© 2015 Apple Inc. All rights reserved. Redistribution or public display not permitted without written permission from Apple.
#WWDC15
Security and Your Apps
Ivan Krstić, Security and Privacy Strategy
Pierre-Olivier Martel, Sandbox Engineering Manager
Andrew Whalley, Core OS Security Engineering
System Frameworks
Session 706
Device Security
iOS: Secure Enclave, Touch ID, secure boot chain, data protection
OS X: FileVault, app sandbox, System Integrity Protection, …
Keychain, MDM
Network Security
HTTPS, TLS, “lock icon”
In 2015, TLS is a minimum baseline
TLS Is Not Enough
Many servers still default to TLSv1.0, from 1999
Newest version is TLSv1.2, from 2008, with a number of cryptographic improvements to the protocol
TLSv1.2 Is Not Enough
Compromise of a server key lets you decrypt all TLS traffic that was encrypted in the past
With forward secrecy, a server key compromise only lets an attacker decrypt future traffic
• Mitigates bulk recording of encrypted network data
TLS supports forward secrecy through specific cipher suites
“People have entrusted us with their most personal information. We owe them nothing less than the best protections that we can possibly provide by harnessing the technology at our disposal. We must get this right. History has shown us that sacrificing our right to privacy can have dire consequences.”
– Tim Cook, February 2015
App Transport Security
By default, apps linked against iOS 9 and OS X 10.11 cannot make unprotected HTTP connections
TLS connections require compliance with best practices
• TLSv1.2 with forward secrecy, no known-insecure cryptographic primitives (RC4 encryption, SHA-1 certificate signatures), and key size requirements (2048 bits for RSA, 256 bits for EC)
Exceptions can be declared in your Info.plist on a case-by-case basis, or as a complete override if necessary
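The ATS baseline on this slide, as a check you can run offline (an added example, not Apple's code or part of the session): check_server_params tests one server's negotiated parameters against the requirements listed above, and audit_ats reads the NSAppTransportSecurity dictionary out of an Info.plist and reports every exception that weakens the default. The exception keys are the real Info.plist keys; the sample plist, the host names, the input format of check_server_params and the rule that an ECDHE key exchange marks a forward-secret cipher suite are assumptions of this example.

```python
"""Added example: check TLS parameters and an Info.plist against the ATS
baseline described in the session. Not Apple's code; inputs are constructed."""
import plistlib

# Baseline from the slide: TLSv1.2, forward secrecy, no RC4 or SHA-1
# certificate signatures, RSA keys >= 2048 bits, EC keys >= 256 bits.
MIN_TLS = (1, 2)
MIN_KEY_BITS = {"RSA": 2048, "EC": 256}


def _tls_tuple(version):
    """'TLSv1.0' -> (1, 0); raises ValueError on anything unexpected."""
    return tuple(int(x) for x in version.replace("TLSv", "").split("."))


def check_server_params(tls_version, cipher_suite, sig_alg, key_type, key_bits):
    """Return the list of baseline violations for one server configuration.

    Arguments are what a TLS scanner reports for the server (assumed format:
    tls_version="TLSv1.2", cipher_suite in OpenSSL naming, sig_alg as printed
    in the certificate). An empty list means the server meets the baseline."""
    problems = []
    suite = cipher_suite.upper()
    if _tls_tuple(tls_version) < MIN_TLS:
        problems.append(f"{tls_version} negotiated; TLSv1.2 required")
    # Assumption: forward secrecy is recognised by an ephemeral ECDHE key
    # exchange in the suite name (the suites ATS accepts all use ECDHE).
    if "ECDHE" not in suite:
        problems.append(f"{cipher_suite} provides no forward secrecy")
    if "RC4" in suite:
        problems.append("RC4 is a known-insecure primitive")
    if "SHA1" in sig_alg.upper().replace("-", ""):
        problems.append("certificate signature uses SHA-1")
    if key_bits < MIN_KEY_BITS[key_type]:
        problems.append(f"{key_type} key is {key_bits} bits; "
                        f"{MIN_KEY_BITS[key_type]} required")
    return problems


def audit_ats(info_plist_bytes):
    """Return (scope, key, message) findings for every Info.plist exception
    that weakens ATS below the default. Keys are the real ATS exception keys."""
    ats = plistlib.loads(info_plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append(("*", "NSAllowsArbitraryLoads", "ATS disabled for every host"))
    for host, exc in ats.get("NSExceptionDomains", {}).items():
        scope = host + (" (+subdomains)" if exc.get("NSIncludesSubdomains") else "")
        if exc.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append((scope, "NSExceptionAllowsInsecureHTTPLoads",
                             "plaintext HTTP permitted"))
        version = exc.get("NSExceptionMinimumTLSVersion")
        if version and _tls_tuple(version) < MIN_TLS:
            findings.append((scope, "NSExceptionMinimumTLSVersion",
                             f"{version} accepted"))
        if exc.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append((scope, "NSExceptionRequiresForwardSecrecy",
                             "non-forward-secret cipher suites accepted"))
    return findings


# Constructed Info.plist: one host with a broad legacy exception, one host
# whose exception only restates the default.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSIncludesSubdomains</key><true/>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
        <key>NSExceptionRequiresForwardSecrecy</key><false/>
      </dict>
      <key>api.example.com</key>
      <dict>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.2</string>
      </dict>
    </dict>
  </dict>
</dict></plist>
"""

if __name__ == "__main__":
    for scope, key, msg in audit_ats(SAMPLE_INFO_PLIST):
        print(f"{scope}: {key}: {msg}")
    print(check_server_params("TLSv1.0", "RC4-SHA", "sha1WithRSAEncryption", "RSA", 1024))
```

Run against a real Info.plist, audit_ats gives you the list of hosts for which the "case-by-case" exceptions have quietly become a complete override; each finding names the key to remove once the server side meets the baseline.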
System Integrity Protection
Pierre-Olivier Martel
Sandbox Engineering Manager
Defense In Depth
Security is about layers
One layer failing shouldn’t defeat all security
Rely on multiple layers of protection with different properties
• Delay the advance of an attacker
• Reduce the attack surface
Defense In Depth: The origins
Sébastien de Vauban (1633–1707), military expert for the King of France
Defense In Depth: The OS X model
Developer ID and Gatekeeper
Sandbox
POSIX
Keychain
OS X Security Model: The power of root
Most Macs are single-user systems, where the user has administrative privileges by default
Root hidden behind a single—often weak—password
Root can disable all security measures on the device
Any piece of malware is one password or vulnerability away from taking full control of the device
OS X Security Model: The missing layer
Limit the power of root
Protect the system by default, on disk and at runtime
Provide a configuration mechanism that can’t be automatically compromised by root
System Integrity Protection
Security policy applying to every process, including privileged code running unsandboxed
Extends additional protections to system components on disk and at runtime
System binaries can only be modified by Apple Installer and Software Update, and no longer permit runtime attachment or code injection
System Integrity Protection: Developer impact
No impact on Mac App Store applications
Potential impact for non-App Store applications
• Modifying system binaries or frameworks
• Installing content in system locations
• Inspecting memory state of system processes
• Injecting libraries into system processes
Key Aspects
Filesystem protections
Runtime protections
Kernel extensions
Configuration mechanism
Platform Policy: Filesystem protections
Installer marks system locations with a special flag
Kernel stops processes from
• Writing to protected files or directories
• Writing to block devices backing protected content
• Mounting over protected content
Only applies to boot and root volumes
Platform Policy: Filesystem protections

System only          Available to developers
/System              [~]/Library
/bin, /usr, /sbin    /usr/local
                     /Applications

System Migration will move 3rd-party content out of system locations after upgrading
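The path table above, as an added example in Python (not Apple's code or the session's): classify() answers whether a path on the boot volume is system-only or left to developers, using longest-prefix matching so that /usr/local stays writable although /usr is protected, and normalising `..` so that /usr/local/../bin is still recognised as protected; migration_plan() lists the third-party files an installer has put into protected locations and where they would go. The prefixes are the slide's; the home directory, the sample paths and the target-location mapping (/System/Library to /Library, /usr and /bin to /usr/local) are assumptions of this example.

```python
"""Added example: classify paths against the SIP filesystem table above and
plan migration of third-party content. Not Apple's code; the prefix table is
the slide's, sample paths and the target mapping are constructed assumptions."""
import posixpath

# From the slide. /usr/local lives under the protected /usr, so the longest
# matching prefix must win when a path is covered by both lists.
SYSTEM_ONLY = ("/System", "/bin", "/sbin", "/usr")
DEVELOPER = ("/usr/local", "/Library", "/Applications")   # plus ~/Library


def _normalize(path, home):
    """Expand '~' and collapse '.'/'..' so /usr/local/../bin is seen as /usr/bin."""
    if path == "~" or path.startswith("~/"):
        path = home + path[1:]
    return posixpath.normpath(path)


def _longest_prefix(path, prefixes):
    """Longest entry of `prefixes` that is `path` itself or one of its parents."""
    hits = [p for p in prefixes if path == p or path.startswith(p + "/")]
    return max(hits, key=len) if hits else None


def classify(path, home="/Users/example"):
    """'protected' (system only), 'developer' (writable by third parties) or
    'other' (not covered, e.g. a path on a non-boot volume under /Volumes)."""
    norm = _normalize(path, home)
    dev = _longest_prefix(norm, DEVELOPER + (home + "/Library",))
    sys_only = _longest_prefix(norm, SYSTEM_ONLY)
    if dev and (sys_only is None or len(dev) > len(sys_only)):
        return "developer"
    return "protected" if sys_only else "other"


def migration_plan(installed_paths, home="/Users/example"):
    """Map each third-party path inside a protected location to where it should
    live instead. The target mapping is an assumption of this example:
    /System/Library/... -> /Library/..., /usr/... -> /usr/local/...,
    /bin and /sbin -> /usr/local/bin and /usr/local/sbin; anything else -> None."""
    plan = {}
    for raw in installed_paths:
        path = _normalize(raw, home)
        if classify(path, home) != "protected":
            continue
        if path.startswith("/System/Library/"):
            plan[path] = "/Library/" + path[len("/System/Library/"):]
        elif path.startswith("/usr/"):
            plan[path] = "/usr/local/" + path[len("/usr/"):]
        elif path.startswith(("/bin/", "/sbin/")):
            plan[path] = "/usr/local" + path
        else:
            plan[path] = None   # needs a manual decision
    return plan


if __name__ == "__main__":
    # Constructed sample inventory of an installer's payload.
    for p in ["/usr/bin/mytool", "/usr/local/bin/mytool", "/usr/local/../bin/ls",
              "/System/Library/Extensions/Foo.kext", "~/Library/Preferences/x.plist",
              "/Volumes/Data/usr/bin/x"]:
        print(f"{p:45} {classify(p)}")
    print(migration_plan(["/usr/bin/mytool", "/System/Library/Extensions/Foo.kext",
                          "/bin/myshell", "/usr/local/bin/ok"]))
```

Running migration_plan over an installer's file list before shipping tells you which payload items System Migration would move on the user's machine, so you can relocate them yourself instead of relying on the migration.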
Platform Policy: Runtime protections
Injecting code into a process is equivalent to modifying the binary on disk
Processes are marked restricted by the kernel when
• Main executable is protected on disk
• Main executable is signed with Apple-private entitlements
Platform Policy: Restricted processes
task_for_pid() / processor_set_tasks() fail with EPERM
Mach special ports are reset on exec(2)
dyld environment variables are ignored
dtrace probes unavailable

$> sudo lldb -n Finder
(lldb) process attach --name "Finder"
error: attach failed: attach failed: lost connection
Platform Policy: Kext signing
Extensions have to be signed with a Developer ID for Kexts certificate
Install into /Library/Extensions
kext-dev-mode boot-arg is now obsolete

$> sudo nvram boot-args='kext-dev-mode=1'
Configuration Mechanism
Disable System Integrity Protection (subject to change)
• Boot to Recovery OS (Command+R on boot)
• Launch “Security Configuration” from the “Utilities” menu
• Change configuration and apply
Configuration is stored in NVRAM
• Applies to the entire machine
• Persists across OS install
Summary
New security policy applying to every process
Protect the system by default, on disk and at runtime
• Restrict write access to system locations
• Prevent runtime attachment and code injection into system binaries
3rd-party content must be migrated out of system locations
Configuration mechanism in the Recovery OS
The Keychain and Touch ID
Andrew R. Whalley
Core OS Security Engineering
Protecting Data
Keychain
A very specialized database
Efficiently searched by attributes
Optimized for small payloads
The Keychain in a Nutshell: Item creation in Swift

import Foundation
import Security

// The secret to store, encoded as NSData for kSecValueData.
let secret = "top secret"
let secretData = secret.dataUsingEncoding(NSUTF8StringEncoding)!

// Attributes of a generic-password item. Service and account are the
// attributes the item is later searched by; secretData is already
// unwrapped above, so it is used as-is here.
let attributes: [String: AnyObject] = [
    kSecClass as String       : kSecClassGenericPassword as String,
    kSecAttrService as String : "myservice",
    kSecAttrAccount as String : "account name here",
    kSecValueData as String   : secretData
]

// errSecSuccess on success; any other OSStatus describes the failure.
let status = SecItemAdd(attributes, nil)
The Keychain in a Nutshell: Other SecItem calls

// Find the item(s) matching `query`; the result is returned through `data`.
let status = SecItemCopyMatching(query, &data)

// Remove every item matching `query`.
let status = SecItemDelete(query)

// Change the attributes of the items matching `query`.
let status = SecItemUpdate(query, attributes)
The Keychain in a NutshellSome considerations
Factor keychain code into a simple, testable unit• Wrapper class
Use the highest data protection level you can• kSecAttrAccessibleWhenUnlocked default and best• kSecAttrAccessibleAfterFirstUnlock for background apps
![Page 76: Security and Your Apps - Apple Developer · 2016-07-08 · App Transport Security By default, apps linked against iOS 9 and OS X 10.11 cannot make unprotected HTTP connections TLS](https://reader035.vdocuments.us/reader035/viewer/2022081611/5f0aa53c7e708231d42ca3a1/html5/thumbnails/76.jpg)
The Keychain in a NutshellSome considerations
Factor keychain code into a simple, testable unit• Wrapper class
Use the highest data protection level you can• kSecAttrAccessibleWhenUnlocked default and best• kSecAttrAccessibleAfterFirstUnlock for background apps• kSecAttrAccessibleAlways will be deprecated in iOS 9
![Page 77: Security and Your Apps - Apple Developer · 2016-07-08 · App Transport Security By default, apps linked against iOS 9 and OS X 10.11 cannot make unprotected HTTP connections TLS](https://reader035.vdocuments.us/reader035/viewer/2022081611/5f0aa53c7e708231d42ca3a1/html5/thumbnails/77.jpg)
The Keychain in a NutshellSome considerations
Factor keychain code into a simple, testable unit• Wrapper class
Use the highest data protection level you can• kSecAttrAccessibleWhenUnlocked default and best• kSecAttrAccessibleAfterFirstUnlock for background apps
![Page 78: Security and Your Apps - Apple Developer · 2016-07-08 · App Transport Security By default, apps linked against iOS 9 and OS X 10.11 cannot make unprotected HTTP connections TLS](https://reader035.vdocuments.us/reader035/viewer/2022081611/5f0aa53c7e708231d42ca3a1/html5/thumbnails/78.jpg)
Apple Watch

Reducing Password Prompts
Shared web credentials

Safari Saved Passwords

Websites and Apps

Shared Web Credentials
Save to Safari

```swift
let username = "[email protected]"
// Let the system generate a strong password instead of inventing one in the app
let password = SecCreateSharedWebCredentialPassword().takeRetainedValue()
SecAddSharedWebCredential("www.macosforge.org", username, password) { error in
    // handle error
}
```

Shared Web Credentials
Retrieve from Safari

```swift
// .None for the account asks for any credential Safari has saved for this domain
SecRequestSharedWebCredential("www.macosforge.org", .None) { credentials, error in
    if CFArrayGetCount(credentials) > 0 {
        let dict = unsafeBitCast(CFArrayGetValueAtIndex(credentials, 0), CFDictionaryRef.self) as Dictionary
        let username = dict[kSecAttrAccount as String]
        let password = dict[kSecSharedPassword as String]
        login(username, password)
    }
}
```

Associated Domains
App entitlement

Associated Domains
Server JSON
https://example.com/apple-app-site-association

```json
{
  "webcredentials": {
    "apps": [ "YWBN8XTPBJ.com.example.app", "YWBN8XTPBJ.com.example.app-dev" ]
  },
  "activitycontinuation": {
    "apps": [ "YWBN8XTPBJ.com.example.app" ]
  },
  "applinks": {
    "apps": [],
    "details": {
      "YWBN8XTPBJ.com.example.app": [ "/example/content/*" ]
    }
  }
}
```

For iOS 9: No need to sign JSON

Avoiding Asking for Passwords
iCloud Keychain

iCloud Keychain

For all passwords that can be used on multiple devices
• Add kSecAttrSynchronizable to all SecItem calls

A few caveats
• Updating or deleting items affects item on all devices
• See SecItem.h
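
The "wrapper class" the considerations slide asks for, covering both the protection-level choice and the iCloud Keychain caveats above, as an added example that is not code from the session. It is written in current Swift rather than the Swift 2 of the slides; `SecretStore`, `KeychainStore` and the sample secrets are constructed for this example, and the service and account names are the ones the slides use.

```swift
import Foundation
import Security

/// Every SecItem call lives behind this protocol, so the rest of the app (and its
/// unit tests, with an in-memory implementation) never touches the C API directly.
protocol SecretStore {
    func set(_ secret: Data, account: String) throws
    func get(account: String) throws -> Data?
    func delete(account: String) throws
}

struct KeychainStore: SecretStore {
    enum KeychainError: Error { case unexpectedStatus(OSStatus) }

    let service: String          // groups the app's items; "myservice" on the slides
    let accessibility: CFString  // protection class, set once for the whole store
    let synchronizable: Bool     // true: item lives in iCloud Keychain

    /// kSecAttrAccessibleWhenUnlocked is the default and the best choice; pick
    /// kSecAttrAccessibleAfterFirstUnlock only for work the app does in the background.
    init(service: String,
         accessibility: CFString = kSecAttrAccessibleWhenUnlocked,
         synchronizable: Bool = false) {
        // A ThisDeviceOnly class can never be synchronized; fail loudly instead of at SecItemAdd.
        let deviceOnly = [kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
                          kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly,
                          kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly].map { $0 as String }
        precondition(!(synchronizable && deviceOnly.contains(accessibility as String)),
                     "ThisDeviceOnly items cannot be synchronizable")
        self.service = service
        self.accessibility = accessibility
        self.synchronizable = synchronizable
    }

    /// Attributes that identify one item. The same dictionary is used for every call, so
    /// kSecAttrSynchronizable is present on add, copy, update and delete alike.
    private func baseQuery(account: String) -> [String: Any] {
        var query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
        if synchronizable { query[kSecAttrSynchronizable as String] = true }
        return query
    }

    func set(_ secret: Data, account: String) throws {
        var attributes = baseQuery(account: account)
        attributes[kSecValueData as String] = secret
        attributes[kSecAttrAccessible as String] = accessibility
        var status = SecItemAdd(attributes as CFDictionary, nil)
        if status == errSecDuplicateItem {
            // Existing item: update in place. For a synchronizable item this update,
            // like a delete, is applied on every device in the iCloud Keychain.
            let update: [String: Any] = [kSecValueData as String: secret]
            status = SecItemUpdate(baseQuery(account: account) as CFDictionary, update as CFDictionary)
        }
        guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
    }

    func get(account: String) throws -> Data? {
        var query = baseQuery(account: account)
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        switch status {
        case errSecSuccess: return result as? Data
        case errSecItemNotFound: return nil       // absent is not an error for callers
        default: throw KeychainError.unexpectedStatus(status)
        }
    }

    func delete(account: String) throws {
        let status = SecItemDelete(baseQuery(account: account) as CFDictionary)
        guard status == errSecSuccess || status == errSecItemNotFound else {
            throw KeychainError.unexpectedStatus(status)
        }
    }
}

/// Usage: a device-local store with the default class, and an iCloud Keychain store for a
/// password the user will also need on their other devices (secrets are constructed samples).
func storeExamples() throws {
    let local = KeychainStore(service: "myservice")
    try local.set(Data("constructed-secret".utf8), account: "account name here")

    let synced = KeychainStore(service: "myservice", synchronizable: true)
    try synced.set(Data("constructed-web-password".utf8), account: "account name here")
}
```

Because the accessibility class and the synchronizable flag are fixed per store, a test can assert on the dictionary each call builds, and a wrong protection level cannot slip into one call path while the others stay correct.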

Keychain

Store all secrets in the keychain
Protect them at the highest level possible
Use SharedWebCredentials and iCloud Keychain

Device Specific Credentials

Examples
• Limited use tokens and cookies
• Encrypted messaging keys
• Keys with specific protection requirements

kSecAttrAccessibleWhenUnlockedThisDeviceOnly
kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly
kSecAttrAccessControl

Architecture
iOS security domains

[Diagram: iOS security domains. Components: Application, Security Framework, KeyStore, Touch ID, Secure Enclave; boundaries: user space / kernel, process separation]

Touch ID

Convenience
• Don’t need to enter your passcode all the time

Security
• Stronger passcode
• Lock immediately

APIs
• LocalAuthentication
• Keychain Access Control Lists

Touch ID
Pseudocode

if PresentedFingerprintMatchesEnrolled() then DoSomething()

LocalAuthentication

[Diagram: LocalAuthentication flow. Components: Application (user space), LocalAuthentication, process separation, kernel, Secure Enclave, Touch ID; the match result gates DoSomething() in the application]

LocalAuthentication
Use cases

Replace existing security barrier
Adding one when it would have been too inconvenient before

Examples
• Viewing especially sensitive data
• Confirming an operation

LocalAuthentication
Prompt at app startup

LocalAuthentication
Allowing a previous match

```swift
let context = LAContext()
// Accept a Touch ID match from the last 30 seconds instead of prompting again
context.touchIDAuthenticationAllowableReuseDuration = 30
let reasonString = "Authentication is needed for access."

context.evaluatePolicy(.DeviceOwnerAuthenticationWithBiometrics, localizedReason: reasonString) { success, authenticationError in
    if success {
        showMainUI()
    }
}
```

Touch ID Enrollment Change

LocalAuthentication
Touch ID enrollment change

```swift
let context = LAContext()
do {
    try context.canEvaluatePolicy(.DeviceOwnerAuthenticationWithBiometrics)
    // evaluatedPolicyDomainState is populated once canEvaluatePolicy succeeds;
    // lastState is the value saved the last time the user authenticated
    if let domainState = context.evaluatedPolicyDomainState where domainState == lastState {
        // Enrollment state the same
    } else {
        // Enrollment state changed
    }
} catch {
    // Handle error
}
```

LocalAuthentication
Recap of what’s new in iOS 9

touchIDAuthenticationAllowableReuseDuration
• Accept a previous match
evaluatedPolicyDomainState
• Get a representation of the current set of enrolled fingers
invalidate()
• Cancel a user prompt from code
evaluateAccessControl()
• Use LocalAuthentication with Access Control Lists
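
The three LocalAuthentication additions above (reuse duration, enrollment-state comparison, invalidate()) combined into one object, as an added example that is not code from the session. It is in current Swift; `BiometricGate`, the UserDefaults key and the `unlock` helper are constructed for this example, and `showMainUI()` and the password fallback are assumed to exist in the app.

```swift
import Foundation
import LocalAuthentication

/// Owns the LAContext lifecycle: one fresh context per prompt, because an invalidated
/// context cannot be reused, and one place that records the enrolled-finger state.
final class BiometricGate {
    enum Check {
        case ready                 // biometrics usable and the enrolled set is unchanged
        case enrollmentChanged     // a finger was added or removed since the last success
        case unavailable(Error?)   // no Touch ID, nothing enrolled, or locked out
    }

    private let store: UserDefaults
    private let stateKey = "lastEvaluatedPolicyDomainState"   // hypothetical key name
    private let reuseDuration: TimeInterval
    private var activeContext: LAContext?

    init(store: UserDefaults = .standard, reuseDuration: TimeInterval = 30) {
        self.store = store
        self.reuseDuration = reuseDuration
    }

    private func makeContext() -> LAContext {
        let context = LAContext()
        // Accept a match from the last `reuseDuration` seconds instead of prompting again.
        context.touchIDAuthenticationAllowableReuseDuration = reuseDuration
        return context
    }

    /// Compare the current enrolled-finger set with the one recorded at the last success.
    func check() -> Check {
        let context = makeContext()
        var error: NSError?
        guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &error) else {
            return .unavailable(error)
        }
        // evaluatedPolicyDomainState is only filled in after canEvaluatePolicy/evaluatePolicy.
        guard let current = context.evaluatedPolicyDomainState else { return .unavailable(nil) }
        if let last = store.data(forKey: stateKey), last != current {
            return .enrollmentChanged
        }
        return .ready
    }

    /// Prompt; on success record the domain state so the next check() can detect a change.
    func authenticate(reason: String, completion: @escaping (Bool, Error?) -> Void) {
        let context = makeContext()
        activeContext = context
        context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, localizedReason: reason) { success, error in
            if success, let state = context.evaluatedPolicyDomainState {
                self.store.set(state, forKey: self.stateKey)
            }
            self.activeContext = nil
            DispatchQueue.main.async { completion(success, error) }
        }
    }

    /// Dismiss the system prompt from code, e.g. because the screen that asked for it went away.
    func cancelPrompt() {
        activeContext?.invalidate()
        activeContext = nil
    }
}

/// Usage: when the enrolled fingers changed, fall back to the account password before
/// trusting Touch ID again, rather than silently accepting the new finger set.
func unlock(with gate: BiometricGate,
            showMainUI: @escaping () -> Void,
            askForPassword: @escaping () -> Void) {
    switch gate.check() {
    case .ready:
        gate.authenticate(reason: "Authentication is needed for access.") { success, _ in
            if success { showMainUI() }
        }
    case .enrollmentChanged, .unavailable:
        askForPassword()
    }
}
```

The recorded domain state is not a secret, but it is a decision input: an app that wants it tamper-resistant stores it in the keychain (with the wrapper from the earlier slides) rather than in UserDefaults.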
Keychain Access Control Lists
[Diagram: Application in User Space; Kernel; Secure Enclave. Process Separation divides the three. The Keychain sits between the Application and the Kernel; the KeyStore and Touch ID sit inside the Secure Enclave, and the Secret lives in the KeyStore.]
KeychainAccess Control Lists
![Page 156: Security and Your Apps - Apple Developer · 2016-07-08 · App Transport Security By default, apps linked against iOS 9 and OS X 10.11 cannot make unprotected HTTP connections TLS](https://reader035.vdocuments.us/reader035/viewer/2022081611/5f0aa53c7e708231d42ca3a1/html5/thumbnails/156.jpg)
KeychainAccess Control Lists
Add additional protection to a saved credential
![Page 157: Security and Your Apps - Apple Developer · 2016-07-08 · App Transport Security By default, apps linked against iOS 9 and OS X 10.11 cannot make unprotected HTTP connections TLS](https://reader035.vdocuments.us/reader035/viewer/2022081611/5f0aa53c7e708231d42ca3a1/html5/thumbnails/157.jpg)
KeychainAccess Control Lists
Add additional protection to a saved credentialTake advantage of the Secure Enclave
![Page 158: Security and Your Apps - Apple Developer · 2016-07-08 · App Transport Security By default, apps linked against iOS 9 and OS X 10.11 cannot make unprotected HTTP connections TLS](https://reader035.vdocuments.us/reader035/viewer/2022081611/5f0aa53c7e708231d42ca3a1/html5/thumbnails/158.jpg)
KeychainAccess Control Lists
Add additional protection to a saved credentialTake advantage of the Secure EnclaveExamples
![Page 159: Security and Your Apps - Apple Developer · 2016-07-08 · App Transport Security By default, apps linked against iOS 9 and OS X 10.11 cannot make unprotected HTTP connections TLS](https://reader035.vdocuments.us/reader035/viewer/2022081611/5f0aa53c7e708231d42ca3a1/html5/thumbnails/159.jpg)
KeychainAccess Control Lists
Add additional protection to a saved credentialTake advantage of the Secure EnclaveExamples• Don’t require a username and password every launch
![Page 160: Security and Your Apps - Apple Developer · 2016-07-08 · App Transport Security By default, apps linked against iOS 9 and OS X 10.11 cannot make unprotected HTTP connections TLS](https://reader035.vdocuments.us/reader035/viewer/2022081611/5f0aa53c7e708231d42ca3a1/html5/thumbnails/160.jpg)
KeychainAccess Control Lists
Add additional protection to a saved credentialTake advantage of the Secure EnclaveExamples• Don’t require a username and password every launch• Protect local encryption keys
Keychain Item Access Control Lists
let secret = "top secret"
let secretData = secret.dataUsingEncoding(NSUTF8StringEncoding)!
var error: Unmanaged<CFErrorRef>?
let acl = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
    kSecAttrAccessibleWhenUnlocked, .UserPresence, &error).takeRetainedValue()
ACL Authentication Types
.UserPresence
.DevicePasscode
.TouchIDAny
.TouchIDCurrentSet
Touch ID and Multi Factor Authentication
Something you know
• Password
Something you have
• Physical token, smartcard
• iOS Device with Secure Enclave and Touch ID
SecAccessControlCreateFlags.TouchIDCurrentSet
Access Control List Authentication Types
Beyond Touch ID
.UserPresence
.DevicePasscode
.TouchIDAny
.TouchIDCurrentSet
.ApplicationPassword
.PrivateKeyUsage
ApplicationPassword
[Diagram: a keychain item is stored as an encrypted blob under kSecAttrAccessibleWhenUnlocked. The Passcode unlocks the AES Key that decrypts the blob to the plaintext "The secret meeting location is row 13 of Mission right after session 706". With the .ApplicationPassword flag the item is encrypted so that both the Passcode AES Key and the Password AES Key must be supplied before the same plaintext is recovered.]
ApplicationPasswordUse cases
![Page 189: Security and Your Apps - Apple Developer · 2016-07-08 · App Transport Security By default, apps linked against iOS 9 and OS X 10.11 cannot make unprotected HTTP connections TLS](https://reader035.vdocuments.us/reader035/viewer/2022081611/5f0aa53c7e708231d42ca3a1/html5/thumbnails/189.jpg)
ApplicationPasswordUse cases
Server side control of local data protection
![Page 190: Security and Your Apps - Apple Developer · 2016-07-08 · App Transport Security By default, apps linked against iOS 9 and OS X 10.11 cannot make unprotected HTTP connections TLS](https://reader035.vdocuments.us/reader035/viewer/2022081611/5f0aa53c7e708231d42ca3a1/html5/thumbnails/190.jpg)
ApplicationPasswordUse cases
Server side control of local data protectionKey storage on accessories
ApplicationPassword
Example
let secret = "top secret"
let secretData = secret.dataUsingEncoding(NSUTF8StringEncoding)!
var error: Unmanaged<CFErrorRef>?
let acl = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
    kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, .ApplicationPassword, &error).takeRetainedValue()
let context = LAContext()
let password = "e693b64e405e9ddc578959b97665e750"
context.setCredential(password.dataUsingEncoding(NSUTF8StringEncoding), type: .ApplicationPassword)
let attributes = [
    kSecClass as String: kSecClassGenericPassword as String,
    kSecAttrService as String: "myservice",
    kSecAttrAccount as String: "account name here",
    kSecValueData as String: secretData,
    kSecAttrAccessControl as String: acl,
    kSecUseAuthenticationContext as String: context
]
let status = SecItemAdd(attributes, nil)
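The two slide snippets above (the `.UserPresence` item and the `.ApplicationPassword` item) show only the write side. The following is an added example, not code from the session, that builds the access control list from any of the flags listed earlier, adds the item, and reads it back through an `LAContext`, once gated by the current Touch ID enrollment and once by an application password. It is written in current Swift, so the slides' Swift 2 spellings (`.UserPresence`, `.TouchIDCurrentSet`, `.ApplicationPassword`) appear as `.userPresence`, `.biometryCurrentSet` and `.applicationPassword`. The service and account names are hypothetical; the application password is the slide's sample value.

```swift
import Foundation
import Security
import LocalAuthentication

// Added example, not code from the session. Store a credential behind a Keychain
// access control list and read it back through an LAContext. Slide spellings
// (.UserPresence, .TouchIDCurrentSet, .ApplicationPassword) are the current
// .userPresence, .biometryCurrentSet and .applicationPassword.

enum KeychainACLError: Error {
    case accessControl(CFError?)
    case status(OSStatus)
}

/// Build the SecAccessControl for one of the policies listed on the slides.
/// ThisDeviceOnly keeps the item out of backups; PasscodeSet makes it unreadable
/// once the device passcode is removed.
func makeACL(_ flags: SecAccessControlCreateFlags) throws -> SecAccessControl {
    var error: Unmanaged<CFError>?
    guard let acl = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, flags, &error) else {
        throw KeychainACLError.accessControl(error?.takeRetainedValue())
    }
    return acl
}

/// Attributes that identify the item (hypothetical service/account names below).
func itemQuery(service: String, account: String) -> [String: Any] {
    return [kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account]
}

/// Add the item. The ACL is stored with it and enforced on every read. `context`
/// is needed only for .applicationPassword: the password it carries becomes part
/// of the key that wraps the item.
func storeSecret(_ secret: Data, service: String, account: String,
                 acl: SecAccessControl, context: LAContext? = nil) throws {
    // Drop a stale copy first so re-enrollment does not fail with errSecDuplicateItem.
    _ = SecItemDelete(itemQuery(service: service, account: account) as CFDictionary)
    var attrs = itemQuery(service: service, account: account)
    attrs[kSecValueData as String] = secret
    attrs[kSecAttrAccessControl as String] = acl
    if let context = context { attrs[kSecUseAuthenticationContext as String] = context }
    let status = SecItemAdd(attrs as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainACLError.status(status) }
}

/// Read the item back. This is the call that shows the Touch ID / passcode prompt.
/// A cancelled prompt, a non-matching finger or a wrong application password comes
/// back as a failing OSStatus (e.g. errSecUserCanceled, errSecAuthFailed), never as data.
func readSecret(service: String, account: String, context: LAContext) throws -> Data {
    var query = itemQuery(service: service, account: account)
    query[kSecReturnData as String] = true
    query[kSecUseAuthenticationContext as String] = context
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess, let data = result as? Data else {
        throw KeychainACLError.status(status)
    }
    return data
}

/// Wrap an application password in an LAContext; nil if the context rejects it.
func contextWithApplicationPassword(_ password: Data) -> LAContext? {
    let context = LAContext()
    return context.setCredential(password, type: .applicationPassword) ? context : nil
}

// 1. Credential gated by the current Touch ID enrollment: enrolling another finger
//    later invalidates the item, so a device that changes hands cannot unlock it.
let touchIDContext = LAContext()
touchIDContext.localizedReason = "Unlock your saved credential"
try storeSecret(Data("top secret".utf8), service: "myservice", account: "alice",
                acl: makeACL(.biometryCurrentSet))
let viaTouchID = try readSecret(service: "myservice", account: "alice", context: touchIDContext)

// 2. Credential that also needs an application password (the slide's sample value).
//    For the "server side control" use case the password is fetched from the server on
//    each launch and never written to disk, so revoking it server-side makes the local
//    item unreadable even though device and passcode are unchanged.
let serverPassword = Data("e693b64e405e9ddc578959b97665e750".utf8)
guard let pwContext = contextWithApplicationPassword(serverPassword) else { fatalError("no credential") }
try storeSecret(Data("top secret".utf8), service: "myservice", account: "account name here",
                acl: makeACL(.applicationPassword), context: pwContext)
let viaPassword = try readSecret(service: "myservice", account: "account name here", context: pwContext)
```

The read helper is where the policy is actually enforced: nothing in the add path checks the user, and a failed or cancelled prompt surfaces as an `OSStatus`, so callers must treat anything other than `errSecSuccess` as "no credential" rather than retrying blindly.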
Keeping Things Inside the Secure Enclave
[Diagram: Application in User Space; Kernel; Secure Enclave with KeyStore and Touch ID, separated by Process Separation. The Secret is held in the KeyStore.]
Asymmetric cryptography
Asymmetric Key Pair: Public Key, Private Key
Keeping More Inside the Secure Enclave
[Diagram sequence: Application in User Space; Kernel; Secure Enclave with KeyStore and Touch ID, separated by Process Separation.
1. SecKeyGeneratePair(): the key pair is generated in the Secure Enclave. The Public Key is returned to the Application; the Private Key stays in the KeyStore.
2. SecItemCopyMatching(): the Application looks up the Private Key, which remains in the KeyStore.
3. SecKeyRawSign(): the Data To Sign is passed to the Secure Enclave, Touch ID is checked, and the Signature is returned. The Private Key never leaves the Secure Enclave.]
![Page 216: Security and Your Apps - Apple Developer · 2016-07-08 · App Transport Security By default, apps linked against iOS 9 and OS X 10.11 cannot make unprotected HTTP connections TLS](https://reader035.vdocuments.us/reader035/viewer/2022081611/5f0aa53c7e708231d42ca3a1/html5/thumbnails/216.jpg)
Strengthening Touch ID as a Second Factor
Example flow—enrollment
• Generate keypair
• Send public key to server
• Server records public key
Strengthening Touch ID as a Second Factor
Example flow—verification
• Server sends a challenge
• App calls SecKeyRawSign()
• User presents finger
• App sends signed data back to server
• Server verifies signature against stored public key
Asymmetric Keys in the Secure Enclave
Generated private keys are
• EC P256
• Not extractable
Operations
• SecKeyRawSign()
• SecKeyRawVerify()
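The enrollment and verification flow above, with the EC P256 key properties just listed, as an added Go example that is not part of the session or of Apple's frameworks: it simulates both sides of the exchange, so the names newEnclaveKey, enroll, challenge, verify, the in-memory maps and the user names are hypothetical, constructed stand-ins for the real Security framework calls and a real user store. It assumes the DER (X9.62) encoding that SecKeyRawSign() produces for EC signatures, which is why the server side verifies with ecdsa.VerifyASN1, and it adds the server-side check the slides imply but do not spell out: each challenge is random and single-use, so a captured signature cannot be replayed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// newEnclaveKey is a hypothetical stand-in for a Secure Enclave P-256 key: the
// private half is captured by the returned closure and never leaves it. The
// closure mimics SecKeyRawSign(): SHA-256 digest in, DER (X9.62) ECDSA signature out.
func newEnclaveKey() (*ecdsa.PublicKey, func([]byte) ([]byte, error), error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	rawSign := func(digest []byte) ([]byte, error) {
		return ecdsa.SignASN1(rand.Reader, priv, digest)
	}
	return &priv.PublicKey, rawSign, nil
}

// Constructed in-memory stand-in for the server's user store: the public key
// recorded at enrollment and at most one outstanding challenge per user.
var enrolledKeys = map[string]*ecdsa.PublicKey{}
var pendingChallenges = map[string][]byte{}
func enroll(user string, pub *ecdsa.PublicKey) { enrolledKeys[user] = pub }

// challenge issues 32 fresh random bytes that are valid for exactly one attempt.
func challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	pendingChallenges[user] = c
	return c, nil
}

// verify consumes the challenge whether or not the check passes, so a captured
// signature cannot be replayed, then checks it against the enrolled key.
func verify(user string, sig []byte) bool {
	c, ok := pendingChallenges[user]
	delete(pendingChallenges, user)
	pub, enrolled := enrolledKeys[user]
	if !ok || !enrolled {
		return false
	}
	digest := sha256.Sum256(c)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}
```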
Summary
Overview of the keychain
Avoiding password prompts
Touch ID APIs
• LocalAuthentication
• Keychain ACLs
Advanced features
• App passwords
• Secure Enclave protected private keys
More Information
Technical Support
Apple Developer Forums
http://developer.apple.com/forums
Keychain Services Documentation
http://developer.apple.com/library/mac/#documentation/Security/Conceptual/keychainServConcepts
Shared Web Credentials Reference
http://developer.apple.com/library/ios/documentation/Security/Reference/SharedWebCredentialsRef/
More Information
Documentation
iOS Security White Paper
https://www.apple.com/business/docs/iOS_Security_Guide.pdf
iOS Security White Paper
http://developer.apple.com/support/technical
General Inquiries
Paul Danbold, Core OS
[email protected]
Related Sessions
Privacy and your App Pacific Heights Tuesday 2:30PM
Networking with NSURLSession Pacific Heights Thursday 9:00AM
Related Labs
Security and Privacy Lab Frameworks Lab C Wednesday 9:00AM
Security and Privacy Lab Frameworks Lab B Thursday 9:00AM