Glossary

AMFI (Apple Mobile File Integrity)

The kernel extension that enforces what signed code is allowed to load and run on a Mac (or iPhone). Despite the name, it's not iOS-only — every macOS exec goes through it.

AMFI — Apple Mobile File Integrity — is the kernel extension that gates loading of code on every Apple OS. The "mobile" is historical: it was first an iOS thing and got brought to macOS as the security model converged.

What AMFI does:

  • Refuses to exec binaries with missing or invalid code signatures.
  • Records the signing team identifier on the process.
  • Enforces library validation: a process may only dlopen dylibs signed by Apple or by the same team identifier.
  • On iOS (and increasingly on macOS for some processes), refuses to let a process mprotect pages to executable unless they were loaded from a signed binary, which prevents arbitrary JIT.
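
The library validation rule from the list above can be approximated from userland for auditing. The following is an added example, not Apple's code and not part of the original entry: it applies the rule to the text that `codesign -dv --verbose=4 <path>` prints. All sample outputs and team identifiers are constructed, and treating `Authority=Software Signing` as "signed by Apple" is an assumption; the real decision is made by AMFI in the kernel.

```shell
#!/bin/sh
# Userland approximation of the library validation rule (not AMFI itself).
# Inputs are text as printed by `codesign -dv --verbose=4 <path>` (on stderr).

# Print the TeamIdentifier value found in codesign output on stdin.
team_id() { sed -n 's/^TeamIdentifier=//p' | head -n 1; }

# Assumption: a leaf authority of "Software Signing" means Apple-signed.
is_apple_signed() { grep -q '^Authority=Software Signing$'; }

# would_load HOST_INFO LIB_INFO: prints "allow" or "deny".
would_load() {
    host_team=$(printf '%s\n' "$1" | team_id)
    lib_team=$(printf '%s\n' "$2" | team_id)
    if printf '%s\n' "$2" | is_apple_signed; then echo allow; return; fi
    # Unsigned (no TeamIdentifier line) or ad-hoc ("not set") never matches.
    if [ -z "$lib_team" ] || [ "$lib_team" = "not set" ]; then echo deny; return; fi
    if [ "$lib_team" = "$host_team" ]; then echo allow; else echo deny; fi
}

# Constructed, trimmed samples; identifiers and team IDs are placeholders.
HOST='Identifier=com.example.app
Authority=Developer ID Application: Example Corp (EXAMPLE123)
TeamIdentifier=EXAMPLE123'
LIB_SAME='Identifier=com.example.plugin
Authority=Developer ID Application: Example Corp (EXAMPLE123)
TeamIdentifier=EXAMPLE123'
LIB_OTHER='Identifier=org.other.hook
Authority=Developer ID Application: Other Org (OTHERTEAM9)
TeamIdentifier=OTHERTEAM9'
LIB_APPLE='Identifier=com.apple.samplelib
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
TeamIdentifier=not set'
LIB_ADHOC='Identifier=hook-5555
Signature=adhoc
TeamIdentifier=not set'
LIB_UNSIGNED='/tmp/hook.dylib: code object is not signed at all'

# One verdict per candidate dylib, in the order listed.
for lib in "$LIB_SAME" "$LIB_OTHER" "$LIB_APPLE" "$LIB_ADHOC" "$LIB_UNSIGNED"; do
    would_load "$HOST" "$lib"
done
```

On a Mac, capture real input with `codesign -dv --verbose=4 <path> 2>&1` and pass the host's and the dylib's output as the two arguments.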

AMFI lives in AppleMobileFileIntegrity.kext and is not open source. Its consequences are everywhere — every exec, every dlopen, every mprotect(PROT_EXEC) is gated through it.

See also: code signing, entitlement, SIP.