Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Apple Security and Privacy

Apple Security and Privacy

Lightening Talk given on June 30, 2016.

A summary of some points mentioned in the WWDC 2016 sessions:
705 - How iOS Security Really Works
706 - What's New in Security
709 - Engineering Privacy for Your Users

Has a few pointers about what you can do in your app to protect your users' security and privacy.

696cf5da599733261059de06c4d1fe22?s=128

Caesar Wirth

July 01, 2016
Tweet

Transcript

  1.  ! & ✋ WWDC 2016 Caesar Wirth - June

    30, 2016
  2. Providing the Best Protections 1. What makes iOS Secure 2.

    Keeping your App Secure 3. Maintaining User Privacy
  3. Providing the Best Protections 1. What makes iOS Secure 2.

    Keeping your App Secure 3. Maintaining User Privacy
  4. What makes iOS Secure 1. Secure Boot 2. Data Protection

    3. Sandboxing 4. Code Signing 5. Touch ID
  5. What makes iOS Secure 1. Secure Boot 2. Data Protection

    3. Sandboxing 4. Code Signing 5. Touch ID
  6. Data Protection » Encryption key is derived from passcode »

    Can't be opened after 10 attemps » Entangled with hardware
  7. Touch ID » Same protections as passcode » Securely linked

    to Secure Enclave » Fast » Easy
  8. Passcode use before Touch ID

  9. Passcode use after Touch ID

  10. Things To Do ✅ Use Touch ID

  11. Providing the Best Protections 1. What makes iOS Secure 2.

    Keeping your App Secure 3. Maintaining User Privacy
  12. Providing the Best Protections 1. What makes iOS Secure 2.

    Keeping your App Secure 3. Maintaining User Privacy
  13. Keeping your App Secure Third-Party Libraries

  14. Keeping your App Secure Third-Party Libraries » You are responsible

    for the third-party code you use » AFNetworking » 25k Apps Affected
  15. Things To Do ✅ Use Touch ID ✅ Know your

    third-party libraries
  16. Keeping your App Secure App Transport Security (ATS)

  17. Keeping your App Secure App Transport Security (ATS) » Enforced

    at end of 2016 » Update your servers! » TLS v1.2, forward secrecy, SHA-2 certificates
  18. Keeping your App Secure App Transport Security (ATS) Not good

    enough! Explain your exceptions. eg. third-party server hasn't upgraded yet.
  19. Keeping your App Secure App Transport Security (ATS) http://developer.hatenastaff.com/entry/2016/06/16/165924

  20. Things To Do ✅ Use Touch ID ✅ Know your

    third-party libraries ✅ Update your servers!
  21. Providing the Best Protections 1. What makes iOS Secure 2.

    Keeping your App Secure 3. Maintaining User Privacy
  22. Providing the Best Protections 1. What makes iOS Secure 2.

    Keeping your App Secure 3. Maintaining User Privacy
  23. Maintaining User Privacy Focus on trends, not individuals. » Use

    anonymous identifiers » Collect aggregated data
  24. Maintaining User Privacy Good Identifiers » Short-lived » Anonymous »

    Resettable » Identify Sessions, not Users
  25. Maintaining User Privacy Good Identifiers // Random every time let

    sessionId = UUID() // Changes when app is uninstalled let vendorId = UIDevice.current().identifierForVendor // Only for advertising!!! let adId = ASIdentifierManager.shared().advertisingIdentifier
  26. Maintaining User Privacy Data Collection » Only take data that

    is needed » eg. event happened 5, 10, 20, 30, 50+ times, rather than 86 » Data from just 10% of users gives a good average » Collect data with with aggregates
  27. Maintaining User Privacy Data Collection With Aggregates 1. Begin with

    data 2. Add noise 3. Server receives privatized data 4. Compute averages
  28. Maintaining User Privacy Data Collection With Aggregates How Many Hours

    Worked Last Week Original Value: 48
  29. Maintaining User Privacy Data Collection With Aggregates How Many Hours

    Worked Last Week Original Value: 48 Projection: ...0000001000000...
  30. Maintaining User Privacy Data Collection With Aggregates How Many Hours

    Worked Last Week Original Value: 48 Projection: ...0000001000000... Randomized: ...0100101001001...
  31. Maintaining User Privacy Data Collection with Aggregates

  32. Maintaining User Privacy Data Collection with Aggregates Average = 41

    hours ...0000000000100000...
  33. Things To Do ✅ Use Touch ID ✅ Know your

    third-party libraries ✅ Update your servers! ✅ Collect data, while protecting privacy
  34. Things To Do ✅ Use Touch ID ✅ Know your

    third-party libraries ✅ Update your servers! ✅ Collect data, while protecting privacy
  35. WWDC 2016 ! & ✋ Sessions let sessionUrl = "https://developer.apple.com/videos/play/wwdc2016/\(sessionId)"

    » 705 - How iOS Security Really Works » 706 - What's New in Security » 709 - Engineering Privacy for Your Users
  36. Thank You!