Chapter 15: Batten the Hatches with Security Services
iOS is likely the first platform most developers encounter that employs a true least-privilege security model. Most modern operating systems employ some kind of privilege separation, allowing different processes to run with different permissions, but it is almost always applied in a very coarse-grained way. Most applications on UNIX, OS X, and Windows either run as the current user, or run as an administrative user that can do nearly anything. Attempts to segment privileges further, whether with Security-Enhanced Linux (SELinux) or Windows User Account Control (UAC), have generally led developers to revolt. The most common questions about SELinux are not how to best develop for it, but how to turn it off.
With the Mac App Store, and particularly OS X 10.8, Apple has expanded some of iOS’s least privilege approach to the desktop. Time will tell if it’s successful.
Coming from these backgrounds, developers tend to be shocked when encountering the iOS security model. Rather than ensuring maximal flexibility, Apple’s approach has been to give developers the fewest privileges it can and see what software developers are incapable of making with those privileges. Then Apple provides the fewest additional privileges that allow the kinds of software it wants for the platform. This approach can be very restrictive on developers, but it has also kept iOS quite stable and free of malware. Apple is unlikely to change its stance on this approach, so ...