Apple has announced that it has open sourced three major components of its OSes’ security subsystem. The announcement has stirred some controversy due to the restrictive nature of the license used for one of the libraries.
The three open-sourced components are:
- `corecrypto`: the fundamental building block of other cryptographic libraries. It provides low-level cryptographic primitives that, according to Apple, “should not be used by iOS or OS X apps” directly. `corecrypto` has been made available to allow developers or other interested parties to verify its implementation and security characteristics. As discussed below, `corecrypto` is subject to more restrictive licensing terms than the other two libraries.
- Common Crypto: a library that provides support for common cryptographic operations such as symmetric encryption, hash-based message authentication, and digests. This library provides iOS and OS X Cryptographic Services.
- Security Framework: a framework that provides APIs to manage certificates, key pairs, and trust policies. This framework includes important OS X and iOS services such as Keychain and transport-level network security.
An important detail in Apple’s announcement is that the lowest-level component, `corecrypto`, is not actually being open sourced at all, as many remarked publicly. It would seem more correct to think of this as “source disclosure”, since Apple subjects downloading `corecrypto` to an “internal use license agreement” that only grants the right to download and inspect the source code for a period of 90 days from the download, while explicitly forbidding redistribution. According to a reddit commenter, the 90-day limit could help grant revocability: should Apple ever decide to stop offering the download option for `corecrypto`, it would follow that, at most 90 days later, the source would be globally unlicensed.
Another concern that has been voiced is that it is impossible to know whether the cryptographic libraries and frameworks included in shipping versions of iOS and OS X have actually been built from the source code that Apple provides.
Still, Apple hopes that the availability of its cryptographic libraries will allow third-party developers to build more advanced security features into their apps.