KKBOX WWDC17 Security - Antony

Post on 22-Jan-2018

TRANSCRIPT

WWDC 2017
2017/07/21 - Antony Chuang

Outline
- Your Apps and Evolving Network Security Standards
- Privacy and Your Apps
- Advances in Networking
- What's new in Apple Pay Wallet


Your Apps and Evolving Network Security Standards
- Best Practices
- App Transport Security
- Transport Layer Security

Best Practices - Revocation: Online Certificate Status Protocol (OCSP)
- Additional network connection
- Compromises user privacy
- Requires app opt-in

Best Practices - Revocation: Online Certificate Status Protocol Stapling (OCSP Stapling)
- Slow adoption
- Malicious server

Best Practices - Revocation: Certificate Transparency Log
- Reduced privacy compromise
- Automatic updating
- Faster connections

Certificate in iOS: https://support.apple.com/en-us/HT204132

Best Practices - Trust Removals
- SHA-1 signed certificates for TLS
- Certificates using
Not affected
- Root certificates
- Enterprise-distributed certificates
- User-installed certificates
- Client certificates
Affected
- InvalidCertChain (-9807) SSL errors with URLSession

Best Practices - What to Do Now?
- Check implementations, libraries, and servers
- Avoid ATS exceptions

App Transport Security - Update
- Exceptions narrow down to per domain
- Exceptions expansion beyond WebKit (Certificate Transparency requirement)
  - AVFoundation loads
  - WebView request
  - Local network connection

ATS-Compliant Services

Transport Layer Security

Enable TLS 1.3 Beta
- Not on by default
- iOS: https://developer.apple.com/go/?id=tls13-mobile-profile
- macOS: defaults write /Library/Preferences/com.apple.networkd tcp_connect_enable_tls13 1


Privacy and Your Apps

Prompting with Purpose - iOS 10

Prompting with Purpose - iOS 11

Prompting with Purpose - Location
- Support When In Use location authorization
- NSLocationWhenInUseUsageDescription
- NSLocationAlwaysAndWhenInUseUsageDescription
- When In Use location authorization undefined in iOS 10
- When In Use location and Always authorization both defined in iOS 10

Photo Library access in iOS 11
- Image picker without prompting for access
- Write only support
- Authorization will be reset on upgrade

Photo Library write only access in iOS 11
- NSPhotoLibraryAddUsageDescription
- UIImageWriteToSavedPhotosAlbum
- UISaveVideoAtPathToSavedPhotosAlbum

Core NFC
- NFCReaderUsageDescription
- Scan for nearby NFC tags
- In the foreground

Microphone - watchOS
- Recording allowed to continue in the background
- Recording possible without the built-in modal UI
- Requires microphone authorization
- Indicator on watch face

Safari View Controller
- Safari and other apps get their own cookies and website data
- Clearing website data in Safari also clears the data in your app

On-Device Processing
- CoreML
- VisionKit
- ARKit
- NLP

DeviceCheck
- iOS, tvOS
- Per device, per developer data stored by Apple
- Two bits and a timestamp
- Update bit state
- Request to Apple to query bit state
- Response from Apple with the bit state
- Handle resold or transferred devices
- Relevancy based on age
- Part of your app logic, not sole source


Advances in Networking
- Explicit Congestion Notification
- IPv6
- Networking stack changes
- New Network Extension facilities
- Multipath protocols for multipath devices
- URLSession

Explicit Congestion Notification

IPv6

Networking stack changes

New Network Extension facilities - NEHotspotConfiguration

New Network Extension facilities - NEDNSProxyProvider
- Receives the system's DNS query messages
- Handles them as it wishes
  - Can send to recursive resolver of its choice
  - Can send using protocol of its choice
    - DNS over TLS
    - DNS over HTTP

Multipath protocols for multipath devices
- Triggered by Marginal Wi-Fi
- Fittest Wins Out contest between Wi-Fi and Cell
- Wi-Fi has head start over Cell
- On a flow by flow basis, at flow setup time

Multipath TCP
- Built on top of TCP
  - Reliability
  - Congestion control
- Seamless handover from Wi-Fi to Cell
- Chooses optimal interface for latency-sensitive flows
- MPTCP schedules traffic across the interfaces
- One TCP subflow per interface
- MPTCP creates/destroys subflows

Multipath TCP in Siri
- Implemented since iOS 7 for Siri
- User feedback (time to first word) 20% faster in the 95th percentile
- 5x reduction in network failures

Multipath TCP in iOS 11
- Server support
- Multipath service types
  - Handover Mode
  - Interactive Mode
- URLSession API

Multipath TCP - Server support

Multipath service types in iOS 11
- Handover Mode for high reliability
- Interactive Mode for low latency

Multipath service types - Handover
- Reliability for persistent connections
- Minimal cell usage
- Available in Beta 1

Multipath service types - Interactive
- Low latency for low-volume interactive flows
- Wi-Fi and cellular
- Available in an upcoming Beta

URLSession support

Multipath service types - Aggregation
- Combines link capacities
- Available through developer settings
- Starting in an upcoming Beta

URLSession - Current
- Failures caused by weak connectivity
  - NSURLErrorNotConnectedToInternet
  - NSURLErrorCannotConnectToHost
- Manual retry by the user, or monitoring conditions with SCNetworkReachability

URLSession
- New URLSessionConfiguration property: var waitsForConnectivity: Bool
- New URLSessionTaskDelegate method (optional): urlSession(_:taskIsWaitingForConnectivity:)
- Recommendation
  - Always enable waitsForConnectivity
- Exception
  - Requests that must be completed immediately, like transaction

URLSessionTask Scheduling API
- New URLSessionTask property: var earliestBeginDate: Date?
- New URLSessionTaskDelegate method (optional), called only when earliestBeginDate has been set: urlSession(_:task:willBeginDelayedRequest:completionHandler:)
- New properties for better scheduling by the system
  - var countOfBytesClientExpectsToSend: Int64
  - var countOfBytesClientExpectsToReceive: Int64
  - NSURLSessionTransferSizeUnknown if cannot be estimated

URLSessionTask Progress
- URLSessionTask implements ProgressReporting protocol
  - class URLSessionTask : NSObject, NSCopying, ProgressReporting
  - public var progress: Progress { get }
- Progress state management methods change URLSessionTask state

URLSession Enhancements
- ProgressReporting
- Brotli compression
  - Requires HTTPS (TLS)
- Public Suffix List updates


What's new in Apple Pay Wallet

Apple Pay for Donations
- Accept donations for your nonprofit simply and securely
- Available within apps and on the web
- New donation button style
- https://developer.apple.com/support/apple-pay-nonprofits/

Apple Pay Make Purchasing Easier

Other Benefits Of Apple Pay
- Reduction in chargebacks
- No need to handle or store credit card numbers
- Trusted user experience

Apple Pay - Buttons

Apple Pay - Inline Setup
- Apple Pay setup is now offered automatically
- Simply present an Apple Pay sheet to a user without cards
- Users are returned to your Apple Pay purchase immediately after setup
- Still faster than a typical manual checkout

Apple Pay - Payment Errors
- Payment instrument failed to process
- Billing address didn't match
- Email address was invalid
- Postal address had an incorrect ZIP
- Telephone was missing an area code

Apple Pay - Custom Errors
- Gracefully handle invalid or incorrect data directly in Apple Pay
- Display custom error messages
- Direct users to the specific fields that need correction
- New callback

Wallet - NFC passes
- NFC passes let you send customer information over NFC
- Only encrypted NFC passes supported from iOS 11
- Register for NFC passes at http://developer.apple.com/apple-pay

Wallet - Sharing
- Passes can now be opted out of sharing
- Useful for single use items like loyalty cards or tickets

Thank you