
AD5018: RequireMinimumOSVersion

Summary

| Property | Value |
|---|---|
| ID | AD5018 |
| Name | RequireMinimumOSVersion |
| Category | Security |
| Severity | Warning |
| Applies to | Mach-O (macOS, iOS) |

Description

Targeting old OS versions means your application can run on systems that no longer receive security updates from Apple. This rule checks that the minimum deployment target is recent enough to:

  1. Receive security patches: Apple only provides security updates for recent OS versions
  2. Access modern security features: Newer OS versions have improved security mechanisms
  3. Benefit from hardened libraries: System libraries are continually improved

| Platform | Minimum Version | Rationale |
|---|---|---|
| macOS | 11.0 (Big Sur) | ARM64 support, modern security features |
| iOS | 14.0 | Modern security baseline |

These thresholds are based on Apple's support policies and security feature availability. Older versions may no longer receive critical security updates.

Why This Matters

The minimum deployment target you choose has far-reaching security implications that extend well beyond your application's own code. Your application inherits the security posture of every system library and framework it uses, and those libraries are only as secure as the OS version they ship with.

The OS Security Lifecycle

Apple's security support policy is clear but limited:

| macOS Version | Release Date | Typical Security Support |
|---|---|---|
| macOS 14 (Sonoma) | 2023 | Active updates |
| macOS 13 (Ventura) | 2022 | Active updates |
| macOS 12 (Monterey) | 2021 | Limited updates |
| macOS 11 (Big Sur) | 2020 | End of regular support |
| macOS 10.15 and earlier | 2019 and earlier | No security updates |

Apple typically provides security updates for the current release and two prior versions. Older versions receive no patches, even for critical vulnerabilities.

What You Inherit from the OS

Your deployment target determines which versions of these components users might have:

  1. TLS/SSL Stack: Older SecureTransport versions have known vulnerabilities and lack support for modern protocols (TLS 1.3, modern cipher suites).

  2. Memory Allocator: Each macOS release hardens the memory allocator. Newer versions have better entropy, guard pages, and corruption detection.

  3. System Libraries: libc, libSystem, and other core libraries receive continuous security hardening. Older versions have known exploitable issues.

  4. Kernel Protections: KASLR, SMAP, SMEP, and PAC (on ARM) improve with each release. Applications on older kernels are more vulnerable to privilege escalation.

  5. Code Signing Enforcement: Newer OS versions have stricter signature validation, library validation, and notarization enforcement.

Concrete Security Risks

Targeting old OS versions exposes users to:

  • Known CVEs: macOS 10.14 and earlier have hundreds of unpatched vulnerabilities, some with public exploits.

  • Deprecated Cryptography: Older systems may use SHA-1 certificates, weak random number generators, or obsolete cipher suites.

  • Missing Mitigations: Pre-Big Sur systems lack many hardware security features that newer CPUs provide (especially on Apple Silicon).

  • Reduced ASLR Entropy: Older systems have lower-entropy ASLR that is more susceptible to brute-force bypass.

The Business Trade-off

Supporting old OS versions has real costs beyond security:

| Consideration | Old OS Support | Modern OS Only |
|---|---|---|
| Development effort | Test matrix explosion | Simpler testing |
| API availability | Workarounds needed | Modern APIs available |
| User base | Diminishing users | Growing majority |
| Security liability | Higher risk | Lower risk |

According to Apple's data, over 90% of active devices run OS versions from the last 2-3 years. Supporting older versions protects a shrinking minority while increasing everyone's risk.

Compliance Implications

Many security frameworks require running on supported software:

  • PCI DSS: Requires systems to be patched and running supported software
  • HIPAA: Implicitly requires current security patches
  • SOC 2: Requires vulnerability management including keeping systems updated
  • FedRAMP: Requires running supported OS versions

Resolution

Update your deployment target to a supported OS version.

Xcode

  1. Select your project
  2. Go to Build Settings
  3. Search for "Deployment Target"
  4. Set macOS Deployment Target to 11.0 or later
  5. Set iOS Deployment Target to 14.0 or later

Command Line

# Clang
clang -mmacosx-version-min=11.0 your_code.c

# For iOS
clang -mios-version-min=14.0 your_code.c

CMake

set(CMAKE_OSX_DEPLOYMENT_TARGET "11.0")

Cargo (Rust)

# Set via environment variable
MACOSX_DEPLOYMENT_TARGET=11.0 cargo build --release

Detection

This rule checks the following Mach-O load commands:

  • LC_VERSION_MIN_MACOSX
  • LC_VERSION_MIN_IPHONEOS
  • LC_BUILD_VERSION (modern binaries)
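As an added example (not the analyzer's own code), the following Python walks a 64-bit Mach-O load-command table looking for the three commands above, decodes the packed version field, and compares it against this rule's thresholds; the sample images it checks are constructed inline rather than read from real binaries.

```python
import struct
# Constants from <mach-o/loader.h>; the thresholds are this rule's (macOS 11.0, iOS 14.0)
MH_MAGIC_64, LC_VERSION_MIN_MACOSX, LC_VERSION_MIN_IPHONEOS, LC_BUILD_VERSION = 0xFEEDFACF, 0x24, 0x25, 0x32
PLATFORM_MACOS, PLATFORM_IOS = 1, 2
MINIMUM = {"macos": (11, 0, 0), "ios": (14, 0, 0)}

def decode_version(packed):  # packed xxxx.yy.zz field used by these load commands
    return (packed >> 16, (packed >> 8) & 0xFF, packed & 0xFF)

def encode_version(major, minor, patch):
    return (major << 16) | (minor << 8) | patch

def min_os_version(data):
    """Walk the load commands; return (platform, version) or None if no target is recorded."""
    magic, _, _, _, ncmds = struct.unpack_from("<5I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O image")
    off = 32  # sizeof(struct mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8:
            raise ValueError("malformed load command")
        if cmd in (LC_VERSION_MIN_MACOSX, LC_VERSION_MIN_IPHONEOS):
            version = struct.unpack_from("<I", data, off + 8)[0]  # version_min_command.version
            return ("macos" if cmd == LC_VERSION_MIN_MACOSX else "ios"), decode_version(version)
        if cmd == LC_BUILD_VERSION:
            platform, minos = struct.unpack_from("<2I", data, off + 8)  # .platform, .minos
            name = {PLATFORM_MACOS: "macos", PLATFORM_IOS: "ios"}.get(platform)
            if name:
                return name, decode_version(minos)
        off += cmdsize
    return None

def check_ad5018(data):
    """Return ('ok' | 'warning' | 'unknown', platform, version) for one image."""
    found = min_os_version(data)
    if found is None:
        return "unknown", None, None
    platform, version = found
    return ("ok" if version >= MINIMUM[platform] else "warning"), platform, version

# Constructed sample images (64-bit header plus a single load command), not real binaries
def build_version_cmd(platform, version):
    v = encode_version(*version)
    return struct.pack("<6I", LC_BUILD_VERSION, 24, platform, v, v, 0)  # minos, sdk, ntools=0
def version_min_cmd(cmd, version):
    v = encode_version(*version)
    return struct.pack("<4I", cmd, 16, v, v)  # version, sdk
def sample_image(load_cmd):
    return struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 1, len(load_cmd), 0, 0) + load_cmd
```

Real images carry many load commands and may be fat (multi-architecture) files; the walker above assumes a single thin 64-bit image, and a fat file would need its slices split first.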

Exceptions

Some legitimate cases for lower deployment targets:

  • System utilities that must support older systems
  • Enterprise software with specific requirements
  • Backward compatibility requirements

Document these exceptions in your security policy.

References