Apple shares security guides for each new release of its operating systems. Today it shared its 2019 Platform Security guide that examines all of its platforms. There’s also a web page dedicated to it.
2019 Platform Security
The guide [PDF] is organized into sections covering: hardware security and biometrics, system security, encryption and data protection, app security, services security, network security, developer kits, secure device management, and security certifications and programs. Here are a few bits that stand out to me:
When Messages in iCloud is enabled, iMessage, Business Chat, text (SMS), and MMS messages are removed from the userʼs existing iCloud Backup, and are instead stored in an end-to-end encrypted CloudKit container for Messages. The userʼs iCloud Backup retains a key to that container.
To prevent brute-force attacks, when Mac boots, no more than 30 password attempts are allowed at the Login Window or using Target Disk Mode, and escalating time delays are imposed after incorrect attempts… To prevent malware from causing permanent data loss by trying to attack the userʼs password, these limits are not enforced after the user has successfully logged into the Mac, but are reimposed after reboot.
If the 30 attempts are exhausted, 10 more attempts are available after booting into macOS Recovery. And if those are also exhausted, then 60 additional attempts are available for each FileVault recovery mechanism (iCloud recovery, FileVault recovery key, and institutional key), for a maximum of 180 additional attempts. Once those additional attempts are exhausted, the Secure Enclave no longer processes any requests to decrypt the volume or verify the password, and the data on the drive becomes unrecoverable.
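The attempt budget described in the two quoted passages, as an added Python model that is not Apple's code (the class and stage names, treating each budget as independent, and the doubling delay schedule are assumptions; the excerpt does not say whether a successful login resets the counters, so the model leaves them untouched):

```python
from enum import Enum

class Stage(Enum):
    """Where the password attempt is being made (assumed naming)."""
    LOGIN_WINDOW = "Login Window / Target Disk Mode"  # shared budget of 30
    RECOVERY = "macOS Recovery"                        # 10 more
    ICLOUD = "iCloud recovery"                         # 60 per FileVault
    RECOVERY_KEY = "FileVault recovery key"            # recovery mechanism
    INSTITUTIONAL = "institutional key"                # (3 x 60 = 180)

BUDGET = {Stage.LOGIN_WINDOW: 30, Stage.RECOVERY: 10,
          Stage.ICLOUD: 60, Stage.RECOVERY_KEY: 60, Stage.INSTITUTIONAL: 60}

class AttemptBudget:
    """Tracks the per-stage attempt counts the Secure Enclave enforces."""
    def __init__(self):
        self.used = {stage: 0 for stage in Stage}
        self.enforcing = True  # suspended after a successful login, until reboot

    def remaining(self, stage):
        return BUDGET[stage] - self.used[stage]

    def total_remaining(self):
        return sum(self.remaining(s) for s in Stage)

    def reboot(self):
        # Counts persist across reboots; only the post-login suspension is lifted.
        self.enforcing = True

    def attempt(self, stage, password_correct):
        """Returns (outcome, delay_seconds) for one attempt at `stage`."""
        if self.total_remaining() == 0:
            # All 220 attempts spent: the Secure Enclave no longer verifies
            # passwords or decrypts the volume, even for the right password.
            return "unrecoverable", 0
        if not self.enforcing:
            # After a successful login nothing is counted or delayed.
            return ("unlocked" if password_correct else "denied"), 0
        if self.remaining(stage) == 0:
            return "stage-exhausted", 0
        if password_correct:
            self.enforcing = False  # limits not enforced until the next reboot
            return "unlocked", 0
        self.used[stage] += 1
        # Escalating delay: an ASSUMED doubling schedule after the 4th failure,
        # not the actual timings from Apple's guide.
        delay = 0 if self.used[stage] < 5 else 2 ** (self.used[stage] - 5)
        return "denied", delay
```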