Apple Security and Privacy

Transcript

1.  ! & ✋ WWDC 2016 Caesar Wirth - June

   30, 2016

2. Providing the Best Protections 1. What makes iOS Secure 2.

   Keeping your App Secure 3. Maintaining User Privacy

3. Providing the Best Protections 1. What makes iOS Secure 2.

   Keeping your App Secure 3. Maintaining User Privacy

4. What makes iOS Secure 1. Secure Boot 2. Data Protection

   3. Sandboxing 4. Code Signing 5. Touch ID

5. What makes iOS Secure 1. Secure Boot 2. Data Protection

   3. Sandboxing 4. Code Signing 5. Touch ID

6. Data Protection » Encryption key is derived from passcode »

   Can't be opened after 10 attemps » Entangled with hardware

7. Touch ID » Same protections as passcode » Securely linked

   to Secure Enclave » Fast » Easy

8. Passcode use before Touch ID

9. Passcode use after Touch ID

10. Things To Do ✅ Use Touch ID

11. Providing the Best Protections 1. What makes iOS Secure 2.

    Keeping your App Secure 3. Maintaining User Privacy

12. Providing the Best Protections 1. What makes iOS Secure 2.

    Keeping your App Secure 3. Maintaining User Privacy

13. Keeping your App Secure Third-Party Libraries

14. Keeping your App Secure Third-Party Libraries » You are responsible

    for the third-party code you use » AFNetworking » 25k Apps Affected

15. Things To Do ✅ Use Touch ID ✅ Know your

    third-party libraries

16. Keeping your App Secure App Transport Security (ATS)

17. Keeping your App Secure App Transport Security (ATS) » Enforced

    at end of 2016 » Update your servers! » TLS v1.2, forward secrecy, SHA-2 certificates

18. Keeping your App Secure App Transport Security (ATS) Not good

    enough! Explain your exceptions. eg. third-party server hasn't upgraded yet.

19. Keeping your App Secure App Transport Security (ATS) http://developer.hatenastaff.com/entry/2016/06/16/165924

20. Things To Do ✅ Use Touch ID ✅ Know your

    third-party libraries ✅ Update your servers!

21. Providing the Best Protections 1. What makes iOS Secure 2.

    Keeping your App Secure 3. Maintaining User Privacy

22. Providing the Best Protections 1. What makes iOS Secure 2.

    Keeping your App Secure 3. Maintaining User Privacy

23. Maintaining User Privacy Focus on trends, not individuals. » Use

    anonymous identifiers » Collect aggregated data

24. Maintaining User Privacy Good Identifiers » Short-lived » Anonymous »

    Resettable » Identify Sessions, not Users

25. Maintaining User Privacy Good Identifiers // Random every time let

    sessionId = UUID() // Changes when app is uninstalled let vendorId = UIDevice.current().identifierForVendor // Only for advertising!!! let adId = ASIdentifierManager.shared().advertisingIdentifier

26. Maintaining User Privacy Data Collection » Only take data that

    is needed » eg. event happened 5, 10, 20, 30, 50+ times, rather than 86 » Data from just 10% of users gives a good average » Collect data with with aggregates

27. Maintaining User Privacy Data Collection With Aggregates 1. Begin with

    data 2. Add noise 3. Server receives privatized data 4. Compute averages

28. Maintaining User Privacy Data Collection With Aggregates How Many Hours

    Worked Last Week Original Value: 48

29. Maintaining User Privacy Data Collection With Aggregates How Many Hours

    Worked Last Week Original Value: 48 Projection: ...0000001000000...

30. Maintaining User Privacy Data Collection With Aggregates How Many Hours

    Worked Last Week Original Value: 48 Projection: ...0000001000000... Randomized: ...0100101001001...

31. Maintaining User Privacy Data Collection with Aggregates

32. Maintaining User Privacy Data Collection with Aggregates Average = 41

    hours ...0000000000100000...

33. Things To Do ✅ Use Touch ID ✅ Know your

    third-party libraries ✅ Update your servers! ✅ Collect data, while protecting privacy

34. Things To Do ✅ Use Touch ID ✅ Know your

    third-party libraries ✅ Update your servers! ✅ Collect data, while protecting privacy

35. WWDC 2016 ! & ✋ Sessions let sessionUrl = "https://developer.apple.com/videos/play/wwdc2016/\(sessionId)"

    » 705 - How iOS Security Really Works » 706 - What's New in Security » 709 - Engineering Privacy for Your Users

36. Thank You!