
KKBOX WWDC17 Security - Antony


Presented by Antony, iOS engineer at KKTIX
Video: https://youtu.be/lA9CDWekfLE
Related sessions
- [Your Apps and Evolving Network Security Standards](https://developer.apple.com/videos/wwdc2017/videos/play/wwdc2017/701/)
- [Advances in Networking, Part 1](https://developer.apple.com/videos/wwdc2017/videos/play/wwdc2017/707/)
- [Advances in Networking, Part 2](https://developer.apple.com/videos/wwdc2017/videos/play/wwdc2017/709/)
- [What's new in Apple Pay & Wallet](https://developer.apple.com/videos/wwdc2017/videos/play/wwdc2017/714/)
- [Privacy and Your Apps](https://developer.apple.com/videos/wwdc2017/videos/play/wwdc2017/702/)

Published in: Technology

  1. 1. WWDC 2017 Study Group 2017/07/21 - Antony Chuang
  2. 2. Outline • Your Apps and Evolving Network Security Standards • Privacy and Your Apps • Advances in Networking • What's new in Apple Pay Wallet
  3. 3. • Your Apps and Evolving Network Security Standards • Privacy and Your Apps • Advances in Networking • What's new in Apple Pay Wallet
  4. 4. Your Apps and Evolving Network Security Standards • Best Practices • App Transport Security • Transport Layer Security
  5. 5. Your Apps and Evolving Network Security Standards Best Practices
  6. 6. Your Apps and Evolving Network Security Standards Best Practices
  7. 7. Your Apps and Evolving Network Security Standards Best Practices - Revocation Online Certificate Status Protocol (OCSP)
  8. 8. Your Apps and Evolving Network Security Standards Best Practices - Revocation Online Certificate Status Protocol (OCSP) • Additional network connection • Compromises user privacy • Requires app opt-in
  9. 9. Your Apps and Evolving Network Security Standards Best Practices - Revocation Online Certificate Status Protocol Stapling (OCSP Stapling)
  10. 10. Your Apps and Evolving Network Security Standards Best Practices - Revocation Online Certificate Status Protocol Stapling (OCSP Stapling) • Slow adoption • Malicious server
  11. 11. Your Apps and Evolving Network Security Standards Best Practices - Revocation Certificate Transparency Log
  12. 12. Your Apps and Evolving Network Security Standards Best Practices - Revocation Certificate Transparency Log • Reduced privacy compromise • Automatic updating • Faster connections Certificate in iOS: https://support.apple.com/en-us/HT204132
  13. 13. Your Apps and Evolving Network Security Standards Best Practices - Trust Removals • SHA-1 signed certificates for TLS • Certificates using <2048-bit RSA for TLS
  14. 14. Your Apps and Evolving Network Security Standards Best Practices - Trust Removals • Not affected - Root certificates - Enterprise-distributed certificates - User-installed certificates - Client certificates • Impact - InvalidCertChain (-9807) SSL errors with URLSession
  15. 15. Your Apps and Evolving Network Security Standards Best Practices - Trust Removals
  16. 16. Your Apps and Evolving Network Security Standards Best Practices - What to Do Now? • Check implementations, libraries, and servers • Avoid ATS exceptions
  17. 17. Your Apps and Evolving Network Security Standards App Transport Security - Update • Exceptions narrowed down to per domain • Exceptions expanded beyond WebKit (Certificate Transparency requirement) - AVFoundation loads - WebView requests - Local network connections
  18. 18. Your Apps and Evolving Network Security Standards ATS-Compliant Services
  19. 19. Your Apps and Evolving Network Security Standards Transport Layer Security
  20. 20. Your Apps and Evolving Network Security Standards Enable TLS 1.3 Beta • Not on by default • iOS: https://developer.apple.com/go/?id=tls13-mobile-profile • macOS: defaults write /Library/Preferences/com.apple.networkd tcp_connect_enable_tls13 1
  21. 21. • Your Apps and Evolving Network Security Standards • Privacy and Your Apps • Advances in Networking • What's new in Apple Pay Wallet
  22. 22. Privacy and Your Apps
  23. 23. Privacy and Your Apps Prompting with Purpose - iOS 10
  24. 24. Privacy and Your Apps Prompting with Purpose - iOS 11
  25. 25. Privacy and Your Apps Prompting with Purpose - Location
  26. 26. Privacy and Your Apps Prompting with Purpose - Location Support When In Use location authorization • NSLocationWhenInUseUsageDescription • NSLocationAlwaysAndWhenInUseUsageDescription
  27. 27. Privacy and Your Apps Prompting with Purpose - Location When In Use location authorization undefined in iOS 10
  28. 28. Privacy and Your Apps Prompting with Purpose - Location When In Use location and Always authorization both defined in iOS 10
  29. 29. Privacy and Your Apps Photo Library access in iOS 11 • Image picker without prompting for access • Write only support • Authorization will be reset on upgrade
  30. 30. Privacy and Your Apps Photo Library write only access in iOS 11 NSPhotoLibraryAddUsageDescription • UIImageWriteToSavedPhotosAlbum • UISaveVideoAtPathToSavedPhotosAlbum
  31. 31. Privacy and Your Apps Core NFC NFCReaderUsageDescription • Scan for nearby NFC tags • In the foreground
  32. 32. Privacy and Your Apps Microphone - watchOS • Recording allowed to continue in the background • Recording possible without the built-in modal UI • Requires microphone authorization • Indicator on watch face
  33. 33. Privacy and Your Apps Safari View Controller • Safari and other apps get their own cookies and website data • Clearing website data in Safari also clears the data in your app
  34. 34. Privacy and Your Apps On-Device Processing • CoreML • VisionKit • ARKit • NLP
  35. 35. Privacy and Your Apps DeviceCheck • iOS, tvOS • Per device, per developer data stored by Apple • Two bits and a timestamp
  36. 36. Privacy and Your Apps DeviceCheck Update bit state
  37. 37. Privacy and Your Apps DeviceCheck Request to Apple to query bit state
  38. 38. Privacy and Your Apps DeviceCheck Response from Apple with the bit state
  39. 39. Privacy and Your Apps DeviceCheck • Handle resold or transferred devices • Relevancy based on age • Part of your app logic not sole source
  40. 40. • Your Apps and Evolving Network Security Standards • Privacy and Your Apps • Advances in Networking • What's new in Apple Pay Wallet
  41. 41. Advances in Networking • Explicit Congestion Notification • IPv6 • Networking stack changes • New Network Extension facilities • Multipath protocols for multipath devices • URLSession
  42. 42. Advances in Networking Explicit Congestion Notification
  43. 43. Advances in Networking IPv6
  44. 44. Advances in Networking IPv6
  45. 45. Advances in Networking Networking stack changes
  46. 46. Advances in Networking New Network Extension facilities
  47. 47. Advances in Networking New Network Extension facilities - NEHotspotConfiguration
  48. 48. Advances in Networking New Network Extension facilities - NEHotspotConfiguration
  49. 49. Advances in Networking New Network Extension facilities - NEHotspotConfiguration
  50. 50. Advances in Networking New Network Extension facilities - NEDNSProxyProvider • Receives the system’s DNS query messages • Handles them as it wishes - Can send to recursive resolver of its choice - Can send using protocol of its choice ‣ DNS over TLS ‣ DNS over HTTP
  51. 51. Advances in Networking Multipath protocols for multipath devices
  52. 52. Advances in Networking Multipath protocols for multipath devices • Triggered by Marginal Wi-Fi • “Fittest Wins Out” contest between Wi-Fi and Cell • Wi-Fi has head start over Cell • On a flow by flow basis, at flow setup time
  53. 53. Advances in Networking Multipath TCP • Built on top of TCP - Reliability - Congestion control • Seamless handover from Wi-Fi to Cell • Chooses optimal interface for latency-sensitive flows
  54. 54. Advances in Networking Multipath TCP • MPTCP schedules traffic across the interfaces • One “TCP subflow” per interface • MPTCP creates/destroys subflows
  55. 55. Advances in Networking Multipath TCP in Siri • Implemented since iOS 7 for Siri • User feedback (time to first word) 20% faster in the 95th percentile • 5x reduction in network failures
  56. 56. Advances in Networking Multipath TCP in iOS11 • Server support • Multipath service types - Handover Mode - Interactive Mode • URLSession API
  57. 57. Advances in Networking Multipath TCP - Server support
  58. 58. Advances in Networking Multipath service types in iOS 11 • Handover Mode for high reliability • Interactive Mode for low latency
  59. 59. Advances in Networking Multipath service types - Handover • Reliability for persistent connections • Minimal cell usage • Available in Beta 1
  60. 60. Advances in Networking Multipath service types - Interactive • Low latency for low-volume interactive flows • Wi-Fi and cellular • Available in an upcoming Beta
  61. 61. Advances in Networking URLSession support
  62. 62. Advances in Networking Multipath service types - Aggregation • Combines link capacities • Available through developer settings • Starting in an upcoming Beta
  63. 63. Advances in Networking URLSession - Current • Failures caused by weak connectivity - NSURLErrorNotConnectedToInternet - NSURLErrorCannotConnectToHost • Manual retry by the user, or monitoring conditions with SCNetworkReachability
  64. 64. Advances in Networking URLSession • New URLSessionConfiguration property var waitsForConnectivity: Bool • New URLSessionTaskDelegate method urlSession(_:taskIsWaitingForConnectivity:) - optional
  65. 65. Advances in Networking URLSession • Recommendation - Always enable waitsForConnectivity • Exception - Requests that must be completed immediately, such as transactions
  66. 66. Advances in Networking URLSession
  67. 67. Advances in Networking URLSessionTask Scheduling API
  68. 68. Advances in Networking URLSessionTask Scheduling API • New URLSessionTask property var earliestBeginDate: Date? • New URLSessionTaskDelegate method, called only when earliestBeginDate has been set: urlSession(_:task:willBeginDelayedRequest:completionHandler:) - optional
  69. 69. Advances in Networking URLSessionTask Scheduling API
  70. 70. Advances in Networking URLSessionTask Scheduling API New properties for better scheduling by the system • var countOfBytesClientExpectsToSend: Int64 • var countOfBytesClientExpectsToReceive: Int64 • NSURLSessionTransferSizeUnknown if the size cannot be estimated
  71. 71. Advances in Networking URLSessionTask Progress URLSessionTask implements ProgressReporting protocol class URLSessionTask : NSObject, NSCopying, ProgressReporting public var progress: Progress { get }
  72. 72. Advances in Networking URLSessionTask Progress Progress state management methods change URLSessionTask state
  73. 73. Advances in Networking URLSession Enhancements • ProgressReporting • Brotli compression - Requires HTTPS (TLS) • Public Suffix List updates
  74. 74. • Your Apps and Evolving Network Security Standards • Privacy and Your Apps • Advances in Networking • What's new in Apple Pay Wallet
  75. 75. What's new in Apple Pay Wallet Apple Pay for Donations • Accept donations for your nonprofit simply and securely • Available within apps and on the web • New donation button style • https://developer.apple.com/support/apple-pay-nonprofits/
  76. 76. What's new in Apple Pay Wallet Apple Pay Make Purchasing Easier
  77. 77. What's new in Apple Pay Wallet Other Benefits Of Apple Pay • Reduction in chargebacks • No need to handle or store credit card numbers • Trusted user experience
  78. 78. What's new in Apple Pay Wallet Apple Pay - Buttons
  79. 79. What's new in Apple Pay Wallet Apple Pay - Inline Setup • Apple Pay setup is now offered automatically • Simply present an Apple Pay sheet to a user without cards • Users are returned to your Apple Pay purchase immediately after setup • Still faster than a typical manual checkout
  80. 80. What's new in Apple Pay Wallet Apple Pay - Payment Errors • Payment instrument failed to process • Billing address didn’t match • Email address was invalid • Postal address had an incorrect ZIP • Telephone was missing an area code
  81. 81. What's new in Apple Pay Wallet Apple Pay - Payment Errors
  82. 82. What's new in Apple Pay Wallet Apple Pay - Custom Errors • Gracefully handle invalid or incorrect data directly in Apple Pay • Display custom error messages • Direct users to the specific fields that need correction
  83. 83. What's new in Apple Pay Wallet Apple Pay - Custom Errors
  84. 84. What's new in Apple Pay Wallet Apple Pay - Custom Errors
  85. 85. What's new in Apple Pay Wallet Apple Pay - Custom Errors
  86. 86. What's new in Apple Pay Wallet Apple Pay - Custom Errors
  87. 87. What's new in Apple Pay Wallet Apple Pay - Custom Errors New callback
  88. 88. What's new in Apple Pay Wallet Wallet NFC passes • NFC passes let you send customer information over NFC • Only encrypted NFC passes supported from iOS 11 • Register for NFC passes at developer.apple.com/apple-pay
  89. 89. What's new in Apple Pay Wallet Wallet Sharing • Passes can now be opted out of sharing • Useful for single use items like loyalty cards or tickets
  90. 90. Thank you
