Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security, privacy and cryptography at WWDC19

vixentael
June 14, 2019
Programming
1
520

Security, privacy and cryptography at WWDC19

Apple made many announcements on WWDC 2019 about cryptography, cybersecurity and privacy. This is my recap what developers should know and use from now.

Read my blog post at WWDC by Sundell:
https://wwdcbysundell.com/2019/anastasiia-voitova-on-security/

Other talks and videos:
https://github.com/vixentael/my-talks

vixentael

June 14, 2019
Tweet

More Decks by vixentael

See All by vixentael
Data is a new security boundary
vixentael
0
2.9k
Cryptographic protection of ML models
vixentael
0
2.2k
e2ee != security != privacy
vixentael
1
1.9k
Maintaining cryptographic library for 12 languages
vixentael
1
3k
10 lines of encryption, 1500 lines of key management
vixentael
2
1.3k
Data encryption: CyberKids edition
vixentael
0
460
"Defense in depth": trench warfare principles for building secure distributed applications
vixentael
3
760
Workshop: Secure Software Development: From Rookie to Hardcore in 90 Minutes
vixentael
1
920
"A death by thousand cuts"
vixentael
1
240

Other Decks in Programming

See All in Programming
Construindo APIs resilientes: práticas de versionamento e documentação
monicaribeiro
0
140
CircleCIでChatGPTにエラーの解説を頼んでみた
mfunaki
PRO
0
200
NSSpain 2023: An overview of different approaches to share code across platforms
terhechte
0
130
Domain-Driven Design (Tutorial)
hschwentner
13
18k
OpenTelemetryのバックエンドを作ってparquetと戯れている話
mrasu
0
300
CDK Day 2023 - Configure cross-account deployment using CDK
hassaku63
0
160
Node-RED in Industrial IoT
kazuhitoyokoi
0
570
拡張機能でええんちゃう?
maepon
0
220
CSS Subgridが遂に全ブラウザ対応。新時代のグリッドデザインを学ぼう
tonkotsuboy_com
6
6.9k
Next.js × AWS App Runner × AWS AppSyncで進めるクライアントファーストのWEB開発
okaharuna
6
3.1k
Migrating From Spring Boot 2 To Spring Boot 3 - What's Jakarta EE Got To Do with It?
ivargrimstad
0
800
マイクロサービス環境におけるToilを削減するTerraformの活用 in DMMプラットフォーム
pospome
1
230

Featured

See All Featured
Fontdeck: Realign not Redesign
paulrobertlloyd
74
4.6k
Agile that works and the tools we love
rasmusluckow
323
20k
Code Review Best Practice
trishagee
53
13k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
41
12k
Faster Mobile Websites
deanohume
296
29k
A Philosophy of Restraint
colly
195
15k
Clear Off the Table
cherdarchuk
81
300k
4 Signs Your Business is Dying
shpigford
172
21k
Art Directing for the Web. Five minutes with CSS Template Areas
malarkey
197
11k
Building an army of robots
kneath
300
41k
Building Applications with DynamoDB
mza
87
5.2k
The Pragmatic Product Professional
lauravandoore
23
4k

Transcript

  1. Security, privacy and crypto
    @vixentael
    at #wwdc19

    View Slide

  2. @vixentael
    product engineer in security
    and cryptography
    OSS maintainer: Themis, Acra
    cryptographic tools, security
    engineering, datasec training

    View Slide

  3. Bespoke data security solutions
    and security engineering.

    View Slide

  4. @vixentael

    View Slide

  5. @vixentael
    PRIVACY

    View Slide

  6. @vixentael

    View Slide

  7. developer.apple.com/app-store/review/rejections/ @vixentael
    apple.com/ios/app-store/principles-practices/

    View Slide

  8. @vixentael
    PRIVACY POLICY UPDATE
    https://developer.apple.com/news/?id=06032019j

    View Slide

  9. @vixentael
    PRIVACY POLICY UPDATE
    https://developer.apple.com/news/?id=06032019j

    View Slide

  10. @vixentael
    PRIVACY POLICY UPDATE
    https://developer.apple.com/news/?id=06032019j
    new apps – now
    existing apps – 3 September

    View Slide

  11. @vixentael
    WATCHOS

    View Slide

  12. @vixentael
    NOISE

    View Slide

  13. @vixentael
    SIGN IN,
    SIGN UP
    developer.apple.com/documentation/watchkit/
    authenticating_users_on_apple_watch

    View Slide

  14. @vixentael
    HOMEKIT

    View Slide

  15. @vixentael

    View Slide

  16. @vixentael
    theverge.com/2019/6/3/18646453/apple-homekit-support-smart-
    home-security-routers-wwdc-2019

    View Slide

  17. @vixentael
    SIGN IN
    WITH APPLE

    View Slide

  18. @vixentael

    View Slide

  19. @vixentael

    View Slide

  20. @vixentael

    View Slide

  21. @vixentael
    https://developer.apple.com/news/?id=06032019j
    https://twitter.com/hybridcattt/status/1139253619637854208

    View Slide

  22. @vixentael
    MACOS

    View Slide

  23. @vixentael
    https://developer.apple.com/documentation/authenticationservices/
    asauthorizationsinglesignonprovider
    ASAuthorizationSingleSignOnProvider

    View Slide

  24. @vixentael
    https://developer.apple.com/documentation/localauthentication/lapolicy/
    lapolicydeviceownerauthenticationwithwatch?language=objc
    LAPolicyDeviceOwnerAuthenticationWithBiometricsOrWatch

    View Slide

  25. @vixentael
    TLS CERTIFICATES
    https://twitter.com/BasileBailey/status/1136017729842962432
    https://support.apple.com/en-us/HT210176
    • TLS 1.3 welcome
    • RSA keys >= 2048 bits
    • no SHA-1 anymore
    • ExtendedKeyUsage required
    • max 825 days

    View Slide

  26. @vixentael
    • Endpoint security framework
    • App notarization, Gatekeeper, quarantine
    • new permissions
    701: Advances in macOS Security
    FOR MACOS DEVS

    View Slide

  27. @vixentael
    https://theevilbit.github.io/posts/getting_root_with_benign_appstore_apps/
    @patrickwardle
    THREE WORDS TO RUIN AN APPLE ENGINEER'S
    DAY: 'PATRICK WARDLE DISCLOSURE'

    View Slide

  28. @vixentael
    PRIVACY

    View Slide

  29. @vixentael
    IOS & MACOS PRIVACY UPDS
    • prevents macApps from taking screenshots
    https://krausefx.com/blog/mac-privacy-sandboxed-mac-apps-can-take-
    screenshots
    • prevents iOS apps from tracking location
    https://krausefx.com/blog/ios-privacy-detectlocation-an-easy-way-to-access-the-
    users-ios-location-data-without-actually-having-access

    View Slide

  30. @vixentael
    IOS & MACOS PRIVACY UPDS

    View Slide

  31. @vixentael
    FIND MY

    View Slide

  32. @vixentael
    wired.com/story/apple-find-my-cryptography-bluetooth/

    View Slide

  33. @vixentael
    blog.cryptographyengineering.com/2019/06/05/how-does-apple-
    privately-find-your-offline-devices/
    wired.com/story/apple-find-my-cryptography-bluetooth/

    View Slide

  34. @vixentael
    CRYPTO

    View Slide

  35. @vixentael
    developer.apple.com/documentation/cryptokit/

    View Slide

  36. @vixentael
    https://speakerdeck.com/vixentael/use-cryptography-dont-learn-it

    View Slide

  37. @vixentael
    developer.apple.com/documentation/cryptokit/

    View Slide

  38. @vixentael
    https://twitter.com/veorq/status/660028363449454592

    View Slide

  39. @vixentael

    View Slide

  40. @vixentael

    View Slide

  41. @vixentael
    wired.com/story/apple-find-my-cryptography-bluetooth/

    View Slide

  42. @vixentael
    developer.apple.com/documentation/cryptokit/
    - CryptoKit is based on corecrypto (C, FIPS 140-2
    compliant)
    - should be fast on ARM
    - high level API
    - modern crypto (AES GCM, Chacha20, ECC)
    CRYPTOKIT

    View Slide

  43. @vixentael
    https://speakerdeck.com/vixentael/use-cryptography-dont-learn-it

    View Slide

  44. @vixentael
    developer.apple.com/documentation/cryptokit/
    - crypto-library, you need to work hard to make entire
    app
    - key management is still dev’s pain
    CRYPTOKIT

    View Slide

  45. @vixentael
    https://github.com/cossacklabs/themis

    View Slide

  46. @vixentael

    View Slide

  47. @vixentael

    View Slide

  48. • 708: Designing for Privacy
    • 709: Cryptography and Your Apps
    • 703: All About Notarization
    • 706: Introducing Sign In with Apple
    • 701: Advances in macOS Security
    • 702: System Extensions and DriverKit
    • 504: What’s New in Authentication, Safari, and WebKit

    View Slide

  49. @vixentael
    product engineer in security
    and cryptography
    OSS maintainer: Themis, Acra
    cryptographic tools, security
    engineering, datasec training
    github.com/vixentael/my-talks
    wwdcbysundell.com/2019/
    anastasiia-voitova-on-security/

    View Slide

  50. Security
    Basics
    SECURITY
    WORKSHOPS
    Enterprise Secure
    Architecture
    Secure Web apps
    Secure Software
    Development
    Secure Mobile apps

    View Slide