Latest reply on Jun 15, 2016 3:05 AM by rtrouton
rtrouton Level 1 (0 points)

Lucia Ballard - Secure Transports Engineering Manager

Simon Cooper - Trusted Execution Engineering Manager

Network Security on iOS

Cryptography APIs

Platform security on macOS

Secure Communications (iOS)

HTTPS is the new HTTP

- Confidentiality
- Data integrity
- Not all HTTPS is created equal.

Current standards:

For NSURLSession and NSURLConnection APIs

- Use TLSv1.2
- Strong crypto - AES-128 and certificates signed with SHA-2
- Forward secrecy - ECDHE

Exceptions - global or for particular domains

App Transport Security Enforcement

Enforced at the end of 2016 for MAS apps
Reasonable justification required for most exceptions

Example - communicating with a specific third-party service, which isn't (yet) compliant.

New exceptions to make it easier:

- Streaming media using AVFoundation
- Web content exception using WKWebView

Watch video for plist key to use for WKWebView.

RC4 now disabled by default
SSLv3 disabled in Secure Transport

Other algorithms are starting to show their age and are being deprecated:

- SHA-1
- 3DES

Now is the time to upgrade your servers to drop dependencies on the deprecated algorithms.

Strong TLS is not enough
Certificate ensures that you're talking to the right server.

Certificate Transparency

Publicly verifiable logs of issued certificates
Anyone can submit a certificate to a log

Client can check for proof that the certificate has been logged

In the certificate itself
Via OCSP
Third item listed (By checking with the CA? watch video)

You can require Certificate Transparency through App Transport Security

Proofs from at least two logs
More info available at certificate-transparency.org: https://www.certificate-transparency.org

Certificate Transparency does not replace revocation

Recommended practice - OCSP stapling: https://en.wikipedia.org/wiki/OCSP_stapling

Benefits of using OCSP stapling

Reliable, quick revocation information
Protects user privacy
Deliver certificate transparency proofs
Widely supported and backwards-compatible
- Fully supported on all Apple platforms

Cryptographic improvements

SecKey and smart cards

SecKey Improvements

API for asymmetric keys
- Unification of macOS and iOS API
- Support for coming operations

Replacement for CDSA

System support for cryptographic devices

Smart cards, USB crypto tokens

Out of the box integration with system services
- Token content available via keychain

More info available, watch video

How software is delivered (macOS)

Get apps from the MAS
Get Developer ID-signed apps outside the MAS
Use Xcode to build apps
Use traditional Unix tools to build apps

Developer ID:

Allows signed apps to be delivered outside the MAS
Usually downloaded
Developer ID Signing Identity
Developer ID-signed apps treated specially by Gatekeeper

iCloud for Developer ID

Developer ID can now use iCloud features

iCloud-enabled apps can now be delivered outside of the MAS

Developer ID-signed apps can now share data with iOS iCloud-enabled apps

iCloud Development testing can begin today.

iCloud Deployment
- Testing coming in upcoming seeds
- Distribution using GM tools

Gatekeeper

What is Gatekeeper?

Controls which software is allowed to run on your Mac

- MAS (Mac App Store)
- MAS and identified developers
- Anywhere

Changes to Gatekeeper in Sierra

- MAS
- MAS and identified developers

Can still open anyway

Allow from anywhere can still be enabled via the command line

Repacking problem
Gatekeeper enhancement to accommodate

Correctly signed apps may reference unsigned external resources (code, libraries, plug-ins, HTML content, Python scripts, AppleScripts, etc.). The unsigned external resources may be malicious.

Not affected:

- From the MAS
- In a signed Apple installer package

Affected:

ZIP
Disk image (.dmg)
ISO disk image
Other archive format

Apple needs help from developers to address this issue.

- Switch to using disk image
- Disk images can now be signed
- .dmg signing available if using 10.11.5 or later

Use the codesign command line tool
Signatures are embedded
Backwards compatible with older OS versions

Distributing an app bundle?

Distribute via the MAS
Signed ZIP or disk image
Signed installer package

Adding personalization or licensing information
Use extended attribute on bundle root - see TN2206 - developer.apple.com/library/mac/technotes/tn2206/_index.html
Sign a personalized disk image

Gatekeeper enhancement to address repacking problem

Gatekeeper path randomization
Supplements existing Gatekeeper protections

No change for MAS apps
No change for previously run apps

Applies to newly-downloaded apps
Applies to apps on unsigned disk images

When the app is launched from an unsigned disk image, the app is randomly relocated to another place on the filesystem. This breaks the app's ability to locate and access the external resource.

This behavior does not occur if you run from a signed disk image.

See complete list of session and lab notes here:
https://forums.developer.apple.com/message/142899
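An added example, not part of these notes or of Apple's session material, for the App Transport Security portion above: a small audit that reads an app's Info.plist and reports every place the ATS defaults (TLSv1.2, forward secrecy, no plaintext HTTP) have been relaxed, and where Certificate Transparency has been switched on. It uses only the standard library `plistlib`. The sample Info.plist is constructed for the demo. The key names `NSAllowsArbitraryLoadsForMedia`, `NSAllowsArbitraryLoadsInWebContent` and `NSRequiresCertificateTransparency` are the ATS keys for the AVFoundation, WKWebView and Certificate Transparency settings as I know them from Apple's documentation; the notes themselves only say "watch video for plist key", so treat them as an assumption to verify against the current ATS reference.

```python
import plistlib

# Constructed sample Info.plist (not taken from the session): one WKWebView
# exception, one legacy domain that weakens everything, one domain that opts
# into Certificate Transparency.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.atsdemo</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoadsInWebContent</key>
    <true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
        <key>NSExceptionMinimumTLSVersion</key>
        <string>TLSv1.0</string>
        <key>NSExceptionRequiresForwardSecrecy</key>
        <false/>
      </dict>
      <key>api.example.com</key>
      <dict>
        <key>NSRequiresCertificateTransparency</key>
        <true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Ordering used to decide whether a per-domain minimum is below the default.
TLS_ORDER = {"TLSv1.0": 0, "TLSv1.1": 1, "TLSv1.2": 2, "TLSv1.3": 3}


def audit_ats(plist_bytes):
    """Return (severity, message) findings for the NSAppTransportSecurity dict.

    severity is 'global' (whole-app relaxation), 'domain' (per-domain
    relaxation) or 'info' (a hardening the reviewer should know about).
    """
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []

    # Global switch: turns ATS off for every connection; App Review wants a reason.
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append(("global", "NSAllowsArbitraryLoads disables ATS for all "
                                   "connections; needs justification at review"))

    # Narrower 2016 exceptions (key names assumed, see lead-in): only the named
    # subsystem is relaxed, NSURLSession/NSURLConnection traffic stays protected.
    for key, scope in (("NSAllowsArbitraryLoadsForMedia", "AVFoundation media"),
                       ("NSAllowsArbitraryLoadsInWebContent", "WKWebView content")):
        if ats.get(key):
            findings.append(("global", f"{key} relaxes ATS for {scope} only; "
                                       "NSURLSession traffic stays protected"))

    # Per-domain exceptions; defaults when a key is absent are the ATS defaults.
    for domain, rules in sorted(ats.get("NSExceptionDomains", {}).items()):
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(("domain", f"{domain}: plaintext HTTP allowed "
                                       "(no confidentiality or integrity)"))
        min_tls = rules.get("NSExceptionMinimumTLSVersion", "TLSv1.2")
        if TLS_ORDER.get(min_tls, -1) < TLS_ORDER["TLSv1.2"]:
            findings.append(("domain", f"{domain}: minimum TLS version lowered to {min_tls}"))
        if rules.get("NSExceptionRequiresForwardSecrecy", True) is False:
            findings.append(("domain", f"{domain}: forward secrecy (ECDHE) not required"))
        if rules.get("NSRequiresCertificateTransparency"):
            findings.append(("info", f"{domain}: Certificate Transparency proofs "
                                     "required (stricter than default)"))
    return findings


def has_weakening(findings):
    """True if any finding lowers the ATS baseline (ignores 'info' entries)."""
    return any(sev in ("global", "domain") for sev, _ in findings)


if __name__ == "__main__":
    for sev, msg in audit_ats(SAMPLE_INFO_PLIST):
        print(f"[{sev}] {msg}")
```

Run it against a real bundle with `audit_ats(open("MyApp.app/Contents/Info.plist", "rb").read())`; anything reported as `global` or `domain` is an exception that needs the "reasonable justification" the notes mention, while `info` entries are the CT opt-in that the notes say ATS can enforce.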