Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security, privacy and cryptography at WWDC19

vixentael
June 14, 2019
Programming
1
620

Security, privacy and cryptography at WWDC19

Apple made many announcements on WWDC 2019 about cryptography, cybersecurity and privacy. This is my recap what developers should know and use from now.

Read my blog post at WWDC by Sundell:
https://wwdcbysundell.com/2019/anastasiia-voitova-on-security/

Other talks and videos:
https://github.com/vixentael/my-talks

vixentael

June 14, 2019
Tweet

More Decks by vixentael

See All by vixentael
Using YubiKey and FIDO U2F for secure authentication
vixentael
0
1.1k
Data is a new security boundary
vixentael
0
4.1k
Cryptographic protection of ML models
vixentael
0
2.5k
e2ee != security != privacy
vixentael
0
2.1k
Maintaining cryptographic library for 12 languages
vixentael
1
3.4k
10 lines of encryption, 1500 lines of key management
vixentael
2
1.5k
Data encryption: CyberKids edition
vixentael
0
550
"Defense in depth": trench warfare principles for building secure distributed applications
vixentael
3
840
Workshop: Secure Software Development: From Rookie to Hardcore in 90 Minutes
vixentael
1
1k

Other Decks in Programming

See All in Programming
Folding Cheat Sheet #3
philipschwarz
PRO
0
120
SwiftUIで使いやすいToastの作り方 / How to build a Toast system which is easy to use in SwiftUI
lovee
3
100
"config" ってなんだ? / What is "config"?
okashoi
0
220
コーンフレークから始める モデリング会話入門
ogurotakayuki
0
280
try! Swift Tokyo 2024 参加報告 / try! Swift Tokyo 2024 Report
hironytic
0
180
CQRS/ES avec Symfony, c’est (trop) bien !
jeremyfreeagent
1
630
ADRを一年運用してみた/adr_after_a_year
hanhan1978
7
2.3k
PHPの次期バージョンはこの時期どうなっているのか - Internalsの開発体制について - PHPカンファレンス小田原
youkidearitai
PRO
1
180
Micro Frontends for Java Microservices - Devnexus 2024
mraible
PRO
0
430
[SF Ruby, March 2024] Rails on Wasm
palkan
0
380
try! Swift Tokyo 初参加報告LT
hinakko2
0
190
DMMプラットフォームがTiDB Cloudを採用した背景
pospome
8
3.7k

Featured

See All Featured
What's in a price? How to price your products and services
michaelherold
237
11k
Code Reviewing Like a Champion
maltzj
513
39k
Practical Orchestrator
shlominoach
181
9.7k
What the flash - Photography Introduction
edds
64
11k
GraphQLの誤解/rethinking-graphql
sonatard
50
9.2k
Testing 201, or: Great Expectations
jmmastey
27
6.3k
Reflections from 52 weeks, 52 projects
jeffersonlam
344
19k
Adopting Sorbet at Scale
ufuk
67
8.6k
Bash Introduction
62gerente
604
210k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
501
140k
GitHub's CSS Performance
jonrohan
1023
450k
Into the Great Unknown - MozCon
thekraken
10
980

Transcript

  1. Security, privacy and crypto @vixentael at #wwdc19

  2. @vixentael product engineer in security and cryptography OSS maintainer: Themis,

    Acra cryptographic tools, security engineering, datasec training

  3. Bespoke data security solutions and security engineering.

  4. @vixentael

  5. @vixentael PRIVACY

  6. @vixentael

  7. developer.apple.com/app-store/review/rejections/ @vixentael apple.com/ios/app-store/principles-practices/

  8. @vixentael PRIVACY POLICY UPDATE https://developer.apple.com/news/?id=06032019j

  9. @vixentael PRIVACY POLICY UPDATE https://developer.apple.com/news/?id=06032019j

  10. @vixentael PRIVACY POLICY UPDATE https://developer.apple.com/news/?id=06032019j new apps – now existing

    apps – 3 September

  11. @vixentael WATCHOS

  12. @vixentael NOISE

  13. @vixentael SIGN IN, SIGN UP developer.apple.com/documentation/watchkit/ authenticating_users_on_apple_watch

  14. @vixentael HOMEKIT

  15. @vixentael

  16. @vixentael theverge.com/2019/6/3/18646453/apple-homekit-support-smart- home-security-routers-wwdc-2019

  17. @vixentael SIGN IN WITH APPLE

  18. @vixentael

  19. @vixentael

  20. @vixentael

  21. @vixentael https://developer.apple.com/news/?id=06032019j https://twitter.com/hybridcattt/status/1139253619637854208

  22. @vixentael MACOS

  23. @vixentael https://developer.apple.com/documentation/authenticationservices/ asauthorizationsinglesignonprovider ASAuthorizationSingleSignOnProvider

  24. @vixentael https://developer.apple.com/documentation/localauthentication/lapolicy/ lapolicydeviceownerauthenticationwithwatch?language=objc LAPolicyDeviceOwnerAuthenticationWithBiometricsOrWatch

  25. @vixentael TLS CERTIFICATES https://twitter.com/BasileBailey/status/1136017729842962432 https://support.apple.com/en-us/HT210176 • TLS 1.3 welcome •

    RSA keys >= 2048 bits • no SHA-1 anymore • ExtendedKeyUsage required • max 825 days

  26. @vixentael • Endpoint security framework • App notarization, Gatekeeper, quarantine

    • new permissions 701: Advances in macOS Security FOR MACOS DEVS

  27. @vixentael https://theevilbit.github.io/posts/getting_root_with_benign_appstore_apps/ @patrickwardle THREE WORDS TO RUIN AN APPLE ENGINEER'S

    DAY: 'PATRICK WARDLE DISCLOSURE'

  28. @vixentael PRIVACY

  29. @vixentael IOS & MACOS PRIVACY UPDS • prevents macApps from

    taking screenshots https://krausefx.com/blog/mac-privacy-sandboxed-mac-apps-can-take- screenshots • prevents iOS apps from tracking location https://krausefx.com/blog/ios-privacy-detectlocation-an-easy-way-to-access-the- users-ios-location-data-without-actually-having-access

  30. @vixentael IOS & MACOS PRIVACY UPDS

  31. @vixentael FIND MY

  32. @vixentael wired.com/story/apple-find-my-cryptography-bluetooth/

  33. @vixentael blog.cryptographyengineering.com/2019/06/05/how-does-apple- privately-find-your-offline-devices/ wired.com/story/apple-find-my-cryptography-bluetooth/

  34. @vixentael CRYPTO

  35. @vixentael developer.apple.com/documentation/cryptokit/

  36. @vixentael https://speakerdeck.com/vixentael/use-cryptography-dont-learn-it

  37. @vixentael developer.apple.com/documentation/cryptokit/

  38. @vixentael https://twitter.com/veorq/status/660028363449454592

  39. @vixentael

  40. @vixentael

  41. @vixentael wired.com/story/apple-find-my-cryptography-bluetooth/

  42. @vixentael developer.apple.com/documentation/cryptokit/ - CryptoKit is based on corecrypto (C, FIPS

    140-2 compliant) - should be fast on ARM - high level API - modern crypto (AES GCM, Chacha20, ECC) CRYPTOKIT

  43. @vixentael https://speakerdeck.com/vixentael/use-cryptography-dont-learn-it

  44. @vixentael developer.apple.com/documentation/cryptokit/ - crypto-library, you need to work hard to

    make entire app - key management is still dev’s pain CRYPTOKIT

  45. @vixentael https://github.com/cossacklabs/themis

  46. @vixentael

  47. @vixentael

  48. • 708: Designing for Privacy • 709: Cryptography and Your

    Apps • 703: All About Notarization • 706: Introducing Sign In with Apple • 701: Advances in macOS Security • 702: System Extensions and DriverKit • 504: What’s New in Authentication, Safari, and WebKit

  49. @vixentael product engineer in security and cryptography OSS maintainer: Themis,

    Acra cryptographic tools, security engineering, datasec training github.com/vixentael/my-talks wwdcbysundell.com/2019/ anastasiia-voitova-on-security/

  50. Security Basics SECURITY WORKSHOPS Enterprise Secure Architecture Secure Web apps

    Secure Software Development Secure Mobile apps