S stands for security in WWDC

Transcript

1. Security, privacy and crypto
   @vixentael
   at #wwdc19
   

   View Slide

2. @vixentael
   product engineer in security
   and cryptography
   OSS maintainer: Themis, Acra
   cryptographic tools, security
   engineering, datasec training
   

   View Slide

3. Bespoke data security solutions
   and security engineering.
   

   View Slide

4. @vixentael
   

   View Slide

5. @vixentael
   PRIVACY
   

   View Slide

6. @vixentael
   

   View Slide

7. developer.apple.com/app-store/review/rejections/ @vixentael
   apple.com/ios/app-store/principles-practices/
   

   View Slide

8. @vixentael
   PRIVACY POLICY UPDATE
   https://developer.apple.com/news/?id=06032019j
   

   View Slide

9. @vixentael
   PRIVACY POLICY UPDATE
   https://developer.apple.com/news/?id=06032019j
   

   View Slide

10. @vixentael
    PRIVACY POLICY UPDATE
    https://developer.apple.com/news/?id=06032019j
    new apps – now
    existing apps – 3 September
    

    View Slide

11. @vixentael
    WATCHOS
    

    View Slide

12. @vixentael
    NOISE
    

    View Slide

13. @vixentael
    SIGN IN,
    SIGN UP
    developer.apple.com/documentation/watchkit/
    authenticating_users_on_apple_watch
    

    View Slide

14. @vixentael
    HOMEKIT
    

    View Slide

15. @vixentael
    

    View Slide

16. @vixentael
    theverge.com/2019/6/3/18646453/apple-homekit-support-smart-
    home-security-routers-wwdc-2019
    

    View Slide

17. @vixentael
    SIGN IN
    WITH APPLE
    

    View Slide

18. @vixentael
    

    View Slide

19. @vixentael
    

    View Slide

20. @vixentael
    

    View Slide

21. @vixentael
    https://developer.apple.com/news/?id=06032019j
    https://twitter.com/hybridcattt/status/1139253619637854208
    

    View Slide

22. @vixentael
    MACOS
    

    View Slide

23. @vixentael
    https://developer.apple.com/documentation/authenticationservices/
    asauthorizationsinglesignonprovider
    ASAuthorizationSingleSignOnProvider
    

    View Slide

24. @vixentael
    https://developer.apple.com/documentation/localauthentication/lapolicy/
    lapolicydeviceownerauthenticationwithwatch?language=objc
    LAPolicyDeviceOwnerAuthenticationWithBiometricsOrWatch
    

    View Slide

25. @vixentael
    TLS CERTIFICATES
    https://twitter.com/BasileBailey/status/1136017729842962432
    https://support.apple.com/en-us/HT210176
    • TLS 1.3 welcome
    • RSA keys >= 2048 bits
    • no SHA-1 anymore
    • ExtendedKeyUsage required
    • max 825 days
    

    View Slide

26. @vixentael
    • Endpoint security framework
    • App notarization, Gatekeeper, quarantine
    • new permissions
    701: Advances in macOS Security
    FOR MACOS DEVS
    

    View Slide

27. @vixentael
    https://theevilbit.github.io/posts/getting_root_with_benign_appstore_apps/
    @patrickwardle
    THREE WORDS TO RUIN AN APPLE ENGINEER'S
    DAY: 'PATRICK WARDLE DISCLOSURE'
    

    View Slide

28. @vixentael
    PRIVACY
    

    View Slide

29. @vixentael
    IOS & MACOS PRIVACY UPDS
    • prevents macApps from taking screenshots
    https://krausefx.com/blog/mac-privacy-sandboxed-mac-apps-can-take-
    screenshots
    • prevents iOS apps from tracking location
    https://krausefx.com/blog/ios-privacy-detectlocation-an-easy-way-to-access-the-
    users-ios-location-data-without-actually-having-access
    

    View Slide

30. @vixentael
    IOS & MACOS PRIVACY UPDS
    

    View Slide

31. @vixentael
    FIND MY
    

    View Slide

32. @vixentael
    wired.com/story/apple-find-my-cryptography-bluetooth/
    

    View Slide

33. @vixentael
    blog.cryptographyengineering.com/2019/06/05/how-does-apple-
    privately-find-your-offline-devices/
    wired.com/story/apple-find-my-cryptography-bluetooth/
    

    View Slide

34. @vixentael
    CRYPTO
    

    View Slide

35. @vixentael
    developer.apple.com/documentation/cryptokit/
    

    View Slide

36. @vixentael
    https://speakerdeck.com/vixentael/use-cryptography-dont-learn-it
    

    View Slide

37. @vixentael
    developer.apple.com/documentation/cryptokit/
    

    View Slide

38. @vixentael
    https://twitter.com/veorq/status/660028363449454592
    

    View Slide

39. @vixentael
    

    View Slide

40. @vixentael
    

    View Slide

41. @vixentael
    wired.com/story/apple-find-my-cryptography-bluetooth/
    

    View Slide

42. @vixentael
    developer.apple.com/documentation/cryptokit/
    - CryptoKit is based on corecrypto (C, FIPS 140-2
    compliant)
    - should be fast on ARM
    - high level API
    - modern crypto (AES GCM, Chacha20, ECC)
    CRYPTOKIT
    

    View Slide

43. @vixentael
    https://speakerdeck.com/vixentael/use-cryptography-dont-learn-it
    

    View Slide

44. @vixentael
    developer.apple.com/documentation/cryptokit/
    - crypto-library, you need to work hard to make entire
    app
    - key management is still dev’s pain
    CRYPTOKIT
    

    View Slide

45. @vixentael
    https://github.com/cossacklabs/themis
    

    View Slide

46. @vixentael
    

    View Slide

47. @vixentael
    

    View Slide

48. • 708: Designing for Privacy
    • 709: Cryptography and Your Apps
    • 703: All About Notarization
    • 706: Introducing Sign In with Apple
    • 701: Advances in macOS Security
    • 702: System Extensions and DriverKit
    • 504: What’s New in Authentication, Safari, and WebKit
    

    View Slide

49. @vixentael
    product engineer in security
    and cryptography
    OSS maintainer: Themis, Acra
    cryptographic tools, security
    engineering, datasec training
    github.com/vixentael/my-talks
    wwdcbysundell.com/2019/
    anastasiia-voitova-on-security/
    

    View Slide

50. Security
    Basics
    SECURITY
    WORKSHOPS
    Enterprise Secure
    Architecture
    Secure Web apps
    Secure Software
    Development
    Secure Mobile apps
    

    View Slide