Security is about restricting access, whether to a physical object, a location, information, an application, or a particular feature of an application.
To learn how to protect your users from unauthorized use of their data or an attack on their system through vulnerabilities in your application, read Secure Coding Guide.
To work seamlessly with built-in security features in the Mac OS X operating system and to give your users the best-possible experience, you must add a digital signature to your application. To get started, read Code Signing Guide.
Depending on what you need to protect, you may want to:
Verify someone’s identity (authenticate the user) with digital certificates, password verification, or some other method
Determine what information a user has permission to see or what software a user has permission to use (that is, determine their access permissions)
Set policies controlling who can see particular information or use particular software (perform authorization or set trust policy)
Store information securely in the keychain or retrieve the information when needed
Issue credentials someone can use to certify their identity (issue digital certificates)
Ensure the integrity of documents and emails by adding digital signatures
Encrypt or decrypt data
Encrypt data while it is in transit (set up a secure transport channel)
If your software needs to protect information or if you need to control access to your software, then you need to be familiar with the security features and APIs of Mac OS X.
Start with Security Overview to get a high-level view of Mac OS X security features:
Introduction to Security Overview introduces the book and includes a list of references for further reading.
Security Architecture describes the Mac OS X security architecture.
Security Concepts introduces security concepts such as authentication, authorization, permissions, access control lists (ACLs), and digital certificates. Even if you’re already an expert, look at the sections titled “Mac OS X” and “Network”, which describe how Mac OS X access controls differ from BSD, AppleShare, and other common systems.
Security Services introduces the security APIs provided by Mac OS X.
See the security sample code for examples of the security APIs in use. In particular:
BetterAuthorizationSample: Illustrates the common tasks done with Authorization Services. See also Technical Note TN2095, Authorization for Everyone, which discusses BetterAuthorizationSample.
SSLSample: Shows how to use Secure Transport to create a secure network connection.
CryptNoMore: Shows how to authenticate a user using Open Directory (Directory Services).
CryptoSample: Contains sample code showing symmetric encryption and message digest calculation.
NameAndPassword: Demonstrates how to subclass SFAuthorizationPluginView to display your own user interface in Mac OS X authorization dialogs.
NullAuthPlugin: A sample authorization plug-in that you can use as a template for writing a new authorization plug-in, or as a tool to debug the authorization process.
Sometimes you need task-focused information or answers to specific questions to get started. The documents described below take a task-oriented approach to explaining how to use Mac OS X security APIs.
You can authorize users to control access to data or to restrict access to specific application features. Authorization Services Programming Guide explains how to add fine-grained control of privileged operations in an application.
The Mac OS X keychain provides secure storage that users can use to store passwords and other secrets, and that applications can use to store passwords, keys, certificates, and other data. Keychain Services Programming Guide describes programmatic access to the keychain and provides samples that show how to use the keychain APIs.
Digital certificates can be used for a variety of purposes, including signing data, authenticating users over a network, and encrypting data. Certificates use and store public cryptographic keys. The combination of a certificate and a private key is known as an identity and is used in authentication and encryption applications. To learn more about how certificates and keys are used to identify users and processes and to establish trust, read Certificate, Key, and Trust Services Programming Guide.
The Snow Leopard Reference Library holds many more resources that can make your job easier. To narrow the list of resources, you can set filters to focus on specific resource types (such as references, guides, or sample code) or on specific topics (such as security or data management).
Last updated: 2009-05-27