KKBOX WWDC17 Security - Antony


Post on 22-Jan-2018


<ul><li><p>WWDC 2017 2017/07/21 - Antony Chuang</p></li>
<li><p>Outline</p><p>Your Apps and Evolving Network Security Standards</p><p>Privacy and Your Apps</p><p>Advances in Networking</p><p>What's new in Apple Pay Wallet</p></li>
<li><p>Your Apps and Evolving Network Security Standards</p><p>Best Practices</p><p>App Transport Security</p><p>Transport Layer Security</p></li>
<li><p>Your Apps and Evolving Network Security Standards</p><p>Best Practices</p></li>
<li><p>Your Apps and Evolving Network Security Standards</p><p>Best Practices - Revocation</p><p>Online Certificate Status Protocol (OCSP)</p><p>Additional network connection</p><p>Compromises user privacy</p><p>Requires app opt-in</p></li>
<li><p>Your Apps and Evolving Network Security Standards</p><p>Best Practices - Revocation</p><p>Online Certificate Status Protocol Stapling (OCSP Stapling)</p><p>Slow adoption</p><p>Malicious server</p></li>
<li><p>Your Apps and Evolving Network Security Standards</p><p>Best Practices - Revocation</p><p>Certificate Transparency Log</p><p>Reduced privacy compromise</p><p>Automatic updating</p><p>Faster connections</p><p>Certificate in iOS: https://support.apple.com/en-us/HT204132</p></li>
<li><p>Your Apps and Evolving Network Security Standards</p><p>Best
Practices - Trust Removals</p><p>SHA-1 signed certificates for TLS</p><p>Certificates using </p></li>
<li><p>Your Apps and Evolving Network Security Standards</p><p>Best Practices - Trust Removals</p><p>Not affect</p><p>- Root certificates</p><p>- Enterprise-distributed certificates</p><p>- User-installed certificates</p><p>- Client certificates</p><p>Affect</p><p>- InvalidCertChain (-9807) SSL errors with URLSession</p></li>
<li><p>Your Apps and Evolving Network Security Standards</p><p>Best Practices - What to Do Now?</p><p>Check implementations, libraries, and servers</p><p>Avoid ATS exceptions</p></li>
<li><p>Your Apps and Evolving Network Security Standards</p><p>App Transport Security - Update</p><p>Exceptions narrowed down to per domain</p><p>Exceptions expanded beyond WebKit (Certificate Transparency requirement)</p><p>- AVFoundation loads</p><p>- WebView request</p><p>- Local network connection</p></li>
<li><p>Your Apps and Evolving Network Security Standards</p><p>ATS-Compliant Services</p></li>
<li><p>Your Apps and Evolving Network Security Standards</p><p>Transport Layer Security</p></li>
<li><p>Your Apps and Evolving Network Security Standards</p><p>Enable TLS 1.3 Beta</p><p>Not on by default</p><p>iOS</p><p>https://developer.apple.com/go/?id=tls13-mobile-profile</p><p>macOS</p><p>defaults write /Library/Preferences/com.apple.networkd tcp_connect_enable_tls13 1</p></li>
<li><p>Privacy and Your Apps</p></li>
<li><p>Privacy and Your Apps</p><p>Prompting with Purpose - iOS 10</p></li>
<li><p>Privacy and Your Apps</p><p>Prompting with Purpose - iOS 11</p></li>
<li><p>Privacy and Your Apps</p><p>Prompting with Purpose -
Location</p></li>
<li><p>Privacy and Your Apps</p><p>Prompting with Purpose - Location</p><p>Support When In Use location authorization</p><p>NSLocationWhenInUseUsageDescription</p><p>NSLocationAlwaysAndWhenInUseUsageDescription</p></li>
<li><p>Privacy and Your Apps</p><p>Prompting with Purpose - Location</p><p>When In Use location authorization undefined in iOS 10</p></li>
<li><p>Privacy and Your Apps</p><p>Prompting with Purpose - Location</p><p>When In Use location and Always authorization both defined in iOS 10</p></li>
<li><p>Privacy and Your Apps</p><p>Photo Library access in iOS 11</p><p>Image picker without prompting for access</p><p>Write-only support</p><p>Authorization will be reset on upgrade</p></li>
<li><p>Privacy and Your Apps</p><p>Photo Library write-only access in iOS 11</p><p>NSPhotoLibraryAddUsageDescription</p><p>UIImageWriteToSavedPhotosAlbum</p><p>UISaveVideoAtPathToSavedPhotosAlbum</p></li>
<li><p>Privacy and Your Apps</p><p>Core NFC</p><p>NFCReaderUsageDescription</p><p>Scan for nearby NFC tags</p><p>In the foreground</p></li>
<li><p>Privacy and Your Apps</p><p>Microphone - watchOS</p><p>Recording allowed to continue in the background</p><p>Recording possible without the built-in modal UI</p><p>Requires microphone authorization</p><p>Indicator on watch face</p></li>
<li><p>Privacy and Your Apps</p><p>Safari View Controller</p><p>Safari and other apps get their own cookies and website data</p><p>Clearing website data in Safari also clears the data in your app</p></li>
<li><p>Privacy and Your Apps</p><p>On-Device Processing</p><p>CoreML</p><p>VisionKit</p><p>ARKit</p><p>NLP</p></li>
<li><p>Privacy and Your Apps</p><p>DeviceCheck</p><p>iOS, tvOS</p><p>Per device, per developer data stored by Apple</p><p>Two bits and a timestamp</p></li>
<li><p>Privacy and Your Apps</p><p>DeviceCheck</p><p>Update bit state</p></li>
<li><p>Privacy and Your Apps</p><p>DeviceCheck</p><p>Request to Apple to query bit state</p></li>
<li><p>Privacy and Your Apps
</p><p>DeviceCheck</p><p>Response from Apple with the bit state</p></li>
<li><p>Privacy and Your Apps</p><p>DeviceCheck</p><p>Handle resold or transferred devices</p><p>Relevancy based on age</p><p>Part of your app logic, not sole source</p></li>
<li><p>Advances in Networking</p><p>Explicit Congestion Notification</p><p>IPv6</p><p>Networking stack changes</p><p>New Network Extension facilities</p><p>Multipath protocols for multipath devices</p><p>URLSession</p></li>
<li><p>Advances in Networking</p><p>Explicit Congestion Notification</p></li>
<li><p>Advances in Networking</p><p>IPv6</p></li>
<li><p>Advances in Networking</p><p>Networking stack changes</p></li>
<li><p>Advances in Networking</p><p>New Network Extension facilities</p></li>
<li><p>Advances in Networking</p><p>New Network Extension facilities - NEHotspotConfiguration</p></li>
<li><p>Advances in Networking</p><p>New Network Extension facilities - NEDNSProxyProvider</p><p>Receives the system's DNS query messages</p><p>Handles them as it wishes</p><p>- Can send to recursive resolver of its choice</p><p>- Can send using protocol of its choice</p><p>DNS over TLS</p><p>DNS over HTTP</p></li>
<li><p>Advances in Networking</p><p>Multipath protocols for multipath devices</p><p>Triggered by Marginal Wi-Fi</p><p>Fittest Wins Out contest between Wi-Fi and Cell</p><p>Wi-Fi has head start over Cell</p><p>On a flow by flow basis, at flow setup time</p></li>
<li><p>Advances in Networking</p><p>Multipath TCP</p><p>Built on top of
TCP</p><p>- Reliability</p><p>- Congestion control</p><p>Seamless handover from Wi-Fi to Cell</p><p>Chooses optimal interface for latency-sensitive flows</p></li>
<li><p>Advances in Networking</p><p>Multipath TCP</p><p>MPTCP schedules traffic across the interfaces</p><p>One TCP subflow per interface</p><p>MPTCP creates/destroys subflows</p></li>
<li><p>Advances in Networking</p><p>Multipath TCP in Siri</p><p>Implemented since iOS 7 for Siri</p><p>User feedback (time to first word) 20% faster in the 95th percentile</p><p>5x reduction in network failures</p></li>
<li><p>Advances in Networking</p><p>Multipath TCP in iOS 11</p><p>Server support</p><p>Multipath service types</p><p>- Handover Mode</p><p>- Interactive Mode</p><p>URLSession API</p></li>
<li><p>Advances in Networking</p><p>Multipath TCP - Server support</p></li>
<li><p>Advances in Networking</p><p>Multipath service types in iOS 11</p><p>Handover Mode for high reliability</p><p>Interactive Mode for low latency</p></li>
<li><p>Advances in Networking</p><p>Multipath service types - Handover</p><p>Reliability for persistent connections</p><p>Minimal cell usage</p><p>Available in Beta 1</p></li>
<li><p>Advances in Networking</p><p>Multipath service types - Interactive</p><p>Low latency for low-volume interactive flows</p><p>Wi-Fi and cellular</p><p>Available in an upcoming Beta</p></li>
<li><p>Advances in Networking</p><p>URLSession support</p></li>
<li><p>Advances in Networking</p><p>Multipath service types - Aggregation</p><p>Combines link capacities</p><p>Available through developer settings</p><p>Starting in an upcoming Beta</p></li>
<li><p>Advances in Networking</p><p>URLSession - Current</p><p>Failures caused by weak connectivity</p><p>- NSURLErrorNotConnectedToInternet</p><p>- NSURLErrorCannotConnectToHost</p><p>Manual retry by the user, or condition monitoring with SCNetworkReachability</p></li>
<li><p>Advances in Networking</p><p>URLSession</p><p>New URLSessionConfiguration property
</p><p>var waitsForConnectivity: Bool</p><p>New URLSessionTaskDelegate method</p><p>urlSession(_:taskIsWaitingForConnectivity:) - optional</p></li>
<li><p>Advances in Networking</p><p>URLSession</p><p>Recommendation</p><p>- Always enable waitsForConnectivity</p><p>Exception</p><p>- Requests that must be completed immediately, like a transaction</p></li>
<li><p>Advances in Networking</p><p>URLSession</p></li>
<li><p>Advances in Networking</p><p>URLSessionTask Scheduling API</p><p>New URLSessionTask property</p><p>var earliestBeginDate: Date?</p><p>New URLSessionTaskDelegate method, called only when earliestBeginDate has been set</p><p>urlSession(_:task:willBeginDelayedRequest:completionHandler:) - optional</p></li>
<li><p>Advances in Networking</p><p>URLSessionTask Scheduling API</p><p>New properties for better scheduling by the system</p><p>var countOfBytesClientExpectsToSend: Int64</p><p>var countOfBytesClientExpectsToReceive: Int64</p><p>NSURLSessionTransferSizeUnknown if it cannot be estimated</p></li>
<li><p>Advances in Networking</p><p>URLSessionTask Progress</p><p>URLSessionTask implements ProgressReporting protocol</p><p>class URLSessionTask : NSObject, NSCopying, ProgressReporting</p><p>public var progress: Progress { get }</p></li>
<li><p>Advances in Networking</p><p>URLSessionTask Progress</p><p>Progress state management methods change URLSessionTask state</p></li>
<li><p>Advances in Networking</p><p>URLSession Enhancements</p><p>ProgressReporting</p><p>Brotli compression</p><p>- Requires HTTPS (TLS)</p><p>Public Suffix List updates</p></li>
<li><p>What's new in Apple Pay Wallet</p><p>Apple Pay for Donations</p><p>Accept donations for your nonprofit simply and
securely</p><p>Available within apps and on the web</p><p>New donation button style</p><p>https://developer.apple.com/support/apple-pay-nonprofits/</p></li>
<li><p>What's new in Apple Pay Wallet</p><p>Apple Pay Makes Purchasing Easier</p></li>
<li><p>What's new in Apple Pay Wallet</p><p>Other Benefits Of Apple Pay</p><p>Reduction in chargebacks</p><p>No need to handle or store credit card numbers</p><p>Trusted user experience</p></li>
<li><p>What's new in Apple Pay Wallet</p><p>Apple Pay - Buttons</p></li>
<li><p>What's new in Apple Pay Wallet</p><p>Apple Pay - Inline Setup</p><p>Apple Pay setup is now offered automatically</p><p>Simply present an Apple Pay sheet to a user without cards</p><p>Users are returned to your Apple Pay purchase immediately after setup</p><p>Still faster than a typical manual checkout</p></li>
<li><p>What's new in Apple Pay Wallet</p><p>Apple Pay - Payment Errors</p><p>Payment instrument failed to process</p><p>Billing address didn't match</p><p>Email address was invalid</p><p>Postal address had an incorrect ZIP</p><p>Telephone was missing an area code</p></li>
<li><p>What's new in Apple Pay Wallet</p><p>Apple Pay - Custom Errors</p><p>Gracefully handle invalid or incorrect data directly in Apple Pay</p><p>Display custom error messages</p><p>Direct users to the specific fields that need correction</p></li>
<li><p>What's new in Apple Pay Wallet</p><p>Apple Pay - Custom Errors</p><p>New callback</p></li>
<li><p>What's new in Apple Pay Wallet</p><p>Wallet</p><p>NFC passes</p><p>NFC passes let you send customer information over NFC</p><p>Only encrypted NFC passes supported from iOS 11</p><p>Register for NFC passes at developer.apple.com/apple-pay</p><p>http://developer.apple.com/apple-pay</p></li>
<li><p>What's new in Apple Pay Wallet</p><p>Wallet</p><p>Sharing</p><p>Passes can now be opted out of sharing</p><p>Useful for single use items like loyalty cards or tickets</p></li>
<li><p>Thank you</p></li></ul>