Lucia Ballard - Secure Transports Engineering Manager
Simon Cooper - Trusted Execution Engineering Manager
Network Security on iOS
Cryptography APIs
Platform security on macOS
Secure Communications (iOS)
HTTPS is the new HTTP
- Confidentiality
- Data integrity
- Not all HTTPS is created equal.
Current standards:
For NSURLSession and NSURLConnection APIs
- Use TLSv1.2
- Strong crypto - AES-128 and certificates signed with SHA-2
- Forward secrecy - ECDHE
Exceptions - global or for particular domains
App Transport Security Enforcement
Enforced at the end of 2016 for MAS apps
Reasonable justification required for most exceptions
Example - communicating with a specific third-party service, which isn't (yet) compliant.
New exceptions to make it easier:
- Streaming media using AVFoundation
- Web content exception using WKWebView
Watch video for plist key to use for WKWebView.
RC4 now disabled by default
SSLv3 disabled in Secure Transport
Other algorithms are starting to show their age and are being deprecated:
- SHA-1
- 3DES
Now is the time to upgrade your servers to drop dependencies on the deprecated algorithms.
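A quick way to check a server against the three requirements listed above (TLSv1.2, ECDHE for forward secrecy, AES-128 or stronger). This is an added example, not Apple's tooling or code from the session: `assess()` approximates the bullets in the notes rather than reproducing Apple's exact accepted-cipher list, it does not inspect the certificate's signature algorithm (the SHA-2 requirement), and `probe()` needs network access, so the host is a placeholder.

```python
"""Check a TLS endpoint against the App Transport Security baseline in the
notes: TLSv1.2, ECDHE key exchange (forward secrecy) and AES-128 or stronger.

Added example, not Apple's tooling. assess() is an approximation of the three
bullets, not Apple's exact accepted-cipher list, and it does not check the
certificate signature algorithm (the SHA-2 requirement).
"""
import socket
import ssl
from typing import List, Tuple

# Suite-name fragments for algorithms the notes call disabled or deprecated
# (RC4, 3DES) plus classic non-starters. Constructed for this example.
LEGACY_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "ANON")


def assess(protocol: str, cipher: str) -> List[str]:
    """Return the baseline violations for a negotiated (protocol, cipher suite)
    pair; an empty list means the pair passes.

    Accepts OpenSSL names ("ECDHE-RSA-AES128-GCM-SHA256") and IANA names
    ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256") by stripping the separators.
    """
    norm = cipher.upper().replace("_", "").replace("-", "")
    problems: List[str] = []
    if protocol not in ("TLSv1.2", "TLSv1.3"):
        problems.append(f"protocol {protocol} is older than TLSv1.2")
    # TLS 1.3 suite names omit the key exchange because every TLS 1.3
    # handshake is (EC)DHE; for TLS 1.2 the suite name must say ECDHE.
    if protocol != "TLSv1.3" and "ECDHE" not in norm:
        problems.append(f"{cipher} does not use ECDHE (no forward secrecy)")
    if "AES128" not in norm and "AES256" not in norm:
        problems.append(f"{cipher} does not use AES-128 or AES-256")
    legacy = [m for m in LEGACY_MARKERS if m in norm]
    if legacy:
        problems.append(f"{cipher} uses deprecated algorithm(s): {', '.join(legacy)}")
    return problems


def probe(host: str, port: int = 443, timeout: float = 5.0) -> Tuple[str, str]:
    """Open one TLS connection and return (protocol, cipher suite) as
    negotiated between the server and the local OpenSSL. Needs network
    access, so the offline checks only exercise assess()."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, _, _ = tls.cipher()
            return tls.version(), name


if __name__ == "__main__":
    import sys

    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    proto, suite = probe(host)
    print(f"{host}: {proto} {suite}")
    for line in assess(proto, suite) or ["meets the ATS baseline"]:
        print(" -", line)
```

Run it with the hostname of the server you are upgrading; note that the negotiated suite reflects the local OpenSSL's preferences as well as the server's, so a passing result shows the server can meet the baseline, not that every client will negotiate it.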
Strong TLS is not enough
Certificate ensures that you're talking to the right server.
Certificate Transparency
Publicly verifiable logs of issued certificates
Anyone can submit a certificate to a log
Client can check for proof that the certificate has been logged
In the certificate itself
Via OCSP
Third item listed (By checking with the CA? watch video)
You can require Certificate Transparency through App Transport Security
Proofs from at least two logs
More info available at certificate-transparency.org: https://www.certificate-transparency.org
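The ATS exceptions listed earlier and the Certificate Transparency requirement above both live in the app's Info.plist, so they can be audited together. The following is an added example, not Apple's tooling or code from the session: it flags exceptions that lower the defaults (HTTPS only, TLSv1.2, forward secrecy) and lists the domains that opt into CT. The key names are the ATS keys documented in Apple's Info.plist reference (the notes defer some of them to the video); the sample plist and its domains are constructed for this example.

```python
"""Audit the App Transport Security dictionary in an Info.plist: flag
exceptions that weaken the defaults (HTTPS only, TLSv1.2, forward secrecy)
and list the domains that require Certificate Transparency through ATS.

Added example, not Apple's tooling. Key names are Apple's documented ATS
keys; the plist content and domain names below are constructed.
"""
import plistlib
from typing import Any, Dict, List

# Constructed sample: one global relaxation plus two per-domain exceptions.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.sample</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoadsInWebContent</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy-partner.example</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
        <key>NSExceptionRequiresForwardSecrecy</key><false/>
      </dict>
      <key>api.example</key>
      <dict>
        <key>NSIncludesSubdomains</key><true/>
        <key>NSRequiresCertificateTransparency</key><true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Global keys that relax ATS for a whole class of connections.
GLOBAL_RELAXATIONS = (
    "NSAllowsArbitraryLoads",              # disables ATS for everything
    "NSAllowsArbitraryLoadsInWebContent",  # web-view content exception
    "NSAllowsArbitraryLoadsForMedia",      # AVFoundation streaming exception
)


def _exception_domains(plist_bytes: bytes) -> Dict[str, Dict[str, Any]]:
    """Return the NSExceptionDomains dictionary, or {} when there is none."""
    info = plistlib.loads(plist_bytes)
    return info.get("NSAppTransportSecurity", {}).get("NSExceptionDomains", {})


def ats_findings(plist_bytes: bytes) -> List[str]:
    """One line per ATS setting that lowers the baseline; [] when none."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings: List[str] = []
    for key in GLOBAL_RELAXATIONS:
        if ats.get(key) is True:
            findings.append(f"global: {key} is enabled")
    for domain, rules in _exception_domains(plist_bytes).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            findings.append(f"{domain}: plain HTTP allowed")
        minimum = rules.get("NSExceptionMinimumTLSVersion", "TLSv1.2")
        if minimum in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"{domain}: minimum TLS version lowered to {minimum}")
        # Forward secrecy is required unless the exception turns it off.
        if rules.get("NSExceptionRequiresForwardSecrecy", True) is False:
            findings.append(f"{domain}: forward secrecy (ECDHE) not required")
    return findings


def ct_required_domains(plist_bytes: bytes) -> List[str]:
    """Domains whose exception entry sets NSRequiresCertificateTransparency."""
    return sorted(
        domain for domain, rules in _exception_domains(plist_bytes).items()
        if rules.get("NSRequiresCertificateTransparency") is True
    )


if __name__ == "__main__":
    for line in ats_findings(SAMPLE_PLIST):
        print("finding:", line)
    print("CT required for:", ", ".join(ct_required_domains(SAMPLE_PLIST)) or "none")
```

Point it at a real Info.plist (binary plists work too, since `plistlib.loads` detects the format) to get the list of exceptions that need the justification App Review asks for.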
Certificate Transparency does not replace revocation
Recommended practice - OCSP stapling: https://en.wikipedia.org/wiki/OCSP_stapling
Benefits of using OCSP stapling
Reliable, quick revocation information
Protects user privacy
Deliver certificate transparency proofs
Widely supported and backwards-compatible
- Fully supported on all Apple platforms
Cryptographic improvements
SecKey and smart cards
SecKey Improvements
API for asymmetric keys
- Unification of macOS and iOS API
- Support for coming operations
Replacement for CDSA
System support for cryptographic devices
Smart cards, USB crypto tokens
Out-of-the-box integration with system services
- Token content available via keychain
More info available, watch video
How software is delivered (macOS)
Get apps from the MAS
Get Developer ID-signed apps outside the MAS
Use Xcode to build apps
Use traditional Unix tools to build apps
Developer ID:
Allows signed apps to be delivered outside the MAS
Usually downloaded
Developer ID Signing Identity
Developer ID-signed apps treated specially by Gatekeeper
iCloud for Developer ID
Developer ID can now use iCloud features
iCloud-enabled apps can now be delivered outside of the MAS
Developer ID-signed apps can now share data with iOS iCloud-enabled apps
iCloud Development testing can begin today.
iCloud Deployment
- Testing coming in upcoming seeds
- Distribution using GM tools
Gatekeeper
What is Gatekeeper?
Controls which software is allowed to run on your Mac
- MAS (Mac App Store)
- MAS and identified developers
- Anywhere
Changes to Gatekeeper in Sierra
- MAS
- MAS and identified developers
Can still open anyway
Allow from anywhere can still be enabled via the command line
Repacking problem
Gatekeeper enhancement to accommodate it
Correctly signed apps may reference unsigned external resources (code, libraries, plug-ins, HTML content, Python scripts, AppleScripts, etc.). The unsigned external resources may be malicious.
Not affected:
- From the MAS
- In a signed Apple installer package
Affected:
ZIP
Disk image (.dmg)
ISO disk image
Other archive format
Apple needs help from developers to address this issue.
- Switch to using disk image
- Disk images can now be signed
- .dmg signing available if using 10.11.5 or later
Use the codesign command line tool
Signatures are embedded
Backwards compatible with older OS versions
Distributing an app bundle?
Distribute via the MAS
Signed ZIP or disk image
Signed installer package
Adding personalization or licensing information
Use extended attribute on bundle root - see TN2206: developer.apple.com/library/mac/technotes/tn2206/_index.html
Sign a personalized disk image
Gatekeeper enhancement to address repacking problem
Gatekeeper path randomization
Supplements existing Gatekeeper protections
No change for MAS apps
No change for previously run apps
Applies to newly-downloaded apps
Applies to apps on unsigned disk images
When the app is launched from an unsigned disk image, the app is randomly relocated to another place on the filesystem. This breaks the app's ability to locate and access the external resource.
This behavior does not occur if you run from a signed disk image.
See complete list of session and lab notes here: