S stands for security in WWDC

Talk by Anastasiia Vixentael

Originally posted here: https://speakerdeck.com/vixentael/security-privacy-and-cryptography-at-wwdc19

This is an overview talk about the security-related additions announced at WWDC, in particular the CryptoKit framework, from the point of view of an experienced security engineer.

This talk was given at CocoaFriday #4 ( https://cocoaheads.org.ua/cocoafriday/4 ), which took place on Jun 14, 2019.

Video: https://youtu.be/61BUVpDBdZQ

CocoaHeads Ukraine

June 14, 2019
Transcript

  1. Security, privacy and crypto @vixentael at #wwdc19

  2. @vixentael product engineer in security and cryptography OSS maintainer: Themis, Acra cryptographic tools, security engineering, datasec training

  3. Bespoke data security solutions and security engineering.

  4. @vixentael

  5. @vixentael PRIVACY

  6. @vixentael

  7. developer.apple.com/app-store/review/rejections/ @vixentael apple.com/ios/app-store/principles-practices/

  8. @vixentael PRIVACY POLICY UPDATE https://developer.apple.com/news/?id=06032019j

  9. @vixentael PRIVACY POLICY UPDATE https://developer.apple.com/news/?id=06032019j

  10. @vixentael PRIVACY POLICY UPDATE https://developer.apple.com/news/?id=06032019j new apps – now, existing apps – 3 September

  11. @vixentael WATCHOS

  12. @vixentael NOISE

  13. @vixentael SIGN IN, SIGN UP developer.apple.com/documentation/watchkit/authenticating_users_on_apple_watch

  14. @vixentael HOMEKIT

  15. @vixentael

  16. @vixentael theverge.com/2019/6/3/18646453/apple-homekit-support-smart-home-security-routers-wwdc-2019

  17. @vixentael SIGN IN WITH APPLE

  18. @vixentael

  19. @vixentael

  20. @vixentael

  21. @vixentael https://developer.apple.com/news/?id=06032019j https://twitter.com/hybridcattt/status/1139253619637854208

  22. @vixentael MACOS

  23. @vixentael https://developer.apple.com/documentation/authenticationservices/asauthorizationsinglesignonprovider ASAuthorizationSingleSignOnProvider

  24. @vixentael https://developer.apple.com/documentation/localauthentication/lapolicy/lapolicydeviceownerauthenticationwithwatch?language=objc LAPolicyDeviceOwnerAuthenticationWithBiometricsOrWatch

  25. @vixentael TLS CERTIFICATES https://twitter.com/BasileBailey/status/1136017729842962432 https://support.apple.com/en-us/HT210176 • TLS 1.3 welcome • RSA keys >= 2048 bits • no SHA-1 anymore • ExtendedKeyUsage required • max 825 days

  26. @vixentael FOR MACOS DEVS • Endpoint security framework • App notarization, Gatekeeper, quarantine • new permissions 701: Advances in macOS Security

  27. @vixentael https://theevilbit.github.io/posts/getting_root_with_benign_appstore_apps/ @patrickwardle THREE WORDS TO RUIN AN APPLE ENGINEER'S DAY: 'PATRICK WARDLE DISCLOSURE'

  28. @vixentael PRIVACY

  29. @vixentael IOS & MACOS PRIVACY UPDS • prevents macApps from taking screenshots https://krausefx.com/blog/mac-privacy-sandboxed-mac-apps-can-take-screenshots • prevents iOS apps from tracking location https://krausefx.com/blog/ios-privacy-detectlocation-an-easy-way-to-access-the-users-ios-location-data-without-actually-having-access

  30. @vixentael IOS & MACOS PRIVACY UPDS

  31. @vixentael FIND MY

  32. @vixentael wired.com/story/apple-find-my-cryptography-bluetooth/

  33. @vixentael blog.cryptographyengineering.com/2019/06/05/how-does-apple-privately-find-your-offline-devices/ wired.com/story/apple-find-my-cryptography-bluetooth/

  34. @vixentael CRYPTO

  35. @vixentael developer.apple.com/documentation/cryptokit/

  36. @vixentael https://speakerdeck.com/vixentael/use-cryptography-dont-learn-it

  37. @vixentael developer.apple.com/documentation/cryptokit/

  38. @vixentael https://twitter.com/veorq/status/660028363449454592

  39. @vixentael

  40. @vixentael

  41. @vixentael wired.com/story/apple-find-my-cryptography-bluetooth/

  42. @vixentael CRYPTOKIT developer.apple.com/documentation/cryptokit/ - CryptoKit is based on corecrypto (C, FIPS 140-2 compliant) - should be fast on ARM - high level API - modern crypto (AES GCM, Chacha20, ECC)

  43. @vixentael https://speakerdeck.com/vixentael/use-cryptography-dont-learn-it

  44. @vixentael CRYPTOKIT developer.apple.com/documentation/cryptokit/ - crypto-library, you need to work hard to make entire app - key management is still dev’s pain

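Slides 42 and 44 above name CryptoKit's AEAD ciphers and point out that key management stays the developer's job. The Swift below is an added example, not code from the talk or from CryptoKit's documentation: it seals a message with AES-GCM, keeps the SymmetricKey in the Keychain rather than in source, and shows the authentication tag rejecting a tampered ciphertext. The helper names (seal, unseal, storeKey, loadKey), the error enum and the account string are assumptions of this example; it assumes iOS 13 / macOS 10.15 or later.

```swift
import Foundation
import CryptoKit
import Security
// Hypothetical helper names and error type, not from the talk or from CryptoKit.
enum DemoError: Error { case keychain(OSStatus), malformed }
/// AES-256-GCM seal: returns nonce || ciphertext || tag (CryptoKit's "combined" form).
/// CryptoKit draws a fresh random 12-byte nonce on every call; never reuse a nonce with a key.
func seal(_ plaintext: Data, with key: SymmetricKey) throws -> Data {
    let box = try AES.GCM.seal(plaintext, using: key)
    guard let combined = box.combined else { throw DemoError.malformed }
    return combined
}
/// Decrypts and verifies the tag; throws if the data was modified or the key differs,
/// so the caller never receives unauthenticated plaintext.
func unseal(_ combined: Data, with key: SymmetricKey) throws -> Data {
    let box = try AES.GCM.SealedBox(combined: combined)
    return try AES.GCM.open(box, using: key)
}
/// Keeps the raw key in the Keychain (this device only, readable while unlocked)
/// instead of in code or UserDefaults.
func storeKey(_ key: SymmetricKey, account: String) throws {
    let raw = key.withUnsafeBytes { Data($0) }
    let base: [String: Any] = [kSecClass as String: kSecClassGenericPassword,
                               kSecAttrAccount as String: account]
    SecItemDelete(base as CFDictionary)          // replace any earlier key under this account
    var add = base
    add[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    add[kSecValueData as String] = raw
    let status = SecItemAdd(add as CFDictionary, nil)
    guard status == errSecSuccess else { throw DemoError.keychain(status) }
}
func loadKey(account: String) throws -> SymmetricKey {
    let query: [String: Any] = [kSecClass as String: kSecClassGenericPassword,
                                kSecAttrAccount as String: account,
                                kSecReturnData as String: true]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let raw = item as? Data else { throw DemoError.keychain(status) }
    return SymmetricKey(data: raw)
}
// Usage: generate, persist, reload, seal, then show that a flipped tag byte is rejected.
let account = "com.example.demo.messagekey"     // constructed account name for this example
let key = SymmetricKey(size: .bits256)
try storeKey(key, account: account)
let sealed = try seal(Data("hello wwdc".utf8), with: loadKey(account: account))
print(String(decoding: try unseal(sealed, with: key), as: UTF8.self))   // hello wwdc
var tampered = sealed
tampered[tampered.index(before: tampered.endIndex)] ^= 0x01
print((try? unseal(tampered, with: key)) == nil)   // true: tag check fails, no plaintext returned
```

The Keychain calls need a real app sandbox or a signed macOS binary to succeed; in a bare playground, replace storeKey/loadKey with the in-memory key to exercise the AEAD part alone.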
  45. @vixentael https://github.com/cossacklabs/themis

  46. @vixentael

  47. @vixentael

  48. • 708: Designing for Privacy • 709: Cryptography and Your Apps • 703: All About Notarization • 706: Introducing Sign In with Apple • 701: Advances in macOS Security • 702: System Extensions and DriverKit • 504: What’s New in Authentication, Safari, and WebKit

  49. @vixentael product engineer in security and cryptography OSS maintainer: Themis, Acra cryptographic tools, security engineering, datasec training github.com/vixentael/my-talks wwdcbysundell.com/2019/anastasiia-voitova-on-security/

  50. SECURITY WORKSHOPS Security Basics Enterprise Secure Architecture Secure Web apps Secure Software Development Secure Mobile apps