S stands for security in WWDC

Talk by Anastasiia Vixentael

Originally posted here: https://speakerdeck.com/vixentael/security-privacy-and-cryptography-at-wwdc19

This will be an overview talk on the security innovations presented at WWDC, in particular the CryptoKit framework, from the perspective of an experienced security engineer.

This talk was made for CocoaFriday #4 ( https://cocoaheads.org.ua/cocoafriday/4 ) which took place Jun 14, 2019

Video: https://youtu.be/61BUVpDBdZQ

CocoaHeads Ukraine

June 14, 2019

Transcript

  1. Security, privacy and crypto
    @vixentael
    at #wwdc19

  2. @vixentael
    product engineer in security
    and cryptography
    OSS maintainer: Themis, Acra
    cryptographic tools, security
    engineering, datasec training

  3. Bespoke data security solutions
    and security engineering.

  4. @vixentael

  5. @vixentael
    PRIVACY

  6. @vixentael

  7. developer.apple.com/app-store/review/rejections/ @vixentael
    apple.com/ios/app-store/principles-practices/

  8. @vixentael
    PRIVACY POLICY UPDATE
    https://developer.apple.com/news/?id=06032019j

  9. @vixentael
    PRIVACY POLICY UPDATE
    https://developer.apple.com/news/?id=06032019j

  10. @vixentael
    PRIVACY POLICY UPDATE
    https://developer.apple.com/news/?id=06032019j
    new apps – now
    existing apps – 3 September

  11. @vixentael
    WATCHOS

  12. @vixentael
    NOISE

  13. @vixentael
    SIGN IN,
    SIGN UP
    developer.apple.com/documentation/watchkit/authenticating_users_on_apple_watch

  14. @vixentael
    HOMEKIT

  15. @vixentael

  16. @vixentael
    theverge.com/2019/6/3/18646453/apple-homekit-support-smart-home-security-routers-wwdc-2019

  17. @vixentael
    SIGN IN
    WITH APPLE

  18. @vixentael

  19. @vixentael

  20. @vixentael

  21. @vixentael
    https://developer.apple.com/news/?id=06032019j
    https://twitter.com/hybridcattt/status/1139253619637854208

  22. @vixentael
    MACOS

  23. @vixentael
    https://developer.apple.com/documentation/authenticationservices/asauthorizationsinglesignonprovider
    ASAuthorizationSingleSignOnProvider

  24. @vixentael
    https://developer.apple.com/documentation/localauthentication/lapolicy/lapolicydeviceownerauthenticationwithwatch?language=objc
    LAPolicyDeviceOwnerAuthenticationWithBiometricsOrWatch

  25. @vixentael
    TLS CERTIFICATES
    https://twitter.com/BasileBailey/status/1136017729842962432
    https://support.apple.com/en-us/HT210176
    • TLS 1.3 welcome
    • RSA keys >= 2048 bits
    • no SHA-1 anymore
    • ExtendedKeyUsage required
    • max 825 days

  26. @vixentael
    • Endpoint security framework
    • App notarization, Gatekeeper, quarantine
    • new permissions
    701: Advances in macOS Security
    FOR MACOS DEVS

  27. @vixentael
    https://theevilbit.github.io/posts/getting_root_with_benign_appstore_apps/
    @patrickwardle
    THREE WORDS TO RUIN AN APPLE ENGINEER'S
    DAY: 'PATRICK WARDLE DISCLOSURE'

  28. @vixentael
    PRIVACY

  29. @vixentael
    IOS & MACOS PRIVACY UPDS
    • prevents macApps from taking screenshots
    https://krausefx.com/blog/mac-privacy-sandboxed-mac-apps-can-take-screenshots
    • prevents iOS apps from tracking location
    https://krausefx.com/blog/ios-privacy-detectlocation-an-easy-way-to-access-the-users-ios-location-data-without-actually-having-access

  30. @vixentael
    IOS & MACOS PRIVACY UPDS

  31. @vixentael
    FIND MY

  32. @vixentael
    wired.com/story/apple-find-my-cryptography-bluetooth/

  33. @vixentael
    blog.cryptographyengineering.com/2019/06/05/how-does-apple-privately-find-your-offline-devices/
    wired.com/story/apple-find-my-cryptography-bluetooth/

  34. @vixentael
    CRYPTO

  35. @vixentael
    developer.apple.com/documentation/cryptokit/

  36. @vixentael
    https://speakerdeck.com/vixentael/use-cryptography-dont-learn-it

  37. @vixentael
    developer.apple.com/documentation/cryptokit/

  38. @vixentael
    https://twitter.com/veorq/status/660028363449454592

  39. @vixentael

  40. @vixentael

  41. @vixentael
    wired.com/story/apple-find-my-cryptography-bluetooth/

  42. @vixentael
    developer.apple.com/documentation/cryptokit/
    - CryptoKit is based on corecrypto (C, FIPS 140-2
    compliant)
    - should be fast on ARM
    - high level API
    - modern crypto (AES GCM, Chacha20, ECC)
    CRYPTOKIT

  43. @vixentael
    https://speakerdeck.com/vixentael/use-cryptography-dont-learn-it

  44. @vixentael
    developer.apple.com/documentation/cryptokit/
    - crypto-library, you need to work hard to make entire
    app
    - key management is still dev’s pain
    CRYPTOKIT

  45. @vixentael
    https://github.com/cossacklabs/themis

  46. @vixentael

  47. @vixentael

  48. • 708: Designing for Privacy
    • 709: Cryptography and Your Apps
    • 703: All About Notarization
    • 706: Introducing Sign In with Apple
    • 701: Advances in macOS Security
    • 702: System Extensions and DriverKit
    • 504: What’s New in Authentication, Safari, and WebKit

  49. @vixentael
    product engineer in security
    and cryptography
    OSS maintainer: Themis, Acra
    cryptographic tools, security
    engineering, datasec training
    github.com/vixentael/my-talks
    wwdcbysundell.com/2019/anastasiia-voitova-on-security/

  50. Security
    Basics
    SECURITY
    WORKSHOPS
    Enterprise Secure
    Architecture
    Secure Web apps
    Secure Software
    Development
    Secure Mobile apps
