0 Replies
      Latest reply on Jun 15, 2016 3:05 AM by rtrouton
      rtrouton Level 1 Level 1 (0 points)

        Lucia Ballard - Secure Transports Engineering Manager

        Simon Cooper - Trusted Execution Engineering Manager



        Network Security on iOS

        Cryptography APIs

        Platform security on macOS



        Secure Communications (iOS)



        HTTPS is the new HTTP

        - Confidentiality

        - Data integrity

        - Not all HTTPS is created equal.



        Current standards:



        For NSURLSession and NSURLConnection APIs



        - Use TLSv1.2

        - Strong crypto - AES-128 and certificates signed with SHA-2

        - Forward secrecy - ECDHE



        Exceptions - global or for particular domains



        App Transport Security Enforcement



        Enforced at the end of 2016 for MAS apps

        Reasonable justification required for most exceptions



        Example - communicating with a specific third-party service, which isn't (yet) compliant.



        New exceptions to make it easier:



        - Streaming media using AVFoundation

        - Web content exception using WKWebView



        Watch video for plist key to use for WKWebView.



        RC4 now disabled by default

        SSLv3 disabled in Secure Transport



        Other algorithms are starting to show their age and are being deprecated:



        - SHA-1

        - 3DES



        Now is the time to upgrade your servers to drop dependencies on the deprecated algorithms.



        Strong TLS is not enough

        Certificate ensures that you're talking to the right server.



        Certificate Transparency



        Public verifiable lots of issued certificates

        Anyone can submit a certificate to a log



        Client can check for proof that the certificate has been logged



        In the certificate itself

        Via OCSP

        Third item listed (By checking with the CA? watch video)





        You can require Certificate Transparency through App Transport Security



        Proofs from at least two logs

        More info available at certificate-transparency.org: https:// www. certificate-transparency. org



        Certificate Transparency does not replace revocation



        Recommended practice - OCSP stapling: https:// en. wikipedia .org /wiki /OCSP_stapling



        Benefits of using OCSP stapling



        Reliable, quick revocation information

        Protects user privacy

        Deliver certificate transparency proofs

        Widely supported and backwards-compatible

        - Fully supported on all Apple platforms





        Cryptographic improvements



        SecKey and smart cards



        SecKey Improvements



        API for asymmetric keys

        - Unification of macOS and iOS API

        - Support for coming operations



        Replacement for CDSA



        System support for cryptographic devices



        Smart cards, USB crypto tokens



        Out of the box integration with system services

        - Token content available via keychain



        More info available, watch video





        How software is delivered (macOS)



        Get apps from the MAS

        Get Developer ID-signed apps outside the MAS

        Use Xcode to build apps

        Use traditional Unix tools to build apps



        Developer ID:



        Allows signed apps to be delivered outside the MAS

        Usually downloaded

        Developer ID Signing Identity

        Developer ID-signed apps treated specially by Gatekeeper



        iCloud for Developer ID



        Developer ID can now use iCloud features



        iCloud-enabled apps can now be delivered outside of the MAS



        Developer ID-signed apps can now share data with iOS iCloud-enabled apps



        iCloud Development testing can begin today.



        iCloud Deployment

        - Testing coming in upcoming seeds

        - Distribution using GM tools






        What is Gatekeeper?



        Controls which software is allowed to run on your Mac



        - MAS (Mac App Store)

        - MAS and identified developers

        - Anywhere



        Changes to Gatekeeper in Sierra



        - MAS

        - MAS and identified developers



        Can still open anyway



        Allow from anywhere can still be enabled via the command line



        Repacking problem

        Gatekeeper enhancement to accomodate



        Correctly signed apps may reference unsigned external resources (code, libraries, plug-ins, HTML content, Python scripts, AppleScripts, etc.) The unsigned external resources may be malicious.



        Not affected:



        - From the MAS

        - In a signed Apple installer package







        Disk image (.dmg)

        ISO disk image

        Other archive format



        Apple needs help from developers to address this issue.



        - Switch to using disk image

        - Disk images can now be signed

        - .dmg signing available if using 10.11.5 or later



        Use the codesign command line tool

        Signatures are embedded

        Backwards compatible with older OS versions



        Distributing an app bundle?



        Distribute via the MAS

        Signed ZIP or disk image

        Signed installer package



        Adding personalization or licensing information

        Use extended attribute on bundle root - see TN2206 - developer .apple .com /library /mac /technotes /tn2206 /_index.html

        Sign a personalized disk image



        Gatekeeper enhancement to address repacking problem



        Gatekeeper path randomization

        Supplements existing Gatekeeper protections



        No change for MAS apps

        No change for previously run apps



        Applies to newly-downloaded apps

        Applies to apps on unsigned disk images



        When the app is launched from an unsigned disk image, the app is randomly relocated to another place on the filesystem. This breaks the app's ability to locate and access the external resource.



        This behavior does not occur if you run from a signed disk image.



        See complete list of session and lab notes here: