KKBOX WWDC17 Security - Antony

WWDC 2017 讀書會
2017/07/21 - Antony Chuang

Outline
• Your Apps and Evolving Network Security Standards

• Privacy and Your Apps

• Advances in Networking

• What's new in Apple Pay Wallet

• Your Apps and Evolving Network Security Standards

• Privacy and Your Apps

• Advances in Networking

• What's new in Apple Pay Wallet

Your Apps and Evolving Network Security Standards
• Best Practices

• App Transport Security

• Transport Layer Security

Best Practices

Best Practices - Revocation
Online Certiﬁcate Status Protocol (OCSP)

Online Certiﬁcate Status Protocol (OCSP)

• Additional network connection

• Compromises user privacy

• Requires app opt-in

Online Certiﬁcate Status Protocol Stapling (OCSP Stapling)

Online Certiﬁcate Status Protocol Stapling (OCSP Stapling)

• Slow adoption

• Malicious server

Certiﬁcate Transparency Log

Certiﬁcate Transparency Log

• Reduced privacy compromise

• Automatic updating

• Faster connections

Certiﬁcate in iOS: https://support.apple.com/en-us/HT204132

Best Practices - Trust Removals
• SHA-1 signed certiﬁcates for TLS

• Certiﬁcates using <2048-bit RSA for TLS

• Not affect

- Root certificates

- Enterprise-distributed certificates

- User-installed certificates

- Client certificates

• Affect

- InvalidCertChain (-9807) SSL errors with URLSession

Best Practices - What to Do Now?
• Check implementations, libraries, and servers

• Avoid ATS exceptions

App Transport Security - Update
• Exceptions narrow down to per domain

• Exceptions expansion beyond WebKit (Certiﬁcate
Transparency requirement)

- AVFoundation loads

- WebView request

- Local network connection

ATS-Compliant Services

Transport Later Security

Enable TLS 1.3 Beta
• Not on by default

• iOS

https://developer.apple.com/go/?id=tls13-mobile-proﬁle

• macOS

defaults write /Library/Preferences/com.apple.networkd tcp_connect_enable_tls13 1

Privacy and Your Apps
Prompting with Purpose - iOS 10

Prompting with Purpose - iOS 11

Prompting with Purpose - Location

Support When In Use location authorization

• NSLocationWhenInUseUsageDescription

• NSLocationAlwaysAndWhenInUseUsageDescription

When In Use location authorization undeﬁned in iOS 10

When In Use location and Always authorization both deﬁned
in iOS 10

Photo Library access in iOS 11
• Image picker without prompting for access

• Write only support

• Authorization will be reset on upgrade

Photo Library write only access in iOS 11
NSPhotoLibraryAddUsageDescription

• UIImageWriteToSavedPhotosAlbum

• UISaveVideoAtPathToSavedPhotosAlbum

Core NFC
NFCReaderUsageDescription

• Scan for nearby NFC tags

• In the foreground

Microphone - Watch OS
• Recording allowed to continue in the background

• Recording possible without the built-in modal UI

• Requires microphone authorization

• Indicator on watch face

Safari and other apps get their own cookies and website data

Clearing website data in Safari also clears the data in your app
Safari View Controller

On-Device Processing
• CoreML

• VisionKit

• ARKit

• NLP

DeviceCheck
• iOS, tvOS

• Per device, per developer data
stored by Apple

• Two bits and a timestamp

DeviceCheck
Update bit state

DeviceCheck
Request to Apple to query bit state

DeviceCheck
Response from Apple with the bit state

DeviceCheck
• Handle resold or transferred devices

• Relevancy based on age

• Part of your app logic not sole source

Advances in Networking
• Explicit Congestion Notiﬁcation

• IPv6

• Networking stack changes

• New Network Extension facilities

• Multipath protocols for multipath devices

• URLSession

Explicit Congestion Notiﬁcation

Networking stack changes

New Network Extension facilities

New Network Extension facilities -NEHotspotConﬁguration

New Network Extension facilities - NEDNSProxyProvider
• Receives the system’s DNS query messages

• Handles them as it wishes

- Can send to recursive resolver of its choice

- Can send using protocol of its choice

‣ DNS over TLS

‣ DNS over HTTP

Multipath protocols for multipath devices

Multipath protocols for multipath devices
• Triggered by Marginal Wi-Fi

• “Fittest Wins Out” contest
between Wi-Fi and Cell

• Wi-Fi has head start over Cell

• On a flow by flow basis, at
flow setup time

Multipath TCP
• Built on top of TCP

- Reliability

- Congestion control

• Seamless handover from Wi-Fi to Cell

• Chooses optimal interface for latency-sensitive ﬂows

Multipath TCP
• MPTCP schedules traffic
across the interfaces

• One “TCP subflow” per
interface

• MPTCP creates/destroys
subflows

Multipath TCP in Siri
• Implemented since iOS 7 for
Siri

• User feedback (time to ﬁrst
word) 20% faster in the 95th
percentile

• 5x reduction in network
failures

Multipath TCP in iOS11
• Server support

• Multipath service types

- Handover Mode

- Interactive Mode

• URLSession API

Multipath TCP - Server support

Multipath service types in iOS 11
• Handover Mode for high reliability

• Interactive Mode for low latency

Multipath service types - Handover
• Reliability for persistent
connections

• Minimal cell usage

• Available in Beta 1

Multipath service types - Interactive
• Low latency for low-volume
interactive ﬂows

• Wi-Fi and cellular

• Available in an upcoming Beta

URLSession support

Multipath service types - Aggregation
• Combines link capacities

• Available through developer settings

• Starting in an upcoming Beta

URLSession - Current
• Failure causes by weak connectivity

- NSURLErrorNotConnectedToInternet

- NSURLErrorCannotConnectToHost

• Manual retry by user or monitor condition by
SCNetworkReachability

URLSession
• New URLSessionConﬁguration property

var waitsForConnectivity: Bool

• New URLSessionTaskDelegate method

urlSession(_:taskIsWaitingForConnectivity:) - optional

URLSession
• Recommendation

- Always enable waitsForConnectivity

• Exception

- Requests that must be completed immediately, like
transaction

URLSession

URLSessionTask Scheduling API

• New URLSessionTask property

var earliestBeginDate: Date?

• New URLSessionTaskDelegate method called only when
earliestBeginDate been set

urlSession(_:task:willBeginDelayedRequest:completionHandler:) - optional

New property for better scheduling by system

var countOfBytesClientExpectsToSend: Int64

var countOfBytesClientExpectsToReceive: Int64

NSURLSessionTransferSizeUnknown if cannot be estimated

URLSessionTask Progress
URLSessionTask implements ProgressReporting protocol

class URLSessionTask : NSObject, NSCopying, ProgressReporting

public var progress: Progress { get }

URLSessionTask Progress
Progress state management methods change URLSessionTask state

URLSession Enhancements
• ProgressReporting

• Brotli compression

- Requires HTTPS (TLS)

• Public Suﬃx List updates

What's new in Apple Pay Wallet
Apple Pay for Donations
• Accept donations for your nonproﬁt simply and securely

• Available within apps and on the web

• New donation button style

• https://developer.apple.com/support/apple-pay-
nonproﬁts/

Apple Pay Make Purchasing Easier

Other Beneﬁts Of Apple Pay
• Reduction in chargebacks

• No need to handle or store credit card numbers

• Trusted user experience

Apple Pay - Buttons

Apple Pay - Inline Setup
• Apple Pay setup is now oﬀered automatically

• Simply present an Apple Pay sheet to a user without
cards

• Users are returned to your Apple Pay purchase
immediately after setup

• Still faster than a typical manual checkout

Apple Pay - Payment Errors
• Payment instrument failed to process

• Billing address didn’t match

• Email address was invalid

• Postal address had an incorrect ZIP

• Telephone was missing an area code

Apple Pay - Payment Errors

Apple Pay - Custom Errors
• Gracefully handle invalid or incorrect data directly in
Apple Pay

• Display custom error messages

• Direct users to the speciﬁc ﬁelds that need correction

New callback

Wallet
NFC passes

• NFC passes let you send customer information over

• NFC Only encrypted NFC passes supported from iOS 11

• Register for NFC passes at developer.apple.com/apple-
pay

Wallet
Sharing

• Passes can now be opted out of sharing

• Useful for single use items like loyalty cards or tickets

KKBOX WWDC17 Security - Antony

More Related Content

What's hot

Viewers also liked

Similar to KKBOX WWDC17 Security - Antony

More from Liyao Chen

Recently uploaded

KKBOX WWDC17 Security - Antony