Apple Security and Privacy

by Caesar Wirth

Slide 1

Slide 1 text

 ! & ✋ WWDC 2016 Caesar Wirth - June 30, 2016

Slide 2

Slide 2 text

Providing the Best Protections 1. What makes iOS Secure 2. Keeping your App Secure 3. Maintaining User Privacy

Slide 3

Slide 3 text

Providing the Best Protections 1. What makes iOS Secure 2. Keeping your App Secure 3. Maintaining User Privacy

Slide 4

Slide 4 text

What makes iOS Secure 1. Secure Boot 2. Data Protection 3. Sandboxing 4. Code Signing 5. Touch ID

Slide 5

Slide 5 text

What makes iOS Secure 1. Secure Boot 2. Data Protection 3. Sandboxing 4. Code Signing 5. Touch ID

Slide 6

Slide 6 text

Data Protection » Encryption key is derived from passcode » Can't be opened after 10 attemps » Entangled with hardware

Slide 7

Slide 7 text

Touch ID » Same protections as passcode » Securely linked to Secure Enclave » Fast » Easy

Slide 8

Slide 8 text

Passcode use before Touch ID

Slide 9

Slide 9 text

Passcode use after Touch ID

Slide 10

Slide 10 text

Things To Do ✅ Use Touch ID

Slide 11

Slide 11 text

Providing the Best Protections 1. What makes iOS Secure 2. Keeping your App Secure 3. Maintaining User Privacy

Slide 12

Slide 12 text

Providing the Best Protections 1. What makes iOS Secure 2. Keeping your App Secure 3. Maintaining User Privacy

Slide 13

Slide 13 text

Keeping your App Secure Third-Party Libraries

Slide 14

Slide 14 text

Keeping your App Secure Third-Party Libraries » You are responsible for the third-party code you use » AFNetworking » 25k Apps Affected

Slide 15

Slide 15 text

Things To Do ✅ Use Touch ID ✅ Know your third-party libraries

Slide 16

Slide 16 text

Keeping your App Secure App Transport Security (ATS)

Slide 17

Slide 17 text

Keeping your App Secure App Transport Security (ATS) » Enforced at end of 2016 » Update your servers! » TLS v1.2, forward secrecy, SHA-2 certificates

Slide 18

Slide 18 text

Keeping your App Secure App Transport Security (ATS) Not good enough! Explain your exceptions. eg. third-party server hasn't upgraded yet.

Slide 19

Slide 19 text

Keeping your App Secure App Transport Security (ATS) http://developer.hatenastaff.com/entry/2016/06/16/165924

Slide 20

Slide 20 text

Things To Do ✅ Use Touch ID ✅ Know your third-party libraries ✅ Update your servers!

Slide 21

Slide 21 text

Providing the Best Protections 1. What makes iOS Secure 2. Keeping your App Secure 3. Maintaining User Privacy

Slide 22

Slide 22 text

Providing the Best Protections 1. What makes iOS Secure 2. Keeping your App Secure 3. Maintaining User Privacy

Slide 23

Slide 23 text

Maintaining User Privacy Focus on trends, not individuals. » Use anonymous identifiers » Collect aggregated data

Slide 24

Slide 24 text

Maintaining User Privacy Good Identifiers » Short-lived » Anonymous » Resettable » Identify Sessions, not Users

Slide 25

Slide 25 text

Maintaining User Privacy Good Identifiers // Random every time let sessionId = UUID() // Changes when app is uninstalled let vendorId = UIDevice.current().identifierForVendor // Only for advertising!!! let adId = ASIdentifierManager.shared().advertisingIdentifier

Slide 26

Slide 26 text

Maintaining User Privacy Data Collection » Only take data that is needed » eg. event happened 5, 10, 20, 30, 50+ times, rather than 86 » Data from just 10% of users gives a good average » Collect data with with aggregates

Slide 27

Slide 27 text

Maintaining User Privacy Data Collection With Aggregates 1. Begin with data 2. Add noise 3. Server receives privatized data 4. Compute averages

Slide 28

Slide 28 text

Maintaining User Privacy Data Collection With Aggregates How Many Hours Worked Last Week Original Value: 48

Slide 29

Slide 29 text

Maintaining User Privacy Data Collection With Aggregates How Many Hours Worked Last Week Original Value: 48 Projection: ...0000001000000...

Slide 30

Slide 30 text

Maintaining User Privacy Data Collection With Aggregates How Many Hours Worked Last Week Original Value: 48 Projection: ...0000001000000... Randomized: ...0100101001001...

Slide 31

Slide 31 text

Maintaining User Privacy Data Collection with Aggregates

Slide 32

Slide 32 text

Maintaining User Privacy Data Collection with Aggregates Average = 41 hours ...0000000000100000...

Slide 33

Slide 33 text

Things To Do ✅ Use Touch ID ✅ Know your third-party libraries ✅ Update your servers! ✅ Collect data, while protecting privacy

Slide 34

Slide 34 text

Things To Do ✅ Use Touch ID ✅ Know your third-party libraries ✅ Update your servers! ✅ Collect data, while protecting privacy

Slide 35

Slide 35 text

WWDC 2016 ! & ✋ Sessions let sessionUrl = "https://developer.apple.com/videos/play/wwdc2016/\(sessionId)" » 705 - How iOS Security Really Works » 706 - What's New in Security » 709 - Engineering Privacy for Your Users

Slide 36

Slide 36 text

Thank You!