What s New in Security

Similar documents
End User Devices Security Guidance: Apple ios 8

End User Devices Security Guidance: Apple OS X 10.10

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

Key & Data Storage on Mobile Devices

Everything is Terrible

Enhancing Web Application Security

Deploying iphone and ipad Security Overview

Apple Inc. Certification Authority Certification Practice Statement Worldwide Developer Relations Version 1.14 Effective Date: September 9, 2015

ios Team Administration Guide (Legacy)

Mac OS X Security Checklist:

AD CS.

Guidance End User Devices Security Guidance: Apple OS X 10.9

Analyzing the Security Schemes of Various Cloud Storage Services

Ciphire Mail. Abstract

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

Certificates and Application Resigning

SSL Report: ebfl.srpskabanka.rs ( )

App Distribution Guide

SBClient SSL. Ehab AbuShmais

Migrating Trend Micro Mobile Security for Enterprise (TMMS) 8.0 to TMMS 9.0 Patch 1

CRYPTOGRAPHY AS A SERVICE

HTTPS is Fast and Hassle-free with CloudFlare

Apache Milagro (incubating) An Introduction ApacheCon North America

RSA SecurID Software Token 1.3 for iphone and ipad Administrator s Guide

Guide for Generating. Apple Push Notification Service Certificate

Cleaning Encrypted Traffic

Security for Mac Computers in the Enterprise

Guidance End User Devices Security Guidance: Apple ios 7

Best Practice Guide (SSL Implementation) for Mobile App Development 最 佳 行 事 指 引. Jointly published by. Publication version 1.

Penetration Testing for iphone Applications Part 1

How to configure Mac OS X Server

SSL BEST PRACTICES OVERVIEW

Architecture and Data Flow Overview. BlackBerry Enterprise Service Version: Quick Reference

Issue 1. Nokia and Nokia Connecting People are registered trademarks of Nokia Corporation

APNS Certificate generating and installation

How to generate an APNs Certificate to use the Apple MDM protocol via the portal

Deploying Management and Security Agents to Mobile Devices. Deploying Mgmt and Security Agents

Advanced Administration

Using etoken for SSL Web Authentication. SSL V3.0 Overview

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

SSL A discussion of the Secure Socket Layer

PUBLIC Secure Login for SAP Single Sign-On Implementation Guide

The safer, easier way to help you pass any IT exams. Exam : 9L OS X Server Essentials 10.8 Exam. Title : Version : Demo 1 / 6

ipad in Business Security

Using Microsoft Visual Studio API Reference

PCI Compliance Considerations

Standardizing PKI in Higher Education Apple PKI and Universal Hi-Ed Spec proposal

FileMaker. Installation and New Features Guide. for FileMaker Pro 15 and FileMaker Pro 15 Advanced

Administration Guide. BlackBerry Enterprise Service 12. Version 12.0

Encryption, Data Integrity, Digital Certificates, and SSL. Developed by. Jerry Scott. SSL Primer-1-1

Game Center Programming Guide

Key Management and Distribution

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

ios Security Decoded Dave Test Classroom and Lab Computing Penn State ITS Feedback -

Secure Sockets Layer

VMware Horizon FLEX User Guide

IT Networks & Security CERT Luncheon Series: Cryptography

Is Your SSL Website and Mobile App Really Secure?

Zenprise Device Manager 6.1

Security Technical. Overview. BlackBerry Enterprise Service 10. BlackBerry Device Service Solution Version: 10.2

Connected from everywhere. Cryptelo completely protects your data. Data transmitted to the server. Data sharing (both files and directory structure)

WIRELESS LAN SECURITY FUNDAMENTALS

Best Practices for SIP Security

Encrypting and signing

White Paper. The risks of authenticating with digital certificates exposed

What We Do: Simplify Enterprise Mobility

How to Obtain an APNs Certificate for CA MDM

I. Configuring Digital signature certificate in Microsoft Outlook 2003:

Generating an Apple Enterprise MDM Certificate

Kony MobileFabric Messaging. Demo App QuickStart Guide. (Building a Sample Application

iphone in Business Security Overview

Mobility, Security and Trusted Identities: It s Right In The Palm of Your Hands. Ian Wills Country Manager, Entrust Datacard

Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography

Configuration Guide. BES12 Cloud

Overview. SSL Cryptography Overview CHAPTER 1

Introduction to Cryptography

Knappsack ios Build and Deployment Guide

Adobe Flash Player and Adobe AIR security

QuickStart Guide for Mobile Device Management. Version 8.6

Dashlane Security Whitepaper

Getting the most from Apple Mail

How To Package In Composer (Amd64)

ios Enterprise Deployment Overview

Administering Jive Mobile Apps

Server based signature service. Overview

Smart Card Setup Guide

HP ProtectTools Embedded Security Guide

BuzzTouch ios Push Notifications

Automatic updates for Websense data endpoints

AppConnect FAQ for MobileIron Technology Partners! AppConnect Overview

Smart Card Authentication. Administrator's Guide

Your First App Store Submission

USER GUIDE WWPass Security for (Outlook) For WWPass Security Pack 2.4

MCTS Guide to Configuring Microsoft Windows Server 2008 Active Directory. Chapter 11: Active Directory Certificate Services

Security Technical. Overview. BlackBerry Enterprise Server for Microsoft Exchange. Version: 5.0 Service Pack: 4

Guidance Regarding Skype and Other P2P VoIP Solutions

IBM TRIRIGA Anywhere Version 10 Release 4. Installing a development environment

Transcription:

System Frameworks #WWDC16 What s New in Security Session 706 Lucia Ballard Secure Transports Engineering Manager Simon Cooper Trusted Execution Engineering Manager 2016 Apple Inc. All rights reserved. Redistribution or public display not permitted without written permission from Apple.

What s New in Security?

What s New in Security? Network Security

What s New in Security? Network Security Cryptography APIs

What s New in Security? Network Security Cryptography APIs Platform Security on macos

What s New in Network Security Lucia Ballard Secure Transports Engineering Manager

Secure Communications

Secure Communications HTTPS is the new HTTP Confidentiality Data integrity

Secure Communications HTTPS is the new HTTP Confidentiality Data integrity Not all HTTPS is created equal

App Transport Security Current standards

App Transport Security Current standards For NSURLSession and NSURLConnection APIs

App Transport Security Current standards For NSURLSession and NSURLConnection APIs TLS v1.2

App Transport Security Current standards For NSURLSession and NSURLConnection APIs TLS v1.2 Strong crypto AES-128 and SHA-2

App Transport Security Current standards For NSURLSession and NSURLConnection APIs TLS v1.2 Strong crypto AES-128 and SHA-2 Forward secrecy ECDHE

App Transport Security Current standards For NSURLSession and NSURLConnection APIs TLS v1.2 Strong crypto AES-128 and SHA-2 Forward secrecy ECDHE Exceptions global or for particular domains

App Transport Security Enforcement

App Transport Security Enforcement Enforced at the end of 2016

App Transport Security Enforcement Enforced at the end of 2016 Reasonable justification required for most exceptions NSAllowsArbitraryLoads NSExceptionAllowsInsecureHTTPLoads NSExceptionMinimumTLSVersion

App Transport Security Enforcement Enforced at the end of 2016 Reasonable justification required for most exceptions NSAllowsArbitraryLoads NSExceptionAllowsInsecureHTTPLoads NSExceptionMinimumTLSVersion Example Communicating with a specific third-party server

App Transport Security Enforcement Enforced at the end of 2016 Reasonable justification required for most exceptions NSAllowsArbitraryLoads NSExceptionAllowsInsecureHTTPLoads NSExceptionMinimumTLSVersion Example Communicating with a specific third-party server

App Transport Security Enforcement

App Transport Security Enforcement New exceptions to make it easier

App Transport Security Enforcement New exceptions to make it easier Streaming media using AVFoundation

App Transport Security Enforcement New exceptions to make it easier Streaming media using AVFoundation Web content using WKWebView

App Transport Security Enforcement New exceptions to make it easier Streaming media using AVFoundation Web content using WKWebView NSAppTransportSecurity : Dictionary { NSAllowsArbitraryLoads : Boolean NSAllowsArbitraryLoadsInWebContent : Boolean }

Evolving Standards Deprecation of older algorithms

Evolving Standards Deprecation of older algorithms RC4 disabled by default

Evolving Standards Deprecation of older algorithms RC4 disabled by default SSLv3 disabled in SecureTransport

Evolving Standards Deprecation of older algorithms RC4 disabled by default SSLv3 disabled in SecureTransport Other algorithms showing their age SHA-1 3DES

Evolving Standards Deprecation of older algorithms RC4 disabled by default SSLv3 disabled in SecureTransport Other algorithms showing their age SHA-1 3DES Now is the time to upgrade your servers

Certificates

Certificates Strong TLS is not enough

Certificates Strong TLS is not enough Certificate ensures that you re talking to the right server

Certificates Today

Certificates Today Certificate Authority Server Client

Certificates Today Certificate Authority Server Client

Certificates Today Certificate Authority Server Client

Certificates Today What could go wrong?

Certificates Today What could go wrong? Certificate Authority Server Client

Certificates Today What could go wrong? Certificate Authority Server Attacker s Server Client

Certificates Today What could go wrong? Certificate Authority Server Attacker s Server Client

Certificates Today What could go wrong? Certificate Authority Server Attacker s Server Client

Certificate Transparency

Certificate Transparency Public verifiable logs of issued certificates

Certificate Transparency Public verifiable logs of issued certificates Anyone can submit a certificate to a log

Certificate Transparency Public verifiable logs of issued certificates Anyone can submit a certificate to a log Client checks for proof that certificate has been logged In the certificate itself In a TLS extension Delivered via OCSP stapling

Certificate Transparency How it works

Certificate Transparency How it works Certificate Authority Server Client

Certificate Transparency How it works Certificate Authority Log Server Client

Certificate Transparency How it works Certificate Authority Log Server Client

Certificate Transparency How it works Certificate Authority Log Server Client

Certificate Transparency How it works Certificate Authority Log Server Client

Certificate Transparency How it works Certificate Authority Log Server Client

Certificate Transparency Makes attacks more difficult Certificate Authority Server Attacker s Server Client

Certificate Transparency Makes attacks more difficult Certificate Authority Server Attacker s Server Client

Certificate Transparency Makes attacks more difficult Certificate Authority Certificate rejected by client Server Attacker s Server Client

Certificate Transparency Makes attacks more difficult Certificate Authority Log Server Attacker s Server Client

Certificate Transparency Makes attacks more difficult Publicly visible Certificate Authority Log Server Attacker s Server Client

Certificate Transparency How to try it out

Certificate Transparency How to try it out You can require Certificate Transparency through App Transport Security

Certificate Transparency How to try it out You can require Certificate Transparency through App Transport Security NSAppTransportSecurity { NSExceptionDomains { example.com : { NSRequiresCertificateTransparency : YES } } }

Certificate Transparency How to try it out You can require Certificate Transparency through App Transport Security NSAppTransportSecurity { NSExceptionDomains { example.com : { NSRequiresCertificateTransparency : YES } } } Proofs required from at least two logs More information at certificate-transparency.org

Revocation Best practices

Revocation Best practices Certificate Transparency does not replace revocation

Revocation Best practices Certificate Transparency does not replace revocation Recommended practice OCSP stapling Enhancement to the Online Certificate Status Protocol (OCSP)

OCSP Certificate Authority Server Client

OCSP Certificate Authority? Server Client

OCSP Certificate Authority? Server Client

OCSP Stapling Certificate Authority Server Client

OCSP Stapling Certificate Authority? Server Client

OCSP Stapling Certificate Authority? Server Client

OCSP Stapling Certificate Authority? Server Client

Benefits of OCSP Stapling

Benefits of OCSP Stapling Reliable, quick revocation information

Benefits of OCSP Stapling Reliable, quick revocation information Protects your users privacy

Benefits of OCSP Stapling Reliable, quick revocation information Protects your users privacy Deliver certificate transparency proofs as well

Benefits of OCSP Stapling Reliable, quick revocation information Protects your users privacy Deliver certificate transparency proofs as well Widely supported and backwards-compatible Now fully supported on all Apple platforms

Summary Network security

Summary Network security Move forward to secure algorithms and ciphers TLS v1.2, forward secrecy, and SHA-2 certificates

Summary Network security Move forward to secure algorithms and ciphers TLS v1.2, forward secrecy, and SHA-2 certificates Add your certificates to certificate transparency logs

Summary Network security Move forward to secure algorithms and ciphers TLS v1.2, forward secrecy, and SHA-2 certificates Add your certificates to certificate transparency logs Enable OCSP stapling

Cryptographic Improvements SecKey and smart cards

SecKey Improvements

SecKey Improvements API for asymmetric keys Unification of macos and ios APIs Support for common operations

SecKey Improvements API for asymmetric keys Unification of macos and ios APIs Support for common operations Replacement for deprecated CDSA calls

SecKey Improvements API for asymmetric keys Unification of macos and ios APIs Support for common operations Replacement for deprecated CDSA calls Replacement for asymmetric SecTransforms

CryptoTokenKit

CryptoTokenKit System support for cryptographic devices Smart cards, USB cryptographic tokens

CryptoTokenKit System support for cryptographic devices Smart cards, USB cryptographic tokens Out-of-the-box integration with system services Token content accessible through keychain Token cryptographic operations available using SecKey API

CryptoTokenKit System support for cryptographic devices Smart cards, USB cryptographic tokens Out-of-the-box integration with system services Token content accessible through keychain Token cryptographic operations available using SecKey API More information in Security Labs

What s New in Platform Security Simon Cooper Trusted Execution Engineering Manager

What s New in Security

What s New in Security How Software is Delivered

What s New in Security How Software is Delivered Developer ID

What s New in Security How Software is Delivered Developer ID Gatekeeper

What s New in Security How Software is Delivered Developer ID Gatekeeper Software Packaging

How Software is Delivered

Software Delivery for ios

Software Delivery for ios App Store

Software Delivery for ios App Store Xcode

Software Delivery for ios App Store Xcode Enterprise programs

Software Delivery for macos

Software Delivery for macos Mac App Store

Software Delivery for macos Mac App Store Developer ID

Software Delivery for macos Mac App Store Developer ID Xcode

Developer ID

What is Developer ID?

What is Developer ID? Deliver apps outside of the App Store

What is Developer ID? Deliver apps outside of the App Store Usually downloaded

What is Developer ID? Deliver apps outside of the App Store Usually downloaded Developer ID Signing Identity

What is Developer ID? Deliver apps outside of the App Store Usually downloaded Developer ID Signing Identity Developer ID Signed Apps treated specially

icloud for Developer ID NEW

icloud for Developer ID NEW Developer ID can now use icloud features icloud Drive icloud Keychain Push Notifications VPN

icloud for Developer ID

icloud for Developer ID Deliver icloud-enabled Apps outside of the App Store

icloud for Developer ID Deliver icloud-enabled Apps outside of the App Store Developer ID apps can now share data with icloud ios apps

icloud for Developer ID Deliver icloud-enabled Apps outside of the App Store Developer ID apps can now share data with icloud ios apps Deploy back to macos 10.9

icloud for Developer ID

icloud for Developer ID icloud Development testing today

icloud for Developer ID icloud Development testing today icloud Deployment Testing in upcoming seeds Export a Developer ID-signed Application Save a copy of the application signed with your Developer ID. Distribution using GM tools

Gatekeeper

What is Gatekeeper?

What is Gatekeeper? Controls what software is allowed to run on your Mac Mac App Store Mac App Store and identified developers Anywhere

What is Gatekeeper? Controls what software is allowed to run on your Mac Mac App Store Mac App Store and identified developers Anywhere Prompts user before first run

Changes to Gatekeeper

Changes to Gatekeeper Changing the default options Mac App Store Mac App Store and identified Developers Can still open anyway

Changes to Gatekeeper

Changes to Gatekeeper Repackaging problem Gatekeeper enhancement

Repackaging Problem App Correctly Signed App Container: Zip, DMG, ISO Code or Code equivalent External Resources Libraries, plugins, HTML, Lua, Python, etc.

Repackaging Problem App Correctly Signed App Code or Code equivalent External Resources Libraries, plugins, HTML, Lua, Python, etc.

Repackaging Problem App Code or Code equivalent External Resources Libraries, plugins, HTML, Lua, Python, etc.

Repackaging Problem App External Resources

Repackaging Problem App External Resources

Repackaging Problem App External Resources

Repackaging Problem App External Resources

Repackaging Problem App Malicious Content

Repackaging Problem

Repackaging Problem Not affected From the Mac App Store In a signed Apple Installer package

Repackaging Problem

Repackaging Problem Affected ZIP Disk Images (DMGs) ISO Images Other archive formats

Repackaging Problem Affected ZIP Disk Images (DMGs) ISO Images Other archive formats Maybe affected 3rd-party installers

Repackaging Problem

Repackaging Problem Need your help

Repackaging Problem Need your help We need to protect customers

Containers ZIP, DMG, ISO App External Resources

Signing Disk Images App External Resources

Signing Disk Images Using macos 10.11.5 or later App External Resources

Signing Disk Images Using macos 10.11.5 or later Use the codesign tool App External Resources

Signing Disk Images Using macos 10.11.5 or later Use the codesign tool Signatures are embedded App External Resources

Signing Disk Images Using macos 10.11.5 or later Use the codesign tool Signatures are embedded Backwards-compatible with older OS releases App External Resources

Signing Disk Images Using macos 10.11.5 or later Use the codesign tool Signatures are embedded Backwards-compatible with older OS releases App External Resources For assistance, come to the Security Labs

Packaging Advice Do these Avoid the problem Put resources inside App Bundle App

Packaging Advice Do these Avoid the problem Put resources inside App Bundle App Internal Resources

Packaging Advice Do these

Packaging Advice Do these Distributing an App Bundle? Deliver via the Mac App Store Sign the App - Package in a Zip Archive - Verify signature before release Signed Apple Installer package

Packaging Advice Do these

Packaging Advice Do these For a container with Apps and resources Signed Disk Image Sign any content in the container Sign the disk image App External Resources Verify signatures before release

Packaging Advice

Packaging Advice Do These Adding personalization or licensing information Use extended attribute on bundle root see TN2206 Sign a personalized Disk Image

Packaging Advice Do These Do Not Do This Adding personalization or licensing information Use extended attribute on bundle root see TN2206 Modify your app after signing Deliver an app with a broken signature Use an ISO image Sign a personalized Disk Image

NEW Gatekeeper Enhancement Protecting customers

Gatekeeper Path Randomization NEW

Gatekeeper Path Randomization NEW Supplements existing Gatekeeper protections

Gatekeeper Path Randomization NEW Supplements existing Gatekeeper protections No change for Mac App Store apps

Gatekeeper Path Randomization NEW Supplements existing Gatekeeper protections No change for Mac App Store apps No change for previously run apps

Gatekeeper Path Randomization NEW Supplements existing Gatekeeper protections No change for Mac App Store apps No change for previously run apps Applies to newly downloaded apps

Gatekeeper Path Randomization NEW Supplements existing Gatekeeper protections No change for Mac App Store apps No change for previously run apps Applies to newly downloaded apps Applies to apps on unsigned Disk Images

Gatekeeper Path Randomization In a folder or Disk Image Your App Extra Resources

Gatekeeper Path Randomization When app is running Your App

Gatekeeper Path Randomization When app is running Your App

Gatekeeper Path Randomization When app is running? Your App

Gatekeeper Path Randomization Does not apply

Gatekeeper Path Randomization Does not apply User moves just the app bundle Must only move a single app bundle

Gatekeeper Path Randomization Does not apply User moves just the app bundle Must only move a single app bundle Signed Disk Images

Gatekeeper Path Randomization Does not apply User moves just the app bundle Must only move a single app bundle Signed Disk Images Signed Apple installer package

Gatekeeper Path Randomization Does not apply User moves just the app bundle Must only move a single app bundle Signed Disk Images Signed Apple installer package Apps from the Mac App Store

Summary Sign what you deliver Check the signatures are valid

More Information https://developer.apple.com/wwdc16/706

Labs Security & Privacy Lab 1 Frameworks Lab C Wednesday 9:00AM Security & Privacy Lab 2 Frameworks Lab B Thursday 9:00AM

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information