes state-of-the-art antivirus protection to block — and if necessary remove — malware.
As an additional control across platforms, sandboxing helps protect user data from unauthorised access by apps. And in macOS, data in critical areas is itself protected — which helps ensure that users remain in control of access to files in Desktop, Documents, Downloads and other areas from all apps, whether the apps attempting access are themselves sandboxed or not.
Native capability | Third-party equivalent |
|---|---|
Plug-in unapproved list, Safari extension unapproved list | Virus/Malware definitions |
File Quarantine | Virus/Malware definitions |
XProtect/YARA signatures | Virus/Malware definitions; endpoint protection |
Gatekeeper | Endpoint protection; enforces code signing on apps to help ensure that only trusted software runs |
eficheck (Necessary for a Mac without an Apple T2 Security Chip) | Endpoint protection; rootkit detection |
Application firewall | Endpoint protection; firewalling |
Packet Filter (pf) | Firewall solutions |
System Integrity Protection | Built into macOS |
Mandatory Access Controls | Built into macOS |
Kext exclude list | Built into macOS |
Mandatory app code signing | Built into macOS |
App notarisation | Built into macOS |