Security, privacy and cryptography at WWDC19

Apple made many announcements at WWDC 2019 about cryptography, cybersecurity and privacy. This is my recap of what developers should know and use from now on.

Read my blog post at WWDC by Sundell:
https://wwdcbysundell.com/2019/anastasiia-voitova-on-security/

Other talks and videos:
https://github.com/vixentael/my-talks

vixentael

June 14, 2019
Transcript

  1. Security, privacy and crypto @vixentael at #wwdc19

  2. @vixentael product engineer in security and cryptography OSS maintainer: Themis, Acra cryptographic tools, security engineering, datasec training
  3. Bespoke data security solutions and security engineering.

  5. PRIVACY

  7. developer.apple.com/app-store/review/rejections/ apple.com/ios/app-store/principles-practices/

  8. PRIVACY POLICY UPDATE https://developer.apple.com/news/?id=06032019j

  10. PRIVACY POLICY UPDATE https://developer.apple.com/news/?id=06032019j
    • new apps – now
    • existing apps – 3 September

  11. WATCHOS

  12. NOISE

  13. SIGN IN, SIGN UP developer.apple.com/documentation/watchkit/authenticating_users_on_apple_watch

  14. HOMEKIT

  16. theverge.com/2019/6/3/18646453/apple-homekit-support-smart-home-security-routers-wwdc-2019

  17. SIGN IN WITH APPLE

  21. https://developer.apple.com/news/?id=06032019j https://twitter.com/hybridcattt/status/1139253619637854208

  22. MACOS

  23. ASAuthorizationSingleSignOnProvider https://developer.apple.com/documentation/authenticationservices/asauthorizationsinglesignonprovider

  24. LAPolicyDeviceOwnerAuthenticationWithBiometricsOrWatch https://developer.apple.com/documentation/localauthentication/lapolicy/lapolicydeviceownerauthenticationwithwatch?language=objc

  25. TLS CERTIFICATES https://twitter.com/BasileBailey/status/1136017729842962432 https://support.apple.com/en-us/HT210176
    • TLS 1.3 welcome
    • RSA keys >= 2048 bits
    • no SHA-1 anymore
    • ExtendedKeyUsage required
    • max 825 days

  26. FOR MACOS DEVS
    • Endpoint security framework
    • App notarization, Gatekeeper, quarantine
    • new permissions
    701: Advances in macOS Security

  27. https://theevilbit.github.io/posts/getting_root_with_benign_appstore_apps/ @patrickwardle THREE WORDS TO RUIN AN APPLE ENGINEER'S DAY: 'PATRICK WARDLE DISCLOSURE'
  28. PRIVACY

  29. IOS & MACOS PRIVACY UPDATES
    • prevents Mac apps from taking screenshots https://krausefx.com/blog/mac-privacy-sandboxed-mac-apps-can-take-screenshots
    • prevents iOS apps from tracking location https://krausefx.com/blog/ios-privacy-detectlocation-an-easy-way-to-access-the-users-ios-location-data-without-actually-having-access

  30. IOS & MACOS PRIVACY UPDATES

  31. FIND MY

  32. wired.com/story/apple-find-my-cryptography-bluetooth/

  33. blog.cryptographyengineering.com/2019/06/05/how-does-apple-privately-find-your-offline-devices/ wired.com/story/apple-find-my-cryptography-bluetooth/

  34. CRYPTO

  35. developer.apple.com/documentation/cryptokit/

  36. https://speakerdeck.com/vixentael/use-cryptography-dont-learn-it

  37. developer.apple.com/documentation/cryptokit/

  38. https://twitter.com/veorq/status/660028363449454592

  41. wired.com/story/apple-find-my-cryptography-bluetooth/

  42. CRYPTOKIT developer.apple.com/documentation/cryptokit/
    - CryptoKit is based on corecrypto (C, FIPS 140-2 compliant)
    - should be fast on ARM
    - high-level API
    - modern crypto (AES-GCM, ChaCha20, ECC)

  43. https://speakerdeck.com/vixentael/use-cryptography-dont-learn-it

  44. CRYPTOKIT developer.apple.com/documentation/cryptokit/
    - crypto library: you need to work hard to make an entire app
    - key management is still the dev’s pain

  45. https://github.com/cossacklabs/themis

  48.
    • 708: Designing for Privacy
    • 709: Cryptography and Your Apps
    • 703: All About Notarization
    • 706: Introducing Sign In with Apple
    • 701: Advances in macOS Security
    • 702: System Extensions and DriverKit
    • 504: What’s New in Authentication, Safari, and WebKit
  49. @vixentael product engineer in security and cryptography OSS maintainer: Themis, Acra cryptographic tools, security engineering, datasec training github.com/vixentael/my-talks wwdcbysundell.com/2019/anastasiia-voitova-on-security/

  50. Security Basics SECURITY WORKSHOPS Enterprise Secure Architecture Secure Web apps Secure Software Development Secure Mobile apps