
PrismSecurity

PrismSecurity provides a comprehensive security layer for Apple platforms — from system permissions and biometric auth to encrypted transport channels, tamper detection, and PII redaction. Built on CryptoKit, Security framework, and LocalAuthentication with Swift 6.3 strict concurrency.

Permissions & Biometrics

Unified API for 16 system permissions plus Face ID / Touch ID / Optic ID authentication.

Encryption & Keychain

AES-GCM, ChaChaPoly, HMAC, HKDF, Secure Enclave, and typed keychain storage.

Certificate Pinning

SHA-256 public key pinning with strict, report-only, and trust-on-first-use policies.

Secure Transport

P256 ECDH key exchange, encrypted channels, and signed envelopes with forward secrecy.

Audit & Tokens

Hash-chain audit log, JWT decode, actor-based token refresh, and Bearer injection.

Privacy Guard

PII redaction, screen protection on background, auto-clearing clipboard, field classification.
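The Secure Transport card above lists P256 ECDH, encrypted channels and forward secrecy. The block below is an added example and not PrismSecurity's code, nor how PrismSecureChannel is implemented: it builds a minimal forward-secret channel from the CryptoKit primitives the page names (P256 ECDH, HKDF, AES-GCM), using a fresh ephemeral sender key per message and binding the derived key to both public keys. The struct and function names (SealedMessage, seal, open, deriveKey) and the HKDF info string are assumptions for this illustration.

```swift
import Foundation
import CryptoKit

// Added example, not PrismSecurity's code: a forward-secret message channel.
// Each message uses a one-time P256 key on the sender side, so compromise of
// long-term keys later does not reveal what was sent earlier.

struct SealedMessage {
    let ephemeralPublicKey: Data   // sender's one-time P256 public key, sent in the clear
    let ciphertext: Data           // AES-GCM combined form: nonce || ciphertext || tag
}

enum ChannelError: Error { case badPeerKey, sealFailed }

/// Derive the per-message AES key from the ECDH shared secret with HKDF-SHA256.
/// Feeding both public keys into the salt ties the key to this exact exchange.
func deriveKey(shared: SharedSecret, senderPub: Data, recipientPub: Data) -> SymmetricKey {
    shared.hkdfDerivedSymmetricKey(
        using: SHA256.self,
        salt: senderPub + recipientPub,
        sharedInfo: Data("prism-example-channel-v1".utf8),   // assumed label for this demo
        outputByteCount: 32)
}

/// Sender side: ephemeral key agreement, then AES-GCM under the derived key.
func seal(_ plaintext: Data, to recipientPub: P256.KeyAgreement.PublicKey) throws -> SealedMessage {
    let ephemeral = P256.KeyAgreement.PrivateKey()
    let shared = try ephemeral.sharedSecretFromKeyAgreement(with: recipientPub)
    let key = deriveKey(shared: shared,
                        senderPub: ephemeral.publicKey.rawRepresentation,
                        recipientPub: recipientPub.rawRepresentation)
    let box = try AES.GCM.seal(plaintext, using: key)
    guard let combined = box.combined else { throw ChannelError.sealFailed }
    return SealedMessage(ephemeralPublicKey: ephemeral.publicKey.rawRepresentation,
                         ciphertext: combined)
}

/// Recipient side: recompute the same shared secret from its long-term private key.
/// AES-GCM's tag check rejects any modification of nonce, ciphertext or tag.
func open(_ message: SealedMessage, with recipient: P256.KeyAgreement.PrivateKey) throws -> Data {
    guard let senderPub = try? P256.KeyAgreement.PublicKey(rawRepresentation: message.ephemeralPublicKey) else {
        throw ChannelError.badPeerKey
    }
    let shared = try recipient.sharedSecretFromKeyAgreement(with: senderPub)
    let key = deriveKey(shared: shared,
                        senderPub: message.ephemeralPublicKey,
                        recipientPub: recipient.publicKey.rawRepresentation)
    let box = try AES.GCM.SealedBox(combined: message.ciphertext)
    return try AES.GCM.open(box, using: key)
}

// Demo with a constructed message: the recipient's long-term key, one sealed
// message that opens correctly, then a copy with a single flipped bit.
let recipient = P256.KeyAgreement.PrivateKey()
let sealed = try seal(Data("transfer 100 to acct 42".utf8), to: recipient.publicKey)
let clear = try open(sealed, with: recipient)
print("opened:", String(decoding: clear, as: UTF8.self))

var tampered = sealed.ciphertext
tampered[tampered.index(before: tampered.endIndex)] ^= 0x01   // corrupt the last tag byte
do {
    _ = try open(SealedMessage(ephemeralPublicKey: sealed.ephemeralPublicKey,
                               ciphertext: tampered), with: recipient)
    print("unexpected: tampered message opened")
} catch {
    print("tamper detected:", error)
}
```

The sender-ephemeral pattern gives forward secrecy in one direction only (a recipient's long-term private key still decrypts old traffic if it leaks); a channel that needs it both ways has each side contribute an ephemeral key and, as the page's "signed envelopes" suggest, signs the exchange so the ephemeral public key cannot be swapped in transit.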

Architecture

┌──────────────────────────────────────────────────────────────┐
│                       PrismSecurity                          │
├───────────┬──────────┬───────────┬───────────┬──────────────┤
│Permissions│Biometric │ Keychain  │Encryption │SecureEnclave │  ← Phase 1
├───────────┴──────────┴───────────┴───────────┴──────────────┤
│ CertPinning │ Integrity │ SecureTransport │ AuditLog       │  ← Phase 2
├─────────────┴───────────┴─────────────────┴────────────────┤
│    TokenManager    │     PrivacyGuard    │  SecureStore     │
├────────────────────┴─────────────────────┴─────────────────┤
│              CryptoKit + Security + LocalAuthentication      │
└──────────────────────────────────────────────────────────────┘

Quick Start

One Import, Full Security

```swift
import PrismSecurity

// Request camera permission
let client = PrismPermissionClient()
let status = try await client.request(.camera)

// Authenticate with Face ID
let bio = PrismBiometricAuth()
try await bio.authenticate(reason: "Access vault")

// Encrypt and store securely (mySecret is the value to protect, defined elsewhere)
let store = PrismSecureStore(configuration: .biometricProtected)
try store.save(mySecret, forKey: "credentials")

// Redact PII from logs (`guard` is a Swift keyword, so the instance needs another name)
let privacyGuard = PrismPrivacyGuard()
let safe = privacyGuard.redact("Email: john@example.com")
// → "Email: j***@***.***"
```

Key Concepts

| Concept | Type | Description |
| --- | --- | --- |
| Permission | PrismPermissionClient | Unified request/check for 16 system permissions |
| Biometric | PrismBiometricAuth | One-line Face ID / Touch ID / Optic ID |
| Keychain | PrismKeychain | Typed CRUD with access control |
| Encryptor | PrismEncryptor | AES-GCM + ChaChaPoly via CryptoKit |
| Secure Store | PrismSecureStore | Encrypt + keychain in one call |
| Cert Pinning | PrismPinningValidator | Public key hash validation (actor) |
| Integrity | PrismIntegrityChecker | Jailbreak / debugger / tamper detection |
| Secure Channel | PrismSecureChannel | ECDH → symmetric encrypted pipe |
| Audit Log | PrismSecurityAuditLog | Hash-chain tamper-evident event log |
| Token Manager | PrismTokenManager | Actor-based JWT lifecycle + refresh |
| Privacy Guard | PrismPrivacyGuard | PII redact, classify, screen protect |

PrismSecurity depends only on PrismFoundation — no UIKit or SwiftUI in core types. SwiftUI imports are isolated to PrismScreenProtection and PrismClipboardGuard via #if canImport.
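The Audit Log row above describes PrismSecurityAuditLog as a hash-chain tamper-evident event log. The block below is an added example, not the library's implementation, that shows what that property buys you: each entry commits to the SHA-256 of the previous entry, so editing or deleting any record breaks verification from that point on. The type and function names (AuditEntry, HashChainLog, firstBrokenLink) and the canonical field format are assumptions for this illustration.

```swift
import Foundation
import CryptoKit

// Added example, not PrismSecurity's code: each entry commits to the SHA-256 of
// the previous one, so any edit or deletion breaks every link after it.

struct AuditEntry {
    let sequence: Int
    let timestamp: Date
    let event: String
    let previousHash: String   // hex SHA-256 of the prior entry, "" for the first entry
    let hash: String           // hex SHA-256 over this entry's fields plus previousHash

    /// Canonical serialisation that gets hashed. A fixed field order and a
    /// separator matter: without them two different entries could hash alike.
    static func digest(sequence: Int, timestamp: Date, event: String, previousHash: String) -> String {
        let canonical = "\(sequence)|\(timestamp.timeIntervalSince1970)|\(event)|\(previousHash)"
        return SHA256.hash(data: Data(canonical.utf8)).map { String(format: "%02x", $0) }.joined()
    }
}

struct HashChainLog {
    private(set) var entries: [AuditEntry]

    /// `entries` is whatever was read back from storage, trusted or not.
    init(entries: [AuditEntry] = []) { self.entries = entries }

    mutating func append(_ event: String, at timestamp: Date = Date()) {
        let prev = entries.last?.hash ?? ""
        let seq = entries.count
        let h = AuditEntry.digest(sequence: seq, timestamp: timestamp, event: event, previousHash: prev)
        entries.append(AuditEntry(sequence: seq, timestamp: timestamp, event: event,
                                  previousHash: prev, hash: h))
    }

    /// Re-derives every hash and link; returns the index of the first entry that
    /// fails, or nil when the whole chain verifies.
    func firstBrokenLink() -> Int? {
        var expectedPrev = ""
        for (i, e) in entries.enumerated() {
            let recomputed = AuditEntry.digest(sequence: e.sequence, timestamp: e.timestamp,
                                               event: e.event, previousHash: e.previousHash)
            if e.sequence != i || e.previousHash != expectedPrev || recomputed != e.hash {
                return i
            }
            expectedPrev = e.hash
        }
        return nil
    }
}

// Constructed events for the demo.
var log = HashChainLog()
log.append("login user=alice")
log.append("export report=Q3")
log.append("logout user=alice")
print("intact:", log.firstBrokenLink() == nil)

// 1. The stored event text of entry 1 is changed but its hash is left as it was.
var edited = log.entries
let e1 = edited[1]
edited[1] = AuditEntry(sequence: e1.sequence, timestamp: e1.timestamp, event: "export report=ALL",
                       previousHash: e1.previousHash, hash: e1.hash)
print("edit detected at index:", HashChainLog(entries: edited).firstBrokenLink() ?? -1)

// 2. Entry 1 is deleted outright; entry 2's sequence and previousHash no longer fit.
var deleted = log.entries
deleted.remove(at: 1)
print("deletion detected at index:", HashChainLog(entries: deleted).firstBrokenLink() ?? -1)
```

A chain like this proves internal consistency only: whoever can rewrite the whole file can recompute every hash. The usual mitigation is to anchor the latest hash outside the writable store (signed, or kept in the keychain the page describes) and compare it during verification, which is what makes the log tamper-evident rather than merely self-consistent.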

Next Steps

Permissions & Biometrics

Request permissions and authenticate with Face ID.

Encryption & Keychain

Encrypt data and store secrets in the keychain.

Cert Pinning & Integrity

Pin certificates and detect tampering.

Secure Transport

Encrypted channels with ECDH and forward secrecy.

Audit, Tokens & Privacy

Audit logging, JWT management, and PII protection.
For server-side security (TLS, sessions, input validation), see the Server Security section. For encrypted persistence, check PrismStorage Encryption.