KKBOX WWDC17 Security - Antony

WWDC 2017 讀書會2017/07/21 - Antony Chuang

Outline

• Your Apps and Evolving Network Security Standards

• Privacy and Your Apps

• Advances in Networking

• What's new in Apple Pay Wallet





Your Apps and Evolving Network Security Standards

• Best Practices

• App Transport Security

• Transport Layer Security


Best Practices


Best Practices


Best Practices - RevocationOnline Certificate Status Protocol (OCSP)


Best Practices - RevocationOnline Certificate Status Protocol (OCSP)

• Additional network connection

• Compromises user privacy

• Requires app opt-in


Best Practices - RevocationOnline Certificate Status Protocol Stapling (OCSP Stapling)


Best Practices - RevocationOnline Certificate Status Protocol Stapling (OCSP Stapling)

• Slow adoption

• Malicious server


Best Practices - RevocationCertificate Transparency Log


Best Practices - Revocation

Certificate Transparency Log

• Reduced privacy compromise

• Automatic updating

• Faster connections

Certificate in iOS: https://support.apple.com/en-us/HT204132

https://support.apple.com/en-us/HT204132


Best Practices - Trust Removals

• SHA-1 signed certificates for TLS

• Certificates using <2048-bit RSA for TLS



• Not affect

- Root certificates

- Enterprise-distributed certificates

- User-installed certificates

- Client certificates

• Affect

- InvalidCertChain (-9807) SSL errors with URLSession




Best Practices - What to Do Now?

• Check implementations, libraries, and servers

• Avoid ATS exceptions


App Transport Security - Update

• Exceptions narrow down to per domain

• Exceptions expansion beyond WebKit (Certificate

Transparency requirement)

- AVFoundation loads

- WebView request

- Local network connection


ATS-Compliant Services


Transport Later Security


Enable TLS 1.3 Beta

• Not on by default

• iOS

https://developer.apple.com/go/?id=tls13-mobile-profile

• macOS

defaults write /Library/Preferences/com.apple.networkd tcp_connect_enable_tls13 1

https://developer.apple.com/go/?id=tls13-mobile-profile





Privacy and Your Apps


Prompting with Purpose - iOS 10


Prompting with Purpose - iOS 11


Prompting with Purpose - Location


Prompting with Purpose - Location

Support When In Use location authorization

• NSLocationWhenInUseUsageDescription

• NSLocationAlwaysAndWhenInUseUsageDescription


Prompting with Purpose - LocationWhen In Use location authorization undefined in iOS 10


Prompting with Purpose - LocationWhen In Use location and Always authorization both defined in iOS 10


Photo Library access in iOS 11

• Image picker without prompting for access

• Write only support

• Authorization will be reset on upgrade


Photo Library write only access in iOS 11

NSPhotoLibraryAddUsageDescription

• UIImageWriteToSavedPhotosAlbum

• UISaveVideoAtPathToSavedPhotosAlbum


Core NFC

NFCReaderUsageDescription

• Scan for nearby NFC tags

• In the foreground


Microphone - Watch OS

• Recording allowed to continue in the background

• Recording possible without the built-in modal UI

• Requires microphone authorization

• Indicator on watch face

Safari and other apps get their own cookies and website data

Clearing website data in Safari also clears the data in your app


Safari View Controller


On-Device Processing

• CoreML

• VisionKit

• ARKit

• NLP


DeviceCheck

• iOS, tvOS

• Per device, per developer data stored by Apple

• Two bits and a timestamp


DeviceCheckUpdate bit state


DeviceCheckRequest to Apple to query bit state


DeviceCheckResponse from Apple with the bit state


DeviceCheck

• Handle resold or transferred devices

• Relevancy based on age

• Part of your app logic not sole source





Advances in Networking

• Explicit Congestion Notification

• IPv6

• Networking stack changes

• New Network Extension facilities

• Multipath protocols for multipath devices

• URLSession


Explicit Congestion Notification


IPv6


IPv6


Networking stack changes


New Network Extension facilities

Advances in Networking New Network Extension facilities -NEHotspotConfiguration



Advances in Networking New Network Extension facilities - NEDNSProxyProvider

• Receives the system’s DNS query messages

• Handles them as it wishes

- Can send to recursive resolver of its choice

- Can send using protocol of its choice

‣ DNS over TLS

‣ DNS over HTTP


Multipath protocols for multipath devices


Multipath protocols for multipath devices

• Triggered by Marginal Wi-Fi

• “Fittest Wins Out” contest between Wi-Fi and Cell

• Wi-Fi has head start over Cell

• On a flow by flow basis, at flow setup time


Multipath TCP

• Built on top of TCP

- Reliability

- Congestion control

• Seamless handover from Wi-Fi to Cell

• Chooses optimal interface for latency-sensitive flows


Multipath TCP

• MPTCP schedules traffic across the interfaces

• One “TCP subflow” per interface

• MPTCP creates/destroys subflows


Multipath TCP in Siri

• Implemented since iOS 7 for Siri

• User feedback (time to first word) 20% faster in the 95th percentile

• 5x reduction in network failures


Multipath TCP in iOS11

• Server support

• Multipath service types

- Handover Mode

- Interactive Mode

• URLSession API


Multipath TCP - Server support


Multipath service types in iOS 11

• Handover Mode for high reliability

• Interactive Mode for low latency


Multipath service types - Handover

• Reliability for persistent connections

• Minimal cell usage

• Available in Beta 1


Multipath service types - Interactive

• Low latency for low-volume interactive flows

• Wi-Fi and cellular

• Available in an upcoming Beta


URLSession support


Multipath service types - Aggregation

• Combines link capacities

• Available through developer settings

• Starting in an upcoming Beta


URLSession - Current

• Failure causes by weak connectivity

- NSURLErrorNotConnectedToInternet

- NSURLErrorCannotConnectToHost

• Manual retry by user or monitor condition by SCNetworkReachability


URLSession

• New URLSessionConfiguration property

var waitsForConnectivity: Bool

• New URLSessionTaskDelegate method

urlSession(_:taskIsWaitingForConnectivity:) - optional


URLSession

• Recommendation

- Always enable waitsForConnectivity

• Exception

- Requests that must be completed immediately, like transaction


URLSession


URLSessionTask Scheduling API



• New URLSessionTask property

var earliestBeginDate: Date?

• New URLSessionTaskDelegate method called only when earliestBeginDate been set

urlSession(_:task:willBeginDelayedRequest:completionHandler:) - optional





New property for better scheduling by system

var countOfBytesClientExpectsToSend: Int64

var countOfBytesClientExpectsToReceive: Int64

NSURLSessionTransferSizeUnknown if cannot be estimated


URLSessionTask Progress

URLSessionTask implements ProgressReporting protocol

class URLSessionTask : NSObject, NSCopying, ProgressReporting

public var progress: Progress { get }


URLSessionTask ProgressProgress state management methods change URLSessionTask state


URLSession Enhancements

• ProgressReporting

• Brotli compression

- Requires HTTPS (TLS)

• Public Suffix List updates





What's new in Apple Pay Wallet

Apple Pay for Donations

• Accept donations for your nonprofit simply and securely

• Available within apps and on the web

• New donation button style

• https://developer.apple.com/support/apple-pay-nonprofits/


Apple Pay Make Purchasing Easier


Other Benefits Of Apple Pay

• Reduction in chargebacks

• No need to handle or store credit card numbers

• Trusted user experience


Apple Pay - Buttons


Apple Pay - Inline Setup

• Apple Pay setup is now offered automatically

• Simply present an Apple Pay sheet to a user without cards

• Users are returned to your Apple Pay purchase immediately after setup

• Still faster than a typical manual checkout


Apple Pay - Payment Errors

• Payment instrument failed to process

• Billing address didn’t match

• Email address was invalid

• Postal address had an incorrect ZIP

• Telephone was missing an area code


Apple Pay - Payment Errors


Apple Pay - Custom Errors

• Gracefully handle invalid or incorrect data directly in Apple Pay

• Display custom error messages

• Direct users to the specific fields that need correction











New callback


Wallet

NFC passes

• NFC passes let you send customer information over

• NFC Only encrypted NFC passes supported from iOS 11

• Register for NFC passes at developer.apple.com/apple-pay

http://developer.apple.com/apple-pay

http://developer.apple.com/apple-pay


Wallet

Sharing

• Passes can now be opted out of sharing

• Useful for single use items like loyalty cards or tickets

Thank you

KKBOX WWDC17 Security - Antony

Technology