Authentication

Face ID and Touch ID

These secure ways to unlock, authenticate, and pay let users quickly access your app with just a glance or a touch of their finger. The Secure Enclave, a hardware-based security processor isolated from the rest of the system, encrypts and protects the user’s data.

Learn more

Apple Pay

Apple Pay provides an easy and secure way to pay using Face ID or Touch ID, or by double-clicking Apple Watch. Users can quickly provide their payment, shipping, and contact information to check out. And because you don’t receive any credit or debit card numbers, you don't need to handle sensitive data when customers use Apple Pay.

Learn more

Sign in with Apple

Your users can easily sign in to your apps and websites using their Apple ID. Instead of filling out forms, verifying email addresses, and choosing new passwords, they can use Sign in with Apple to set up an account and start using your app right away.

Learn more

Automatic strong passwords

Password AutoFill simplifies login and account creation tasks for iOS and iPadOS apps, as well as websites. With just a few taps, your users can create and save unique, strong passwords or log in to an existing account. They don’t even need to know their password — the system handles everything.

Learn more

Passkeys

Based on industry standards for account authentication, passkeys replace passwords with cryptographic key pairs, making them easier to use and far more secure. Adopt passkeys to give people a simple, secure way to sign in to your apps and websites across platforms — with no passwords required.

Learn more

Making secure connections

A range of APIs on Apple platforms enables your apps to employ secure network connections and to benefit from OS-level security policies.

App Transport Security (ATS)

ATS establishes best-practice policies for secure network communications using Apple platforms, employing Transport Layer Security (TLS) version 1.2, forward secrecy, and strong cryptography.

Secure Transport API

Use Apple’s secure transport API to employ current versions of the Secure Sockets Layer (SSL), Transport Layer Security (TLS), and Datagram Transport Layer Security (DTLS) cryptographic protocols for network communications.

Supported algorithms

Starting with iOS 10 and macOS 10.12, the RC4 cipher suite is disabled by default. In addition, Apple recommends that your servers use certificates signed with the SHA-2 cryptographic function.

DeviceCheck and the App Attest API

Protect against security threats to your iOS, iPadOS, and tvOS apps and reduce fraudulent use of your services by managing device states and asserting app integrity. The DeviceCheck services provide information that you can integrate into an overall antifraud strategy for your app and risk assessment for a given device.

Using the DeviceCheck service, a token on your server can set and query two binary digits of data per device — for example, to flag a device you‘ve determined to be fraudulent — while maintaining user privacy. And with App Attest, you can generate a special cryptographic key on a device running iOS 14, iPadOS 14, and tvOS 15 or later, and use that key to validate the integrity of your app before your server provides access to sensitive data.

Certificate Trust APIs and Certificate Transparency

Strong encryption for your network connections is not enough. To help ensure your app is connecting to the right server, employ Apple’s Certificate Trust APIs and Certificate Transparency.

Protecting user data

Apple platforms provide a variety of features for protecting user data.

Purpose strings

Purpose strings let you statically declare the sensitive data and resources your app employs.

Copying and pasting sensitive data

Take advantage of privacy options when allowing users to copy and paste sensitive data in your apps on iPhone or iPad.

Keychain and iCloud Keychain

Keychain and iCloud Keychain provide a secure repository for sensitive user data, such as certificates, keys, passwords, and notes.

App sandboxing

Protect Mac systems and users by limiting the privileges of an app to its intended functionality, increasing the difficulty for malicious software to compromise users’ systems.

Executing code securely

Apple platforms protect users with secure code execution. Xcode, Apple’s integrated development environment (IDE), directly provides code signing for iOS, iPadOS, macOS, tvOS, and watchOS apps that you distribute on the App Store.

Sign your apps with Developer ID

Gatekeeper on macOS helps protect users from downloading and installing malicious software distributed outside the Mac App Store by checking for a Developer ID certificate.

Notarize your apps

If distributing your Mac app outside of the Mac App Store, sign and upload your app to Apple to be notarized to certify your app is genuine and to perform a security check.

Cryptographic interfaces

Apple platforms offer a comprehensive set of low-level APIs for developing cryptographic solutions within your apps.

Apple CryptoKit

Perform cryptographic operations securely and efficiently in your app.

Common Crypto library

The Common Crypto library supports symmetric encryption, hash-based message authentication codes, and digests.

SecKey API for asymmetric keys

SecKey provides a unified asymmetric key API across Apple platforms.

CryptoTokenKit for smart card support

The CryptoTokenKit framework provides first-class access for working with smart cards and other cryptographic devices in macOS.

Security fundamentals and resources

These resources provide background information and support for security on Apple platforms.

corecrypto

Both the Security framework and Common Crypto rely on the corecrypto library to provide implementations of low-level cryptographic primitives. This is also the library submitted for validation of compliance with U.S. Federal Information Processing Standards (FIPS) 140-2/-3. Visit the Security Certifications and Compliance Center for up-to-date information on corecrypto validations. Although corecrypto does not directly provide programming interfaces for developers and should not be used by iOS, iPadOS, or macOS apps, the source code is available to allow for verification of its security characteristics and correct functioning.