Daily coverage of WWDC20.
A Swift by Sundell spin-off.

WWDC20’s major security and privacy announcements

Published at 10:30 GMT, 23 Jun 2020
Written by: Anastasiia Voitova

Have you noticed that WWDC20 has a standalone Privacy and Security category? Moreover, security and privacy-related announcements were made during the entire Keynote. Let’s go through the most interesting ones and take a look at what they might mean for both users and developers.

WWDC19 vs WWDC20

Before we start, I recommend reading my previous post from WWDC19 — since last year brought us some major new privacy and security-related APIs, such as Sign in with Apple, CryptoKit, a public Bug Bounty program (announced in autumn), and tons of other new APIs.

I’m curious about your experience with these new APIs! Feel free to ping me on Twitter and share your thoughts around:

  • Which security-related features have you started to use since WWDC19?
  • Which security features made you the most excited?
  • What do you think about this year’s announcements?

Personally, I think that WWDC19 was focused on introducing new major security features, and WWDC20 was more about improving and integrating them into the user experience and Apple’s apps.

Security and privacy-related WWDC20 updates

Let’s go through the major announcements that Apple have made so far one-by-one.

Apple’s Craig Federighi talking about Apple’s new privacy-related features

iMessage

iMessage now supports threads, comments and reactions — which might now make it one of the most secure messaging apps that support complicated communication interactions.

I won’t start a discussion as to which messaging app is The Most Secure One, but seeing these changes in iMessage makes me curious how the team implemented them into their end-to-end encrypted (E2EE) data flow.

Digital car keys

Apple announced digital car keys that can be used to unlock and start your car. Use iPhone’s NFC chip to unlock your car, and simply tap a button to start it.

Users will also be able to quickly share these digital car keys using iMessage, while also being able to select restricted access options.

This update is curious because of the underlying cryptography and key management schemes. I don’t know all of the details yet, but I’ll definitely watch the Introducing Car Keys session.

However, there’s also a really scary side to this new feature. Imagine driving out somewhere into the woods, then hiking all day, and ending up with a drained phone battery – will you still be able to open your car? It was mentioned during the keynote that digital keys will work up to 5 hours after an iPhone’s battery runs out, but I hope that cars that’ll support digital keys will still ship with physical key fobs as well.

Or imagine if a phone that has access to a car ends up being hacked!

During a conference talk in 2016, I explained how cars can be hacked via their mobile apps. Hacked iMessages might lead to leaked sensitive pictures, but hacked cars can lead to Carmageddon.

App clips

App clips are small, lightweight applications for doing a specific task. They should improve the overall user experience of using apps, and quickly give users more context-dependent information.

At the same time, from a security standpoint, app clips represent a new potential threat vector for your app. Will companies need to hire App clips security engineers? How will app clips work under the hood, what is their threat model, how do they process sensitive data (like payments) and communicate with “standard” apps? Let’s hope that the Explore app clips session answers some of those questions.

Privacy updates

Like always, Apple cares a lot about user privacy and propagates this way of thinking literally everywhere across their products: starting from data minimization and running predictions and other Machine Learning tasks on-device instead of sending that data to the cloud, to security protections and giving users control of their data.

Among the privacy-related updates this year are:

  • Displaying a camera recording indicator on iPhones similar to the hardware light found on Macs.
  • Users can now accept or reject tracking across websites and apps.
  • Transparently sharing what kind of data any app tracks and shares with other companies.

Privacy permissions

These new privacy declarations are self-reported by developers (probably during app submission), which doesn’t sound like a very strict guideline to me. However, as @uraimo mentioned, these reports could be a useful tool for Apple in order to ban infringing apps from the App Store.

Currently, I don’t see any changes in the Apple Review Guidelines regarding these new privacy declarations.

iOS permissions

Pushing developers towards their preferred data minimization approach, Apple introduced more APIs and ways to ask users for as little data as possible.

Permission updates include:

  • Being able to share an approximate location, instead of precise location data, with an app. Developers can ask for an approximate location by default by using NSLocationDefaultAccuracyReduced.
  • Being able to share access only to some photos instead of the whole Photo library. To achieve this, developers could use the new PHPicker class instead of UIImagePickerController in most cases.
  • Enabling developers to use AutoFill suggestions instead of requiring users to share access to their Contacts.

Get rid of alerts, user permissions smarter
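
The photo and location items above, sketched as an added example (not code from the original article or from Apple). The class name, `pickOnePhoto`, `startLocation` and `handlePicked` are hypothetical, and the Info.plist is assumed to set `NSLocationDefaultAccuracyReduced` to true and to include a when-in-use usage description.

```swift
import UIKit
import PhotosUI
import CoreLocation

// Added example (iOS 14+); class and method names are hypothetical.
final class MinimalAccessViewController: UIViewController,
    PHPickerViewControllerDelegate, CLLocationManagerDelegate {

    private let locationManager = CLLocationManager()

    // PHPicker needs no photo-library authorization: the app receives
    // only the items the user explicitly selects.
    func pickOnePhoto() {
        var config = PHPickerConfiguration()
        config.filter = .images
        config.selectionLimit = 1
        let picker = PHPickerViewController(configuration: config)
        picker.delegate = self
        present(picker, animated: true)
    }

    func picker(_ picker: PHPickerViewController,
                didFinishPicking results: [PHPickerResult]) {
        picker.dismiss(animated: true)
        guard let provider = results.first?.itemProvider,
              provider.canLoadObject(ofClass: UIImage.self) else { return }
        provider.loadObject(ofClass: UIImage.self) { [weak self] object, _ in
            guard let image = object as? UIImage else { return }
            DispatchQueue.main.async { self?.handlePicked(image) }
        }
    }

    func handlePicked(_ image: UIImage) { /* app-specific, hypothetical */ }

    // Assumes Info.plist sets NSLocationDefaultAccuracyReduced to true and
    // contains NSLocationWhenInUseUsageDescription.
    func startLocation() {
        locationManager.delegate = self
        locationManager.requestWhenInUseAuthorization()
    }

    func locationManagerDidChangeAuthorization(_ manager: CLLocationManager) {
        let status = manager.authorizationStatus
        guard status == .authorizedWhenInUse || status == .authorizedAlways else { return }
        // Design features around approximate fixes; do not assume precision.
        if manager.accuracyAuthorization == .reducedAccuracy {
            manager.desiredAccuracy = kCLLocationAccuracyReduced
        }
        manager.startUpdatingLocation()
    }
}
```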

HomeKit

HomeKit received privacy updates as well. HomeKit has now been open-sourced, and Apple is partnering up with Google, Amazon and other companies to work on standardized Connected Home protocols.

As usual, Apple emphasizes that HomeKit uses end-to-end encryption when handling data collected from sensors.

Safari

“Your privacy – your business.”

Safari received tons of privacy updates at WWDC20. Now users can:

  • See and disable ad trackers on websites.
  • See a “full privacy report” for each site.
  • Securely monitor if their passwords were breached.
  • Control extensions by only giving them permissions to run on a certain site, or during a certain time interval.

Safari extension tracking

API changes

Want to find out which APIs were changed? Apple’s documentation portal has a handy mode to show all changes.

For example, CryptoKit now supports HKDF and PEM/DER serialization for asymmetric key types, and the new 1.1.0 RC1 version of CryptoKit was released right after the Keynote. Yay! 🔐

Videos

There are a lot of security and privacy-related sessions this year! However, if you were to watch just one video about security, I’d recommend this one: Secure your app: threat modeling and anti-patterns.

Disclaimer: I haven't watched the videos I’m mentioning in this article yet, because at the time I’m writing, they’re not yet available. But their descriptions look very promising.

Privacy

Authentication

Car keys

Machine Learning

Permissions for photos, location, contacts

Networking

To wrap up

Oh, what a Keynote! Of course, I couldn’t mention all of the new security and privacy-related features in this article, and I’m looking forward to watching videos and learning new things during WWDC20.

Thank you, stay secure, use encryption! 🧡
