Protecting applications and user data is no easy task. Many things can go wrong, and there are many places where mistakes can be made. The goal of this talk is to help developers avoid those mistakes.
We will look at the data protection mechanisms available in iOS, typical mistakes and anti-patterns in their use, and ways to avoid them. We will cover protecting data at rest on the device and in transit over the network, and talk about the upcoming requirement to enable ATS, about the Secure Enclave, about malware, and about jailbreaking.
5. iOS Data Protection (1)
❖ Different protection classes
❖ File encryption
❖ Keychain for storing passwords and keys
❖ Encryption can be "tied" to the passcode
❖ Encryption of backups
18. How to set the protection class?
// Create a new file with a given protection class.
// The attributes dictionary is keyed by FileAttributeKey, so the key is
// used directly (no .rawValue).
FileManager.default.createFile(atPath: path,
                               contents: data,
                               attributes: [.protectionKey: FileProtectionType.complete])
// Change the protection class of an existing file (throws on failure)
try FileManager.default.setAttributes([.protectionKey: FileProtectionType.complete],
                                      ofItemAtPath: path)
// Write a Data object to a file and set the given protection class (throws on failure)
try data.write(to: url, options: .completeFileProtection)
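Setting a class is only half the job: files that are created without an explicit class silently get the app's default (NSFileProtectionCompleteUntilFirstUserAuthentication unless the entitlement says otherwise), and an atomic write replaces the file, so the class you set earlier may not be the one on disk now. The following helper is an added example, not code from the talk; it writes with the requested class and reads the attribute back so a mismatch is caught immediately. The file name in the usage is illustrative.

```swift
import Foundation

enum ProtectedFileError: Error {
    case protectionMismatch(expected: FileProtectionType, actual: FileProtectionType?)
}

/// Writes `data` to `url` with the requested Data Protection class and returns
/// the class the file system reports afterwards. Throws if they differ.
@discardableResult
func writeProtected(_ data: Data,
                    to url: URL,
                    protection: FileProtectionType = .complete) throws -> FileProtectionType {
    // Map the attribute value onto the matching Data.WritingOptions flag.
    // FileProtectionType is a struct, so the switch needs a default case.
    let option: Data.WritingOptions
    switch protection {
    case .complete:           option = .completeFileProtection
    case .completeUnlessOpen: option = .completeFileProtectionUnlessOpen
    case .completeUntilFirstUserAuthentication:
        option = .completeFileProtectionUntilFirstUserAuthentication
    default:                  option = .noFileProtection
    }
    // .atomic writes a temporary file and renames it over the target; passing
    // the protection option alongside makes the renamed file carry the class too.
    try data.write(to: url, options: [.atomic, option])

    // Read the class back. On a real device this is the value the kernel will
    // enforce; the simulator does not implement Data Protection and reports nothing,
    // so this check only means something on hardware.
    let attrs = try FileManager.default.attributesOfItem(atPath: url.path)
    let actual = attrs[.protectionKey] as? FileProtectionType
    guard actual == protection else {
        throw ProtectedFileError.protectionMismatch(expected: protection, actual: actual)
    }
    return protection
}

// Usage (file name assumed): a session token that is only needed while the
// user is actively using the app gets the strongest class.
func storeSessionToken(_ token: Data) throws {
    let docs = try FileManager.default.url(for: .documentDirectory, in: .userDomainMask,
                                           appropriateFor: nil, create: true)
    try writeProtected(token, to: docs.appendingPathComponent("session.bin"),
                       protection: .complete)
}
```

Pick the class by when the file must be readable, not by how secret it is: a `.complete` file is unreadable once the device locks, so anything a background fetch or push handler has to touch should use `.completeUnlessOpen` or `.completeUntilFirstUserAuthentication` instead, or the background task will fail with a permission error while the phone is in the user's pocket.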
19. How to set the protection class?
// Keychain item is readable only while the device is unlocked; the
// ...ThisDeviceOnly variant is additionally never migrated to another device
let attributes = [
    kSecAttrAccessible: kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
    // ...
] as NSDictionary
SecItemAdd(attributes as CFDictionary, nil)
20. iOS Data Protection (2)
❖ Secure Enclave
❖ Touch ID
❖ LocalAuthentication
❖ Keychain ACLs
21. Secure Enclave
❖ Built-in secure coprocessor
❖ Separate OS, secure boot
❖ A7+ (iPhone 5s and newer)
❖ Responsible for Touch ID, passcode verification, data encryption, Keychain ACLs
22. Touch ID in your application?
❖ LocalAuthentication framework
❖ Keychain Access Control Lists
23. LocalAuthentication
import LocalAuthentication

let context = LAContext()
var authError: NSError?
// canEvaluatePolicy reports whether Touch ID is enrolled and usable right now;
// authError explains why not (no enrolled fingers, locked out, ...)
if context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                             error: &authError) {
    context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                           localizedReason: "Reason shown in the Touch ID prompt") { success, error in
        if success {
            // User authentication successful
        }
    }
}
24. Keychain ACL
Defines the conditions under which data from the Keychain will be returned:
❖ kSecAccessControlUserPresence
❖ kSecAccessControlTouchIDAny
❖ kSecAccessControlTouchIDCurrentSet
❖ kSecAccessControlDevicePasscode
❖ kSecAccessControlOr, kSecAccessControlAnd
25. Keychain ACL
// Item is released only while unlocked, only on this device, and only after
// Touch ID succeeds with the currently enrolled fingerprints
let acl = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
                                          kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
                                          .touchIDCurrentSet,
                                          nil)
let attributes = [
    kSecAttrAccessControl: acl!,
    // ...
] as NSDictionary
SecItemAdd(attributes as CFDictionary, nil)
27. Keychain ACL
// Both Touch ID and an application-supplied password are required
let acl = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
                                          kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
                                          [.touchIDCurrentSet, .applicationPassword],
                                          nil)
// The application password is handed to the Keychain through an LAContext
let context = LAContext()
_ = context.setCredential("my-secret-password".data(using: .utf8),
                          type: .applicationPassword)
let attributes = [
    kSecAttrAccessControl: acl!,
    kSecUseAuthenticationContext: context,
    // ...
] as NSDictionary
SecItemAdd(attributes as CFDictionary, nil)
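The snippets on slides 19 and 25 elide the rest of the query with `// ...`, and that is exactly where real code goes wrong: a missing class, an add that fails with errSecDuplicateItem on the second run, or an accessibility key set together with an access-control object (they are mutually exclusive). The store below is an added example, not code from the talk, serving both slides: it always sets an explicit class, optionally gates the item behind Touch ID with the current fingerprint set, and surfaces the Security framework status codes a practitioner needs to handle. The service name is an assumed identifier.

```swift
import Foundation
import Security

enum KeychainError: Error {
    case status(OSStatus)        // raw Security status, e.g. errSecInteractionNotAllowed
    case randomGeneratorFailed
}

/// Generic-password store that never relies on the default accessibility class.
struct KeychainStore {
    let service = "com.example.app"   // assumed; use your bundle identifier

    /// With empty flags this equals kSecAttrAccessibleWhenUnlockedThisDeviceOnly alone.
    /// With .touchIDCurrentSet the Secure Enclave releases the item only after a
    /// successful match against the fingerprints enrolled right now; enrolling
    /// another finger invalidates it. That check runs in the SEP, not in app code,
    /// which is what makes it stronger than testing an LAContext success flag.
    static func accessControl(requireTouchID: Bool) throws -> SecAccessControl {
        var flags: SecAccessControlCreateFlags = []
        if requireTouchID { flags.insert(.touchIDCurrentSet) }
        var cfError: Unmanaged<CFError>?
        guard let acl = SecAccessControlCreateWithFlags(
                kCFAllocatorDefault,
                kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
                flags,
                &cfError) else {
            throw cfError!.takeRetainedValue() as Error
        }
        return acl
    }

    private func baseQuery(account: String) -> [String: Any] {
        return [kSecClass as String: kSecClassGenericPassword,
                kSecAttrService as String: service,
                kSecAttrAccount as String: account]
    }

    /// Stores `secret`, replacing any existing item. Delete-then-add is used instead
    /// of SecItemUpdate because changing the ACL of an existing Touch ID protected
    /// item would itself trigger an authentication prompt.
    func save(_ secret: Data, account: String, requireTouchID: Bool = false) throws {
        let deleted = SecItemDelete(baseQuery(account: account) as CFDictionary)
        guard deleted == errSecSuccess || deleted == errSecItemNotFound else {
            throw KeychainError.status(deleted)
        }
        var attrs = baseQuery(account: account)
        attrs[kSecValueData as String] = secret
        // kSecAttrAccessControl carries the accessibility class; do not also set
        // kSecAttrAccessible, SecItemAdd rejects the combination.
        attrs[kSecAttrAccessControl as String] =
            try KeychainStore.accessControl(requireTouchID: requireTouchID)
        let status = SecItemAdd(attrs as CFDictionary, nil)
        guard status == errSecSuccess else { throw KeychainError.status(status) }
    }

    /// Reads the secret back. For Touch ID protected items the system shows the
    /// prompt with `prompt` as the reason. A cancelled or failed prompt comes back
    /// as errSecUserCanceled / errSecAuthFailed; reading while the device is locked
    /// fails with errSecInteractionNotAllowed rather than returning stale data.
    func load(account: String, prompt: String = "Unlock") throws -> Data {
        var query = baseQuery(account: account)
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        query[kSecUseOperationPrompt as String] = prompt
        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        guard status == errSecSuccess, let data = result as? Data else {
            throw KeychainError.status(status)
        }
        return data
    }
}

/// 32 bytes from the system CSPRNG, e.g. the key of an encrypted database: a key
/// that is generated, never typed and never derived from a passphrase.
func makeRandomKey(count: Int = 32) throws -> Data {
    var bytes = [UInt8](repeating: 0, count: count)
    guard SecRandomCopyBytes(kSecRandomDefault, count, &bytes) == errSecSuccess else {
        throw KeychainError.randomGeneratorFailed
    }
    return Data(bytes)
}

// Usage: try KeychainStore().save(try makeRandomKey(), account: "db-key", requireTouchID: true)
```

Only read a `WhenUnlocked` item while the app is in the foreground and the device is unlocked; a background refresh that needs a secret should store it under `kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly` instead, and Touch ID gated items cannot be read from the background at all because the prompt needs the user.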
28. Typical mistakes
❖ Storing passwords or other confidential information in NSUserDefaults/UserDefaults, SQLite (for example via CoreData), and the like
❖ Using NSFileProtectionNone / kSecAttrAccessibleAlways
❖ "Leaking" passwords or confidential information into logs
❖ Passwords or confidential information on screenshots
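The screenshot item deserves a concrete fix, because it is the one the app itself causes without writing a single file: when the app leaves the foreground, iOS renders a snapshot of the current screen for the app switcher and stores it on disk. The class below is an added example, not code from the talk; it covers the key window with a blur when the app resigns active and removes it on return. Install one instance from the app delegate with the application's window.

```swift
import UIKit

/// Hides on-screen content from the app-switcher snapshot.
final class SnapshotCover {
    private let window: UIWindow
    private var cover: UIView?

    init(window: UIWindow) {
        self.window = window
        let center = NotificationCenter.default
        // willResignActive, not didEnterBackground: it also fires when the user
        // opens the app switcher or Control Center, where the app resigns active
        // without entering the background, so the cover is in place before
        // anything is rendered for the switcher.
        center.addObserver(self, selector: #selector(show),
                           name: UIApplication.willResignActiveNotification, object: nil)
        center.addObserver(self, selector: #selector(hide),
                           name: UIApplication.didBecomeActiveNotification, object: nil)
    }

    deinit { NotificationCenter.default.removeObserver(self) }

    @objc private func show() {
        guard cover == nil else { return }
        // A blur keeps the app recognisable in the switcher while making
        // account numbers, balances or message text unreadable.
        let blur = UIVisualEffectView(effect: UIBlurEffect(style: .light))
        blur.frame = window.bounds
        blur.autoresizingMask = [.flexibleWidth, .flexibleHeight]
        window.addSubview(blur)
        cover = blur
    }

    @objc private func hide() {
        cover?.removeFromSuperview()
        cover = nil
    }
}

// In the app delegate, after the window is created (property name assumed):
//   snapshotCover = SnapshotCover(window: window!)
```

Keep the cover logic independent of any view controller: a modal sheet or a keyboard extension presented over your UI would otherwise be missed. Text fields holding secrets should additionally use `isSecureTextEntry`, which both masks the characters and keeps them out of the keyboard's autocorrect cache.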
32. iTunes Backup
❖ <app>/Documents is included in the backup
❖ <app>/Library/Caches and <app>/tmp are not included in the backup
❖ NSURLIsExcludedFromBackupKey excludes a file from the backup
❖ Keychain entries can be extracted from an encrypted backup, except those with a …ThisDeviceOnly class
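A backup of Documents leaves the device, and the Data Protection class goes with it only as far as the backup's own encryption. The helpers below are an added example, not code from the talk: re-creatable data goes into Caches, and a file that must live in Documents is marked excluded and the flag is read back, because the exclusion is stored on the file itself and is lost whenever the file is replaced by an atomic write.

```swift
import Foundation

enum BackupPolicyError: Error { case notExcluded(URL) }

/// Directory for data that can be downloaded or derived again: not backed up,
/// but also purged by the system when storage runs low, so never the only copy.
func cachesDirectory() throws -> URL {
    return try FileManager.default.url(for: .cachesDirectory, in: .userDomainMask,
                                       appropriateFor: nil, create: true)
}

/// Marks `url` as excluded from backup and verifies the flag was actually stored.
/// Call it after every write that replaces the file (Data.write with .atomic
/// creates a new file, which starts without the flag).
func excludeFromBackup(_ url: URL) throws {
    var target = url                      // setResourceValues is mutating
    var values = URLResourceValues()
    values.isExcludedFromBackup = true
    try target.setResourceValues(values)

    let check = try target.resourceValues(forKeys: [.isExcludedFromBackupKey])
    guard check.isExcludedFromBackup == true else {
        throw BackupPolicyError.notExcluded(url)
    }
}

// Usage (file name assumed): a locally generated encryption artifact that must
// persist but has no business in a backup.
func writeLocalOnly(_ data: Data) throws {
    let docs = try FileManager.default.url(for: .documentDirectory, in: .userDomainMask,
                                           appropriateFor: nil, create: true)
    let url = docs.appendingPathComponent("device-state.bin")
    try data.write(to: url, options: [.atomic, .completeFileProtectionUnlessOpen])
    try excludeFromBackup(url)
}
```

Excluding a file from backup is not a substitute for a protection class: the file is still on the device and still readable by anything that gets into the sandbox, so the two controls are set together, as in `writeLocalOnly`.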
33. File Sharing
❖ Access to the application's "sandbox"
❖ Was enabled by default before iOS 8.3
❖ Is still enabled by default in iOS beta versions
❖ In iOS 8.4+ it is enabled only for applications with UIFileSharingEnabled
34. How to protect the data?
❖ Data Protection does not help protect data once it leaves the device
❖ Use an additional layer of encryption
❖ For example, SQLCipher
❖ Or the SQLite Encryption Extension
❖ Keep the database key/password in the Keychain with a strong protection class
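The part that usually goes wrong with SQLCipher is not the encryption but the key handling: a passphrase literal in the source, or a wrong key that is only discovered at the first real query. The function below is an added example, not code from the talk or from the SQLCipher project; it assumes the SQLCipher framework is linked (`import SQLCipher` via the CocoaPods module) and that the 32-byte key comes from the Keychain, generated rather than typed. It uses SQLCipher's raw-key PRAGMA syntax so no passphrase-to-key derivation runs, and it verifies the key before returning the handle.

```swift
import Foundation
import SQLCipher   // assumed: SQLCipher pod/framework, exposes the sqlite3 C API

enum EncryptedDBError: Error {
    case sqlite(Int32)
    case wrongKey
}

/// Opens `path` with a 32-byte raw key and returns the handle, or throws
/// .wrongKey when the first read fails with SQLITE_NOTADB, which is how
/// SQLCipher reports a key that does not match the database.
func openEncryptedDatabase(at path: String, key: Data) throws -> OpaquePointer {
    precondition(key.count == 32, "raw key must be exactly 32 bytes")
    var db: OpaquePointer?
    var rc = sqlite3_open(path, &db)
    guard rc == SQLITE_OK, let handle = db else { throw EncryptedDBError.sqlite(rc) }

    // Raw-key form: PRAGMA key = "x'<64 hex chars>'" tells SQLCipher to use the
    // bytes directly instead of running PBKDF2 over a passphrase.
    let hex = key.map { String(format: "%02x", $0) }.joined()
    rc = sqlite3_exec(handle, "PRAGMA key = \"x'\(hex)'\";", nil, nil, nil)
    guard rc == SQLITE_OK else {
        sqlite3_close(handle)
        throw EncryptedDBError.sqlite(rc)
    }

    // PRAGMA key itself never fails; the key is checked when the first page is
    // read, so touch the schema now rather than on the first user action.
    rc = sqlite3_exec(handle, "SELECT count(*) FROM sqlite_master;", nil, nil, nil)
    if rc == SQLITE_NOTADB {
        sqlite3_close(handle)
        throw EncryptedDBError.wrongKey
    }
    guard rc == SQLITE_OK else {
        sqlite3_close(handle)
        throw EncryptedDBError.sqlite(rc)
    }
    return handle
}
```

Two caveats follow from this design. The hex string is built in memory only to pass the PRAGMA; never log the statement, and never build it from a user-visible setting. And because the key is raw, losing the Keychain item (for example through the `...ThisDeviceOnly` class on a restored backup) means the database is unrecoverable by design, so decide up front whether that is the behaviour you want for this data.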
36. Transport Layer Security
❖ TLS (for TCP) and DTLS (for UDP) are the standards for protecting data in transit over the network
❖ Problem: (D)TLS depends on certificates
37. Certificates
❖ iOS 10 contains 172 trusted certificates
❖ https://support.apple.com/en-us/HT207177
❖ iOS "trusts" every certificate signed by any of these certificates
38. Certificate Pinning
❖ Restricts the set of trusted certificates for a given host/service
❖ "The certificate of server abc.com has fingerprint 01 23 45 …"
❖ "The certificate of server def.com was issued by Let's Encrypt"
❖ Requires careful handling: it is easy to inadvertently "break" clients
39. Certificate Pinning
❖ Easy to make mistakes
❖ The implementation in AFNetworking, for example, accidentally disabled certificate validation
❖ https://datatheorem.github.io/TrustKit/
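The AFNetworking mistake generalises: pinning code that replaces the system's chain validation instead of adding to it accepts any certificate that happens to match, including an expired one or one for the wrong host, and a bug in the match turns into no validation at all. The delegate below is an added example, not code from the talk, TrustKit or AFNetworking. It runs the standard SecTrust evaluation for the host first and only then compares SHA-256 fingerprints of the DER certificates in the chain against a pin set; the fingerprints in the usage are placeholders, and a host with no pins fails closed.

```swift
import Foundation
import Security
import CommonCrypto

final class PinningDelegate: NSObject, URLSessionDelegate {
    /// host -> accepted SHA-256 fingerprints (lowercase hex) of DER certificates
    let pinnedSHA256: [String: Set<String>]

    init(pins: [String: Set<String>]) { self.pinnedSHA256 = pins }

    static func sha256Hex(_ data: Data) -> String {
        var digest = [UInt8](repeating: 0, count: Int(CC_SHA256_DIGEST_LENGTH))
        data.withUnsafeBytes { buf in
            _ = CC_SHA256(buf.baseAddress, CC_LONG(data.count), &digest)
        }
        return digest.map { String(format: "%02x", $0) }.joined()
    }

    /// True only if the chain is valid for `host` under the system trust store
    /// AND at least one certificate in it matches a pin. Order matters.
    func isTrusted(_ trust: SecTrust, host: String) -> Bool {
        guard let pins = pinnedSHA256[host] else { return false }   // unknown host: fail closed

        // Step 1: the checks you must not skip: expiry, chain, hostname, revocation policy.
        _ = SecTrustSetPolicies(trust, SecPolicyCreateSSL(true, host as CFString))
        var result = SecTrustResultType.invalid
        guard SecTrustEvaluate(trust, &result) == errSecSuccess,
              result == .unspecified || result == .proceed else { return false }

        // Step 2: pinning narrows the already-valid chain. Walking the whole chain
        // lets you pin an intermediate or root rather than a frequently rotated leaf.
        for index in 0..<SecTrustGetCertificateCount(trust) {
            guard let cert = SecTrustGetCertificateAtIndex(trust, index) else { continue }
            let der = SecCertificateCopyData(cert) as Data
            if pins.contains(PinningDelegate.sha256Hex(der)) { return true }
        }
        return false
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition,
                                                  URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            // Not a server-trust challenge (e.g. HTTP auth): leave it to the system.
            completionHandler(.performDefaultHandling, nil)
            return
        }
        if isTrusted(trust, host: challenge.protectionSpace.host) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Usage (host and fingerprints are placeholders): always ship at least two pins
// so a certificate rotation does not lock every installed client out.
let pinnedSession = URLSession(
    configuration: .default,
    delegate: PinningDelegate(pins: ["api.example.com": ["<sha256 of current cert>",
                                                         "<sha256 of backup cert>"]]),
    delegateQueue: nil)
```

The fail-closed default on an unknown host is deliberate: if the delegate is attached to a session that also talks to un-pinned hosts, make that an explicit per-host decision rather than a silent fallback to `.performDefaultHandling`. Fingerprinting the whole certificate means every renewal changes the pin; pinning the Subject Public Key Info instead, which is what TrustKit does, survives renewals that keep the key.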
40. Certificate Transparency
❖ Logs issued certificates
❖ Does not allow a certificate to be removed from the log
❖ A client can check whether the server's certificate is in CT
❖ https://www.certificate-transparency.org/
41. App Transport Security
In theory:
❖ Blocks insecure connections
❖ Allows exceptions to be created
In practice:
42. App Transport Security
❖ From January 2017, exceptions will require justification and additional review when submitting to the App Store
❖ NSAllowsArbitraryLoads
❖ NSAllowsArbitraryLoadsForMedia
❖ NSAllowsArbitraryLoadsInWebContent
❖ NSExceptionAllowsInsecureHTTPLoads
❖ NSExceptionMinimumTLSVersion
❖ SFSafariViewController does not require exceptions
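The keys above are the difference between an exception a reviewer will accept and one they will not. The Info.plist fragment below is an added example, not from the talk: the first form is the blanket opt-out that disables ATS for every host the app ever talks to; the second keeps ATS on and relaxes only what one legacy host (an assumed name) actually needs. Only one NSAppTransportSecurity dictionary goes in a real plist; both are shown here to put the weak and the narrow form side by side.

```xml
<!-- Weak: ATS is off for every host, including ones added later. -->
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

<!-- Narrow: ATS stays on; legacy.example.com (assumed host) gets only the
     relaxations it needs, each of which can be dropped once the server is fixed. -->
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>legacy.example.com</key>
        <dict>
            <!-- Do not let the exception spread to subdomains by accident -->
            <key>NSIncludesSubdomains</key>
            <false/>
            <!-- Server cannot do TLS 1.2 yet: lower the floor, still HTTPS -->
            <key>NSExceptionMinimumTLSVersion</key>
            <string>TLSv1.0</string>
            <!-- Server has no ECDHE suites yet: waive forward secrecy only here -->
            <key>NSExceptionRequiresForwardSecrecy</key>
            <false/>
            <!-- Only if the host genuinely cannot serve HTTPS at all -->
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
</dict>
```

Each key in the narrow form names a specific server shortcoming, which is also what the App Store justification has to say; a reviewer can check a minimum-TLS-version exception against the server, whereas an arbitrary-loads flag says nothing about why it is needed.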
43. App Transport Security
❖ Supporting ATS requires changes on the server
❖ A valid certificate for an RSA key (2048 bits or more) or an ECC key (256 bits or more), signed with SHA-256
❖ TLS 1.2
❖ ECDHE
❖ https://developer.apple.com/