Apple Security and Privacy

Lightning Talk given on June 30, 2016.

A summary of some points mentioned in the WWDC 2016 sessions:
705 - How iOS Security Really Works
706 - What's New in Security
709 - Engineering Privacy for Your Users

Has a few pointers about what you can do in your app to protect your users' security and privacy.

Caesar Wirth

July 01, 2016

Transcript

  1. Providing the Best Protections
    1. What makes iOS Secure
    2. Keeping your App Secure
    3. Maintaining User Privacy
  2. Providing the Best Protections
    1. What makes iOS Secure
    2. Keeping your App Secure
    3. Maintaining User Privacy
  3. What makes iOS Secure
    1. Secure Boot
    2. Data Protection
    3. Sandboxing
    4. Code Signing
    5. Touch ID
  4. What makes iOS Secure
    1. Secure Boot
    2. Data Protection
    3. Sandboxing
    4. Code Signing
    5. Touch ID
  5. Data Protection
    » Encryption key is derived from passcode
    » Can't be opened after 10 attempts
    » Entangled with hardware
  6. Providing the Best Protections
    1. What makes iOS Secure
    2. Keeping your App Secure
    3. Maintaining User Privacy
  7. Providing the Best Protections
    1. What makes iOS Secure
    2. Keeping your App Secure
    3. Maintaining User Privacy
  8. Keeping your App Secure: Third-Party Libraries
    » You are responsible for the third-party code you use
    » AFNetworking
    » 25k Apps Affected
  9. Keeping your App Secure: App Transport Security (ATS)
    » Enforced at end of 2016
    » Update your servers!
    » TLS v1.2, forward secrecy, SHA-2 certificates
  10. Keeping your App Secure: App Transport Security (ATS)
    Not good enough! Explain your exceptions, e.g. third-party server hasn't upgraded yet.
  11. Things To Do
    ✅ Use Touch ID
    ✅ Know your third-party libraries
    ✅ Update your servers!
  12. Providing the Best Protections
    1. What makes iOS Secure
    2. Keeping your App Secure
    3. Maintaining User Privacy
  13. Providing the Best Protections
    1. What makes iOS Secure
    2. Keeping your App Secure
    3. Maintaining User Privacy
  14. Maintaining User Privacy: Focus on trends, not individuals.
    » Use anonymous identifiers
    » Collect aggregated data
  15. Maintaining User Privacy: Good Identifiers

    ```swift
    import UIKit
    import AdSupport

    // Random every time
    let sessionId = UUID()
    // Changes when app is uninstalled
    let vendorId = UIDevice.current.identifierForVendor
    // Only for advertising!!!
    let adId = ASIdentifierManager.shared().advertisingIdentifier
    ```
  16. Maintaining User Privacy: Data Collection
    » Only take data that is needed
    » e.g. event happened 5, 10, 20, 30, 50+ times, rather than 86
    » Data from just 10% of users gives a good average
    » Collect data with aggregates
  17. Maintaining User Privacy: Data Collection With Aggregates
    1. Begin with data
    2. Add noise
    3. Server receives privatized data
    4. Compute averages
  18. Maintaining User Privacy: Data Collection With Aggregates
    How Many Hours Worked Last Week
    Original Value: 48
    Projection: ...0000001000000...
  19. Maintaining User Privacy: Data Collection With Aggregates
    How Many Hours Worked Last Week
    Original Value: 48
    Projection: ...0000001000000...
    Randomized: ...0100101001001...
  20. Things To Do
    ✅ Use Touch ID
    ✅ Know your third-party libraries
    ✅ Update your servers!
    ✅ Collect data, while protecting privacy
  21. Things To Do
    ✅ Use Touch ID
    ✅ Know your third-party libraries
    ✅ Update your servers!
    ✅ Collect data, while protecting privacy
  22. WWDC 2016 Sessions

    ```swift
    // sessionId is one of the session numbers listed below
    let sessionUrl = "https://developer.apple.com/videos/play/wwdc2016/\(sessionId)"
    ```

    » 705 - How iOS Security Really Works
    » 706 - What's New in Security
    » 709 - Engineering Privacy for Your Users
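
The four steps on slides 17 to 19 (begin with data, add noise, server receives privatized data, compute averages) can be sketched end to end as follows. This is an added example, not code from the deck or from Apple: the slides do not say how the noise is generated, so independent per-bit flipping (randomized response) is an assumption, as are the function names, the 80-bucket range, the 10% flip probability and the constructed sample data. Python is used so the client and server halves run together.

```python
import random

def project(value, size):
    """One-hot projection of a value, as on slide 18: ...0001000..."""
    if not 0 <= value < size:
        raise ValueError("value outside the projected range")
    return [1 if i == value else 0 for i in range(size)]

def randomize(bits, flip_prob, rng):
    """Client side: flip every bit independently with probability flip_prob."""
    return [b ^ 1 if rng.random() < flip_prob else b for b in bits]

def estimate_counts(reports, flip_prob):
    """Server side: debias the per-position sums of the noisy reports.

    E[sum_j] = n_j*(1-f) + (n-n_j)*f, hence n_j = (sum_j - n*f) / (1 - 2f).
    """
    if not 0 <= flip_prob < 0.5:
        raise ValueError("flip_prob must be in [0, 0.5)")
    n = len(reports)
    sums = [sum(column) for column in zip(*reports)]
    return [(s - n * flip_prob) / (1 - 2 * flip_prob) for s in sums]

def estimate_mean(reports, flip_prob):
    """Average of the underlying values, computed from debiased counts only."""
    counts = estimate_counts(reports, flip_prob)
    return sum(value * c for value, c in enumerate(counts)) / len(reports)

def simulate(n_users=20000, size=80, flip_prob=0.1, seed=2016):
    """Constructed data: 'hours worked last week' drawn around 40 per user."""
    rng = random.Random(seed)
    truth = [min(size - 1, max(0, round(rng.gauss(40, 8))))
             for _ in range(n_users)]
    # Only the randomized vectors leave the (simulated) devices.
    reports = [randomize(project(h, size), flip_prob, rng) for h in truth]
    return sum(truth) / n_users, estimate_mean(reports, flip_prob)

if __name__ == "__main__":
    true_mean, estimated = simulate()
    print(f"true mean {true_mean:.2f}h, estimated from noisy reports {estimated:.2f}h")
```

A single randomized report says little about its sender because any bit may have been flipped, while the debiased average converges on the true one as the number of reports grows. A higher flip probability gives each user more deniability and requires more reports for the same accuracy.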