Security, privacy and cryptography at WWDC19

Apple made many announcements at WWDC 2019 about cryptography, cybersecurity and privacy. This is my recap of what developers should know and use from now on.

Read my blog post at WWDC by Sundell:
https://wwdcbysundell.com/2019/anastasiia-voitova-on-security/

Other talks and videos:
https://github.com/vixentael/my-talks

vixentael

June 14, 2019

Transcript

  1. Security, privacy and crypto
    @vixentael
    at #wwdc19

  2. @vixentael
    product engineer in security
    and cryptography
    OSS maintainer: Themis, Acra
    cryptographic tools, security
    engineering, datasec training

  3. Bespoke data security solutions
    and security engineering.

  4. @vixentael

  5. @vixentael
    PRIVACY

  6. @vixentael

  7. developer.apple.com/app-store/review/rejections/ @vixentael
    apple.com/ios/app-store/principles-practices/

  8. @vixentael
    PRIVACY POLICY UPDATE
    https://developer.apple.com/news/?id=06032019j

  9. @vixentael
    PRIVACY POLICY UPDATE
    https://developer.apple.com/news/?id=06032019j

  10. @vixentael
    PRIVACY POLICY UPDATE
    https://developer.apple.com/news/?id=06032019j
    new apps – now
    existing apps – 3 September

  11. @vixentael
    WATCHOS

  12. @vixentael
    NOISE

  13. @vixentael
    SIGN IN,
    SIGN UP
    developer.apple.com/documentation/watchkit/authenticating_users_on_apple_watch

  14. @vixentael
    HOMEKIT

  15. @vixentael

  16. @vixentael
    theverge.com/2019/6/3/18646453/apple-homekit-support-smart-home-security-routers-wwdc-2019

  17. @vixentael
    SIGN IN
    WITH APPLE

  18. @vixentael

  19. @vixentael

  20. @vixentael

  21. @vixentael
    https://developer.apple.com/news/?id=06032019j
    https://twitter.com/hybridcattt/status/1139253619637854208

  22. @vixentael
    MACOS

  23. @vixentael
    ASAuthorizationSingleSignOnProvider
    https://developer.apple.com/documentation/authenticationservices/asauthorizationsinglesignonprovider

  24. @vixentael
    LAPolicyDeviceOwnerAuthenticationWithBiometricsOrWatch
    https://developer.apple.com/documentation/localauthentication/lapolicy/lapolicydeviceownerauthenticationwithwatch?language=objc

  25. @vixentael
    TLS CERTIFICATES
    https://twitter.com/BasileBailey/status/1136017729842962432
    https://support.apple.com/en-us/HT210176
    • TLS 1.3 welcome
    • RSA keys >= 2048 bits
    • no SHA-1 anymore
    • ExtendedKeyUsage required
    • max 825 days

  26. @vixentael
    FOR MACOS DEVS
    • Endpoint security framework
    • App notarization, Gatekeeper, quarantine
    • new permissions
    701: Advances in macOS Security

  27. @vixentael
    https://theevilbit.github.io/posts/getting_root_with_benign_appstore_apps/
    @patrickwardle
    THREE WORDS TO RUIN AN APPLE ENGINEER'S
    DAY: 'PATRICK WARDLE DISCLOSURE'

  28. @vixentael
    PRIVACY

  29. @vixentael
    IOS & MACOS PRIVACY UPDS
    • prevents macApps from taking screenshots
    https://krausefx.com/blog/mac-privacy-sandboxed-mac-apps-can-take-screenshots
    • prevents iOS apps from tracking location
    https://krausefx.com/blog/ios-privacy-detectlocation-an-easy-way-to-access-the-users-ios-location-data-without-actually-having-access

  30. @vixentael
    IOS & MACOS PRIVACY UPDS

  31. @vixentael
    FIND MY

  32. @vixentael
    wired.com/story/apple-find-my-cryptography-bluetooth/

  33. @vixentael
    blog.cryptographyengineering.com/2019/06/05/how-does-apple-privately-find-your-offline-devices/
    wired.com/story/apple-find-my-cryptography-bluetooth/

  34. @vixentael
    CRYPTO

  35. @vixentael
    developer.apple.com/documentation/cryptokit/

  36. @vixentael
    https://speakerdeck.com/vixentael/use-cryptography-dont-learn-it

  37. @vixentael
    developer.apple.com/documentation/cryptokit/

  38. @vixentael
    https://twitter.com/veorq/status/660028363449454592

  39. @vixentael

  40. @vixentael

  41. @vixentael
    wired.com/story/apple-find-my-cryptography-bluetooth/

  42. @vixentael
    CRYPTOKIT
    developer.apple.com/documentation/cryptokit/
    - CryptoKit is based on corecrypto (C, FIPS 140-2 compliant)
    - should be fast on ARM
    - high level API
    - modern crypto (AES GCM, ChaCha20, ECC)

  43. @vixentael
    https://speakerdeck.com/vixentael/use-cryptography-dont-learn-it

  44. @vixentael
    CRYPTOKIT
    developer.apple.com/documentation/cryptokit/
    - crypto library, you need to work hard to make an entire app
    - key management is still a dev’s pain

  45. @vixentael
    https://github.com/cossacklabs/themis

  46. @vixentael

  47. @vixentael

  48. • 708: Designing for Privacy
    • 709: Cryptography and Your Apps
    • 703: All About Notarization
    • 706: Introducing Sign In with Apple
    • 701: Advances in macOS Security
    • 702: System Extensions and DriverKit
    • 504: What’s New in Authentication, Safari, and WebKit

  49. @vixentael
    product engineer in security
    and cryptography
    OSS maintainer: Themis, Acra
    cryptographic tools, security
    engineering, datasec training
    github.com/vixentael/my-talks
    wwdcbysundell.com/2019/anastasiia-voitova-on-security/

  50. SECURITY WORKSHOPS
    • Security Basics
    • Enterprise Secure Architecture
    • Secure Web apps
    • Secure Software Development
    • Secure Mobile apps
