Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security, privacy and cryptography at WWDC19

Avatar for vixentael vixentael
June 14, 2019
Programming
1
780

Security, privacy and cryptography at WWDC19

Apple made many announcements on WWDC 2019 about cryptography, cybersecurity and privacy. This is my recap what developers should know and use from now.

Read my blog post at WWDC by Sundell:
https://wwdcbysundell.com/2019/anastasiia-voitova-on-security/

Other talks and videos:
https://github.com/vixentael/my-talks
Avatar for vixentael

vixentael

June 14, 2019
Tweet

More Decks by vixentael

See All by vixentael
Using YubiKey and FIDO U2F for secure authentication
Avatar for vixentael vixentael
0
2.1k
Data is a new security boundary
Avatar for vixentael vixentael
0
6.7k
Cryptographic protection of ML models
Avatar for vixentael vixentael
0
3.2k
e2ee != security != privacy
Avatar for vixentael vixentael
0
2.4k
Maintaining cryptographic library for 12 languages
Avatar for vixentael vixentael
1
4.2k
10 lines of encryption, 1500 lines of key management
Avatar for vixentael vixentael
2
1.9k
Data encryption: CyberKids edition
Avatar for vixentael vixentael
0
700
"Defense in depth": trench warfare principles for building secure distributed applications
Avatar for vixentael vixentael
3
960
Workshop: Secure Software Development: From Rookie to Hardcore in 90 Minutes
Avatar for vixentael vixentael
1
1.2k

Other Decks in Programming

See All in Programming
最速Green Tea 🍵 Garbage Collector
Avatar for kuro kuro_kurorrr
1
150
データと事例で振り返るDevin導入の"リアル" / The Realities of Devin Reflected in Data and Case Studies
Avatar for r-kagaya rkaga
3
2.6k
Golangci-lint v2爆誕: 君たちはどうすべきか
Avatar for logica / Takuto Nagami logica0419
1
280
Flutterでllama.cppをつかってローカルLLMを試してみた
Avatar for sakuraidayo sakuraidayo
0
150
note の Elasticsearch 更新系を支える技術
Avatar for chov(Kohei T) tchov
9
3.6k
Serving TUIs over SSH with Go
Avatar for Carlos Alexandro Becker caarlos0
0
760
CRUD から CQRS へ ~ 分離が可能にする柔軟性
Avatar for Takashi Kawae tkawae
0
100
AI時代のリアーキテクチャ戦略 / Re-architecture Strategy in the AI Era
Avatar for dachi023 dachi023
0
130
設計の本質:コード、システム、そして組織へ / The Essence of Design: To Code, Systems, and Organizations
Avatar for nrs nrslib
10
3.9k
医療系ソフトウェアのAI駆動開発
Avatar for kouki.miura koukimiura
1
140
状態と共に暮らす:ステートフルへの挑戦
Avatar for ypresto ypresto
3
1.3k
個人開発の学生アプリが企業譲渡されるまで
Avatar for akidon0000 akidon0000
2
1.2k

Featured

See All Featured
Side Projects
Avatar for Sacha Greif sachag
453
42k
A Tale of Four Properties
Avatar for Chris Coyier chriscoyier
159
23k
YesSQL, Process and Tooling at Scale
Avatar for Rocio Delgado rocio
172
14k
Speed Design
Avatar for Sergey Chernyshev sergeychernyshev
29
940
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
Avatar for Stéphanie Walter stephaniewalter
280
13k
Done Done
Avatar for chrislema chrislema
184
16k
Designing for humans not robots
Avatar for Tammie Lister tammielis
253
25k
Making the Leap to Tech Lead
Avatar for Ryan Cromwell cromwellryan
133
9.3k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
Avatar for Marc Duiker marcduiker
30
2k
The Pragmatic Product Professional
Avatar for Laura Van Doore lauravandoore
33
6.6k
How to Think Like a Performance Engineer
Avatar for Harry Roberts csswizardry
23
1.6k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
Avatar for Vitaly Friedman smashingmag
251
21k

Transcript

  1. Security, privacy and crypto @vixentael at #wwdc19

  2. @vixentael product engineer in security and cryptography OSS maintainer: Themis,

    Acra cryptographic tools, security engineering, datasec training

  3. Bespoke data security solutions and security engineering.

  4. @vixentael

  5. @vixentael PRIVACY

  6. @vixentael

  7. developer.apple.com/app-store/review/rejections/ @vixentael apple.com/ios/app-store/principles-practices/

  8. @vixentael PRIVACY POLICY UPDATE https://developer.apple.com/news/?id=06032019j

  9. @vixentael PRIVACY POLICY UPDATE https://developer.apple.com/news/?id=06032019j

  10. @vixentael PRIVACY POLICY UPDATE https://developer.apple.com/news/?id=06032019j new apps – now existing

    apps – 3 September

  11. @vixentael WATCHOS

  12. @vixentael NOISE

  13. @vixentael SIGN IN, SIGN UP developer.apple.com/documentation/watchkit/ authenticating_users_on_apple_watch

  14. @vixentael HOMEKIT

  15. @vixentael

  16. @vixentael theverge.com/2019/6/3/18646453/apple-homekit-support-smart- home-security-routers-wwdc-2019

  17. @vixentael SIGN IN WITH APPLE

  18. @vixentael

  19. @vixentael

  20. @vixentael

  21. @vixentael https://developer.apple.com/news/?id=06032019j https://twitter.com/hybridcattt/status/1139253619637854208

  22. @vixentael MACOS

  23. @vixentael https://developer.apple.com/documentation/authenticationservices/ asauthorizationsinglesignonprovider ASAuthorizationSingleSignOnProvider

  24. @vixentael https://developer.apple.com/documentation/localauthentication/lapolicy/ lapolicydeviceownerauthenticationwithwatch?language=objc LAPolicyDeviceOwnerAuthenticationWithBiometricsOrWatch

  25. @vixentael TLS CERTIFICATES https://twitter.com/BasileBailey/status/1136017729842962432 https://support.apple.com/en-us/HT210176 • TLS 1.3 welcome •

    RSA keys >= 2048 bits • no SHA-1 anymore • ExtendedKeyUsage required • max 825 days

  26. @vixentael • Endpoint security framework • App notarization, Gatekeeper, quarantine

    • new permissions 701: Advances in macOS Security FOR MACOS DEVS

  27. @vixentael https://theevilbit.github.io/posts/getting_root_with_benign_appstore_apps/ @patrickwardle THREE WORDS TO RUIN AN APPLE ENGINEER'S

    DAY: 'PATRICK WARDLE DISCLOSURE'

  28. @vixentael PRIVACY

  29. @vixentael IOS & MACOS PRIVACY UPDS • prevents macApps from

    taking screenshots https://krausefx.com/blog/mac-privacy-sandboxed-mac-apps-can-take- screenshots • prevents iOS apps from tracking location https://krausefx.com/blog/ios-privacy-detectlocation-an-easy-way-to-access-the- users-ios-location-data-without-actually-having-access

  30. @vixentael IOS & MACOS PRIVACY UPDS

  31. @vixentael FIND MY

  32. @vixentael wired.com/story/apple-find-my-cryptography-bluetooth/

  33. @vixentael blog.cryptographyengineering.com/2019/06/05/how-does-apple- privately-find-your-offline-devices/ wired.com/story/apple-find-my-cryptography-bluetooth/

  34. @vixentael CRYPTO

  35. @vixentael developer.apple.com/documentation/cryptokit/

  36. @vixentael https://speakerdeck.com/vixentael/use-cryptography-dont-learn-it

  37. @vixentael developer.apple.com/documentation/cryptokit/

  38. @vixentael https://twitter.com/veorq/status/660028363449454592

  39. @vixentael

  40. @vixentael

  41. @vixentael wired.com/story/apple-find-my-cryptography-bluetooth/

  42. @vixentael developer.apple.com/documentation/cryptokit/ - CryptoKit is based on corecrypto (C, FIPS

    140-2 compliant) - should be fast on ARM - high level API - modern crypto (AES GCM, Chacha20, ECC) CRYPTOKIT

  43. @vixentael https://speakerdeck.com/vixentael/use-cryptography-dont-learn-it

  44. @vixentael developer.apple.com/documentation/cryptokit/ - crypto-library, you need to work hard to

    make entire app - key management is still dev’s pain CRYPTOKIT

  45. @vixentael https://github.com/cossacklabs/themis

  46. @vixentael

  47. @vixentael

  48. • 708: Designing for Privacy • 709: Cryptography and Your

    Apps • 703: All About Notarization • 706: Introducing Sign In with Apple • 701: Advances in macOS Security • 702: System Extensions and DriverKit • 504: What’s New in Authentication, Safari, and WebKit

  49. @vixentael product engineer in security and cryptography OSS maintainer: Themis,

    Acra cryptographic tools, security engineering, datasec training github.com/vixentael/my-talks wwdcbysundell.com/2019/ anastasiia-voitova-on-security/

  50. Security Basics SECURITY WORKSHOPS Enterprise Secure Architecture Secure Web apps

    Secure Software Development Secure Mobile apps