Slide 1

Security, privacy and crypto at #wwdc19 (@vixentael)

Slide 2

@vixentael: product engineer in security and cryptography; OSS maintainer of Themis and Acra; cryptographic tools, security engineering, datasec training

Slide 3

Bespoke data security solutions and security engineering.

Slide 4

Slide 5

PRIVACY

Slide 6

Slide 7

developer.apple.com/app-store/review/rejections/
apple.com/ios/app-store/principles-practices/

Slide 8

PRIVACY POLICY UPDATE
https://developer.apple.com/news/?id=06032019j

Slide 9

PRIVACY POLICY UPDATE
https://developer.apple.com/news/?id=06032019j

Slide 10

PRIVACY POLICY UPDATE
https://developer.apple.com/news/?id=06032019j
• new apps: now
• existing apps: 3 September 2019

Slide 11

WATCHOS

Slide 12

NOISE

Slide 13

SIGN IN, SIGN UP
developer.apple.com/documentation/watchkit/authenticating_users_on_apple_watch

Slide 14

HOMEKIT

Slide 15

Slide 16

theverge.com/2019/6/3/18646453/apple-homekit-support-smart-home-security-routers-wwdc-2019

Slide 17

SIGN IN WITH APPLE

Slide 18

Slide 19

Slide 20

Slide 21

https://developer.apple.com/news/?id=06032019j
https://twitter.com/hybridcattt/status/1139253619637854208

Slide 22

MACOS

Slide 23

ASAuthorizationSingleSignOnProvider
https://developer.apple.com/documentation/authenticationservices/asauthorizationsinglesignonprovider

Slide 24

LAPolicyDeviceOwnerAuthenticationWithBiometricsOrWatch
https://developer.apple.com/documentation/localauthentication/lapolicy/lapolicydeviceownerauthenticationwithwatch?language=objc
(macOS 10.15 adds two Apple Watch policies to LocalAuthentication: LAPolicyDeviceOwnerAuthenticationWithWatch, linked above, and LAPolicyDeviceOwnerAuthenticationWithBiometricsOrWatch, which accepts either Touch ID or a paired watch)
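How an app would actually adopt the new policy, as an added example that is not code from the deck or from Apple's documentation: the watch policies exist only on macOS 10.15 and later and only evaluate on a Mac that has Touch ID or a paired watch, so the code probes with canEvaluatePolicy and falls back to the password-capable policy. The helper names strongestPolicy and requireOwner, and the sample reason string, are assumptions for illustration.

```swift
import Foundation
import LocalAuthentication

// Assumed helper names for this example (not from the deck or Apple's docs):
// strongestPolicy / requireOwner.

/// Prefer Touch ID or a paired Apple Watch (macOS 10.15+); if the OS is older,
/// or this Mac has neither, fall back to the policy that also accepts the
/// account password so the feature is not silently unavailable.
func strongestPolicy(for context: LAContext) -> LAPolicy {
    var probeError: NSError?
    if #available(macOS 10.15, *),
       context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometricsOrWatch,
                                 error: &probeError) {
        return .deviceOwnerAuthenticationWithBiometricsOrWatch
    }
    return .deviceOwnerAuthentication
}

/// Gate a sensitive action on a fresh owner authentication. A new LAContext per
/// call means an earlier success on a reused context cannot satisfy this check.
func requireOwner(reason: String,
                  then action: @escaping () -> Void,
                  denied: @escaping (Error?) -> Void) {
    let context = LAContext()
    context.localizedCancelTitle = "Cancel"
    let policy = strongestPolicy(for: context)
    context.evaluatePolicy(policy, localizedReason: reason) { ok, error in
        // The reply block runs on a private queue; hop back before touching UI state.
        DispatchQueue.main.async {
            if ok { action() } else { denied(error) }
        }
    }
}

// Example call: the reason text is shown in the system prompt, so keep it specific.
requireOwner(reason: "Export the signing key",
             then: { print("owner verified") },
             denied: { error in print("denied: \(String(describing: error))") })
```

Treat the result as a one-shot decision for this action: the policy tells you the owner was present now, not that the process is trusted from here on.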

Slide 25

TLS CERTIFICATES
https://twitter.com/BasileBailey/status/1136017729842962432
https://support.apple.com/en-us/HT210176
(trust requirements for TLS server certificates in iOS 13 and macOS 10.15)
• TLS 1.3 welcome
• RSA keys >= 2048 bits
• no SHA-1 anymore
• ExtendedKeyUsage required
• max 825 days validity
HT210176 also requires the server's DNS name in the SubjectAltName extension, and applies the ExtendedKeyUsage and 825-day rules to certificates issued after 1 July 2019.

Slide 26

FOR MACOS DEVS
• Endpoint Security framework
• App notarization, Gatekeeper, quarantine
• new permissions
701: Advances in macOS Security

Slide 27

https://theevilbit.github.io/posts/getting_root_with_benign_appstore_apps/
@patrickwardle
"Three words to ruin an Apple engineer's day: 'Patrick Wardle disclosure'"

Slide 28

PRIVACY

Slide 29

IOS & MACOS PRIVACY UPDATES
• prevents Mac apps from taking screenshots
  https://krausefx.com/blog/mac-privacy-sandboxed-mac-apps-can-take-screenshots
• prevents iOS apps from tracking location
  https://krausefx.com/blog/ios-privacy-detectlocation-an-easy-way-to-access-the-users-ios-location-data-without-actually-having-access

Slide 30

IOS & MACOS PRIVACY UPDATES

Slide 31

FIND MY

Slide 32

wired.com/story/apple-find-my-cryptography-bluetooth/

Slide 33

blog.cryptographyengineering.com/2019/06/05/how-does-apple-privately-find-your-offline-devices/
wired.com/story/apple-find-my-cryptography-bluetooth/

Slide 34

CRYPTO

Slide 35

developer.apple.com/documentation/cryptokit/

Slide 36

https://speakerdeck.com/vixentael/use-cryptography-dont-learn-it

Slide 37

developer.apple.com/documentation/cryptokit/

Slide 38

https://twitter.com/veorq/status/660028363449454592

Slide 39

Slide 40

Slide 41

wired.com/story/apple-find-my-cryptography-bluetooth/

Slide 42

CRYPTOKIT
developer.apple.com/documentation/cryptokit/
• CryptoKit is built on corecrypto (C; Apple's corecrypto modules carry FIPS 140-2 validations)
• should be fast on ARM
• high-level API
• modern crypto only: AES-GCM, ChaCha20-Poly1305, ECC (P-256/P-384/P-521 and Curve25519)

Slide 43

https://speakerdeck.com/vixentael/use-cryptography-dont-learn-it

Slide 44

CRYPTOKIT
developer.apple.com/documentation/cryptokit/
• it is a crypto library: you still have to do the hard work of building a secure app around it
• key management is still the developer's pain
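The two CryptoKit slides above make one point between them: the library hands you sound primitives, and everything around them (what to authenticate, where the key lives) is still your job. As an added example, not code from the deck or from Apple, here is a small Swift envelope that uses CryptoKit's AES-GCM with the record's context bound as additional authenticated data, and that keeps the data key in the Keychain instead of in UserDefaults or source. The function names sealRecord, openRecord, storeKey and loadKey, the error type, and the Keychain account string are assumptions for illustration.

```swift
import Foundation
import Security
import CryptoKit

// Assumed names for this example (not from the deck or Apple's docs):
// sealRecord / openRecord / storeKey / loadKey and the Keychain account string.
enum RecordCryptoError: Error {
    case malformedCiphertext
    case keychain(OSStatus)
}

/// AES-256-GCM with the record's context (id, owner, schema version...) bound as
/// additional authenticated data: a valid ciphertext moved to another record
/// fails the tag check instead of decrypting.
func sealRecord(_ plaintext: Data, context: Data, using key: SymmetricKey) throws -> Data {
    let box = try AES.GCM.seal(plaintext, using: key, authenticating: context)
    // combined = 12-byte random nonce || ciphertext || 16-byte tag.
    // CryptoKit draws the nonce itself; `combined` is nil only for non-96-bit nonces.
    guard let combined = box.combined else { throw RecordCryptoError.malformedCiphertext }
    return combined
}

func openRecord(_ sealed: Data, context: Data, using key: SymmetricKey) throws -> Data {
    let box = try AES.GCM.SealedBox(combined: sealed)              // throws on short/garbled input
    return try AES.GCM.open(box, using: key, authenticating: context) // throws on tag mismatch
}

/// Keep the data key in the Keychain, this-device-only and unlocked-only, so it is
/// not migrated to other devices through backups and is unreadable while locked.
func storeKey(_ key: SymmetricKey, account: String) throws {
    let raw = key.withUnsafeBytes { Data($0) }
    let attrs: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrAccount as String: account,
        kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        kSecValueData as String: raw,
    ]
    // Replace any previous key under this account rather than failing with errSecDuplicateItem.
    _ = SecItemDelete([kSecClass as String: kSecClassGenericPassword,
                       kSecAttrAccount as String: account] as CFDictionary)
    let status = SecItemAdd(attrs as CFDictionary, nil)
    guard status == errSecSuccess else { throw RecordCryptoError.keychain(status) }
}

func loadKey(account: String) throws -> SymmetricKey {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let raw = item as? Data else {
        throw RecordCryptoError.keychain(status)
    }
    return SymmetricKey(data: raw)
}

// Usage: generate the key once, keep it only in the Keychain, load it when needed.
let account = "com.example.records.datakey"   // assumed identifier for this example
try storeKey(SymmetricKey(size: .bits256), account: account)

let context = Data("record:42:v1".utf8)       // constructed sample context
let secret = Data("patient notes".utf8)       // constructed sample plaintext
let sealed = try sealRecord(secret, context: context, using: try loadKey(account: account))
let opened = try openRecord(sealed, context: context, using: try loadKey(account: account))
assert(opened == secret)

// The same ciphertext under a different record context fails authentication
// rather than yielding garbage plaintext.
do {
    _ = try openRecord(sealed, context: Data("record:43:v1".utf8), using: try loadKey(account: account))
} catch CryptoKitError.authenticationFailure {
    print("tag check failed as expected")
}
```

The nonce is random per call, so a key must not be used for an unbounded number of messages; rotating the Keychain item (and re-sealing or versioning records, which is what the context string is for) is the part CryptoKit leaves to you.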

Slide 45

https://github.com/cossacklabs/themis

Slide 46

Slide 47

Slide 48

WWDC19 sessions:
• 708: Designing for Privacy
• 709: Cryptography and Your Apps
• 703: All About Notarization
• 706: Introducing Sign In with Apple
• 701: Advances in macOS Security
• 702: System Extensions and DriverKit
• 504: What's New in Authentication, Safari, and WebKit

Slide 49

@vixentael: product engineer in security and cryptography; OSS maintainer of Themis and Acra; cryptographic tools, security engineering, datasec training
github.com/vixentael/my-talks
wwdcbysundell.com/2019/anastasiia-voitova-on-security/

Slide 50

SECURITY WORKSHOPS
• Security Basics
• Enterprise Secure Architecture
• Secure Web apps
• Secure Software Development
• Secure Mobile apps