S stands for security in WWDC

Transcript

1. Security, privacy and crypto @vixentael at #wwdc19

2. @vixentael product engineer in security and cryptography OSS maintainer: Themis,

   Acra cryptographic tools, security engineering, datasec training

3. Bespoke data security solutions and security engineering.

4. @vixentael

5. @vixentael PRIVACY

6. @vixentael

7. developer.apple.com/app-store/review/rejections/ @vixentael apple.com/ios/app-store/principles-practices/

8. @vixentael PRIVACY POLICY UPDATE https://developer.apple.com/news/?id=06032019j

9. @vixentael PRIVACY POLICY UPDATE https://developer.apple.com/news/?id=06032019j

10. @vixentael PRIVACY POLICY UPDATE https://developer.apple.com/news/?id=06032019j new apps – now existing

    apps – 3 September

11. @vixentael WATCHOS

12. @vixentael NOISE

13. @vixentael SIGN IN, SIGN UP developer.apple.com/documentation/watchkit/ authenticating_users_on_apple_watch

14. @vixentael HOMEKIT

15. @vixentael

16. @vixentael theverge.com/2019/6/3/18646453/apple-homekit-support-smart- home-security-routers-wwdc-2019

17. @vixentael SIGN IN WITH APPLE

18. @vixentael

19. @vixentael

20. @vixentael

21. @vixentael https://developer.apple.com/news/?id=06032019j https://twitter.com/hybridcattt/status/1139253619637854208

22. @vixentael MACOS

23. @vixentael https://developer.apple.com/documentation/authenticationservices/ asauthorizationsinglesignonprovider ASAuthorizationSingleSignOnProvider

24. @vixentael https://developer.apple.com/documentation/localauthentication/lapolicy/ lapolicydeviceownerauthenticationwithwatch?language=objc LAPolicyDeviceOwnerAuthenticationWithBiometricsOrWatch

25. @vixentael TLS CERTIFICATES https://twitter.com/BasileBailey/status/1136017729842962432 https://support.apple.com/en-us/HT210176 • TLS 1.3 welcome •

    RSA keys >= 2048 bits • no SHA-1 anymore • ExtendedKeyUsage required • max 825 days

26. @vixentael • Endpoint security framework • App notarization, Gatekeeper, quarantine

    • new permissions 701: Advances in macOS Security FOR MACOS DEVS

27. @vixentael https://theevilbit.github.io/posts/getting_root_with_benign_appstore_apps/ @patrickwardle THREE WORDS TO RUIN AN APPLE ENGINEER'S

    DAY: 'PATRICK WARDLE DISCLOSURE'

28. @vixentael PRIVACY

29. @vixentael IOS & MACOS PRIVACY UPDS • prevents macApps from

    taking screenshots https://krausefx.com/blog/mac-privacy-sandboxed-mac-apps-can-take- screenshots • prevents iOS apps from tracking location https://krausefx.com/blog/ios-privacy-detectlocation-an-easy-way-to-access-the- users-ios-location-data-without-actually-having-access

30. @vixentael IOS & MACOS PRIVACY UPDS

31. @vixentael FIND MY

32. @vixentael wired.com/story/apple-find-my-cryptography-bluetooth/

33. @vixentael blog.cryptographyengineering.com/2019/06/05/how-does-apple- privately-find-your-offline-devices/ wired.com/story/apple-find-my-cryptography-bluetooth/

34. @vixentael CRYPTO

35. @vixentael developer.apple.com/documentation/cryptokit/

36. @vixentael https://speakerdeck.com/vixentael/use-cryptography-dont-learn-it

37. @vixentael developer.apple.com/documentation/cryptokit/

38. @vixentael https://twitter.com/veorq/status/660028363449454592

39. @vixentael

40. @vixentael

41. @vixentael wired.com/story/apple-find-my-cryptography-bluetooth/

42. @vixentael developer.apple.com/documentation/cryptokit/ - CryptoKit is based on corecrypto (C, FIPS

    140-2 compliant) - should be fast on ARM - high level API - modern crypto (AES GCM, Chacha20, ECC) CRYPTOKIT

43. @vixentael https://speakerdeck.com/vixentael/use-cryptography-dont-learn-it

44. @vixentael developer.apple.com/documentation/cryptokit/ - crypto-library, you need to work hard to

    make entire app - key management is still dev’s pain CRYPTOKIT

45. @vixentael https://github.com/cossacklabs/themis

46. @vixentael

47. @vixentael

48. • 708: Designing for Privacy • 709: Cryptography and Your

    Apps • 703: All About Notarization • 706: Introducing Sign In with Apple • 701: Advances in macOS Security • 702: System Extensions and DriverKit • 504: What’s New in Authentication, Safari, and WebKit

49. @vixentael product engineer in security and cryptography OSS maintainer: Themis,

    Acra cryptographic tools, security engineering, datasec training github.com/vixentael/my-talks wwdcbysundell.com/2019/ anastasiia-voitova-on-security/

50. Security Basics SECURITY WORKSHOPS Enterprise Secure Architecture Secure Web apps

    Secure Software Development Secure Mobile apps