You can now watch Apple’s ‘Behind the Scenes of iOS Security’ presentation from this year’s Black Hat Conference in its entirety. A video of the talk, featuring the company’s head of security engineering Ivan Krstic, has been posted to the official Black Hat YouTube page.
Apple’s presence at the conference was a nice change of pace, as the firm typically skips the event. Krstic covered a wide range of topics, including the technologies his team uses in services like HomeKit and iCloud Keychain that handle exceptionally sensitive user data.
With over a billion active devices and in-depth security protections spanning every layer from silicon to software, Apple works to advance the state of the art in mobile security with every release of iOS. We will discuss three iOS security mechanisms in unprecedented technical detail, offering the first public discussion of one of them new to iOS 10.
HomeKit, Auto Unlock and iCloud Keychain are three Apple technologies that handle exceptionally sensitive user data – controlling devices (including locks) in the user’s home, the ability to unlock a user’s Mac from an Apple Watch, and the user’s passwords and credit card information, respectively. We will discuss the cryptographic design and implementation of our novel secure synchronization fabric which moves confidential data between devices without exposing it to Apple, while affording the user the ability to recover data in case of device loss.
Data Protection is the cryptographic system protecting user data on all iOS devices. We will discuss the Secure Enclave Processor present in iPhone 5S and later devices and explain how it enabled a new approach to Data Protection key derivation and brute force rate limiting within a small TCB, making no intermediate or derived keys available to the normal Application Processor.
Traditional browser-based vulnerabilities are becoming harder to exploit due to increasingly sophisticated mitigation techniques. We will discuss a unique JIT hardening mechanism in iOS 10 that makes the iOS Safari JIT a more difficult target.
In addition to its presentation, Apple also made headlines at Black Hat by announcing a new bug bounty program. The program will initially be invitation-only, and pay out between $25k and $200K for demonstrable exploits, depending on their severity and location.
Source: Black Hat