iPhone and iPad gain NATO security approval
Apple's iPhone and iPad are now approved for use with information classified up to the "restricted" level by NATO. The devices achieved this certification without requiring special configurations. This marks the first time consumer devices have received such approval, a significant development for secure mobile application patterns.
- This approval builds on a foundational Common Criteria certification for iOS 26, which is currently being evaluated against multiple Protection Profiles, including those for Mobile Device Fundamentals, VPN Clients, and WLAN Clients. This independent verification of security features is a prerequisite for consideration in high-security government environments. - The cryptographic core of the approval lies in Apple's Corecrypto Module for OS 26, which is currently undergoing FIPS 140-3 validation by the Cryptographic Module Validation Program (CMVP). This includes separate validations for user-space and kernel-level modules, as well as a hardware module in the Secure Enclave with a physical security level of 3. - Germany's Federal Office for Information Security (BSI) conducted an in-depth technical assessment of iOS and iPadOS, the results of which were then accepted by all NATO nations, streamlining the approval process. This reliance on a member state's trusted evaluation is a key part of NATO's strategy to quickly adopt commercial technology. - For developers, this certification opens a clearer path for creating applications for government and defense entities. Leveraging iOS platform features like the Secure Enclave for key storage, CryptoKit for cryptographic operations, and App Transport Security (ATS) for secure networking can help meet the stringent security requirements of this sector. - The native Mail, Calendar, and Contacts applications on iOS 26 are specifically listed in the NATO Information Assurance Product Catalogue, indicating their approved use for handling "Restricted" information without modification. - This move is part of a larger NATO digital transformation strategy aimed at adopting commercial off-the-shelf technology to maintain a technological edge. This strategy emphasizes the integration of innovative solutions from the private sector to enhance capabilities. - While "NATO Restricted" is the lowest of four classification levels, this approval for an unmodified consumer device is a significant shift from the traditional reliance on expensive, purpose-built hardware from specialized defense contractors. - Future developments may involve certification for higher classification levels, such as "Confidential," which would likely require additional security controls and further validation of the platform's architecture.
