Security, privacy and cryptography at WWDC19

Apple made many announcements at WWDC 2019 about cryptography, cybersecurity and privacy. This is my recap of what developers should know and use from now on.

Read my blog post at WWDC by Sundell:
https://wwdcbysundell.com/2019/anastasiia-voitova-on-security/

Other talks and videos:
https://github.com/vixentael/my-talks

vixentael

June 14, 2019
Transcript

  1. Security, privacy and crypto
    @vixentael
    at #wwdc19

  2. @vixentael
    product engineer in security
    and cryptography
    OSS maintainer: Themis, Acra
    cryptographic tools, security
    engineering, datasec training

  3. Bespoke data security solutions
    and security engineering.

  4. @vixentael
    PRIVACY

  5. @vixentael
    developer.apple.com/app-store/review/rejections/
    apple.com/ios/app-store/principles-practices/

  6. @vixentael
    PRIVACY POLICY UPDATE
    https://developer.apple.com/news/?id=06032019j

  7. @vixentael
    PRIVACY POLICY UPDATE
    https://developer.apple.com/news/?id=06032019j

  8. @vixentael
    PRIVACY POLICY UPDATE
    https://developer.apple.com/news/?id=06032019j
    new apps – now
    existing apps – 3 September

  9. @vixentael
    WATCHOS

  10. @vixentael
    NOISE

  11. @vixentael
    SIGN IN,
    SIGN UP
    developer.apple.com/documentation/watchkit/authenticating_users_on_apple_watch

  12. @vixentael
    HOMEKIT

  13. @vixentael
    theverge.com/2019/6/3/18646453/apple-homekit-support-smart-home-security-routers-wwdc-2019

  14. @vixentael
    SIGN IN
    WITH APPLE

  15. @vixentael
    https://developer.apple.com/news/?id=06032019j
    https://twitter.com/hybridcattt/status/1139253619637854208

  16. @vixentael
    MACOS

  17. @vixentael
    https://developer.apple.com/documentation/authenticationservices/asauthorizationsinglesignonprovider
    ASAuthorizationSingleSignOnProvider

  18. @vixentael
    https://developer.apple.com/documentation/localauthentication/lapolicy/lapolicydeviceownerauthenticationwithwatch?language=objc
    LAPolicyDeviceOwnerAuthenticationWithBiometricsOrWatch

  19. @vixentael
    TLS CERTIFICATES
    https://twitter.com/BasileBailey/status/1136017729842962432
    https://support.apple.com/en-us/HT210176
    • TLS 1.3 welcome
    • RSA keys >= 2048 bits
    • no SHA-1 anymore
    • ExtendedKeyUsage required
    • max 825 days

  20. @vixentael
    FOR MACOS DEVS
    • Endpoint security framework
    • App notarization, Gatekeeper, quarantine
    • new permissions
    701: Advances in macOS Security

  21. @vixentael
    https://theevilbit.github.io/posts/getting_root_with_benign_appstore_apps/
    @patrickwardle
    THREE WORDS TO RUIN AN APPLE ENGINEER'S
    DAY: 'PATRICK WARDLE DISCLOSURE'

  22. @vixentael
    PRIVACY

  23. @vixentael
    IOS & MACOS PRIVACY UPDS
    • prevents macApps from taking screenshots
    https://krausefx.com/blog/mac-privacy-sandboxed-mac-apps-can-take-screenshots
    • prevents iOS apps from tracking location
    https://krausefx.com/blog/ios-privacy-detectlocation-an-easy-way-to-access-the-users-ios-location-data-without-actually-having-access

  24. @vixentael
    IOS & MACOS PRIVACY UPDS

  25. @vixentael
    FIND MY

  26. @vixentael
    wired.com/story/apple-find-my-cryptography-bluetooth/

  27. @vixentael
    blog.cryptographyengineering.com/2019/06/05/how-does-apple-privately-find-your-offline-devices/
    wired.com/story/apple-find-my-cryptography-bluetooth/

  28. @vixentael
    CRYPTO

  29. @vixentael
    developer.apple.com/documentation/cryptokit/

  30. @vixentael
    https://speakerdeck.com/vixentael/use-cryptography-dont-learn-it

  31. @vixentael
    developer.apple.com/documentation/cryptokit/

  32. @vixentael
    https://twitter.com/veorq/status/660028363449454592

  33. @vixentael
    wired.com/story/apple-find-my-cryptography-bluetooth/

  34. @vixentael
    CRYPTOKIT
    developer.apple.com/documentation/cryptokit/
    - CryptoKit is based on corecrypto (C, FIPS 140-2 compliant)
    - should be fast on ARM
    - high level API
    - modern crypto (AES-GCM, ChaCha20, ECC)

  35. @vixentael
    https://speakerdeck.com/vixentael/use-cryptography-dont-learn-it

  36. @vixentael
    CRYPTOKIT
    developer.apple.com/documentation/cryptokit/
    - crypto library: you still need to work hard to build the entire app
    - key management is still the dev’s pain

  37. @vixentael
    https://github.com/cossacklabs/themis

  38. • 708: Designing for Privacy
    • 709: Cryptography and Your Apps
    • 703: All About Notarization
    • 706: Introducing Sign In with Apple
    • 701: Advances in macOS Security
    • 702: System Extensions and DriverKit
    • 504: What’s New in Authentication, Safari, and WebKit

  39. @vixentael
    product engineer in security
    and cryptography
    OSS maintainer: Themis, Acra
    cryptographic tools, security
    engineering, datasec training
    github.com/vixentael/my-talks
    wwdcbysundell.com/2019/anastasiia-voitova-on-security/

  40. SECURITY WORKSHOPS
    Security Basics
    Enterprise Secure Architecture
    Secure Web apps
    Secure Software Development
    Secure Mobile apps
