Everyone is talking about the changes in MDM or the keynote, but I wanted to take some time to hit on a few sessions that are especially important to UEM engineers and architects to share some information that could make a huge difference. We’re going to cover sessions about security, the new SSO frameworks, networking, and app background refresh to name a few. I think you are going to find it to be very interesting.
Sign in with Apple
Apple has put a major emphasis on privacy and security in 2019. One of the ways they are doing that is with “Sign in with Apple,” which is very interesting as a platform. Apple will deliver the user’s full name, email address, and an identifier to applications supporting Sign in with Apple so they can create accounts and log users in easily. They have eliminated the traditional account-creation step and use a powerful API set to let application developers capitalize on Apple’s account infrastructure to grant users access to their apps.
Apple has delivered on a few major pillars of security to build trust for their application partners:
- Verified Email Address
- Multi-factor Authentication
- On-device intelligence powering an anti-fraud engine that tells the application whether the person signing in is a trusted user or an unknown one
Apple is making the onboarding very simple with some basic code to invoke the Sign in with Apple button and handle the authentication events. Apple’s frameworks deliver a clean array containing both iCloud Keychain-saved accounts and Sign in with Apple, putting the choice back in the user’s hands. Application vendors no longer need to present convoluted account-creation forms, which pays off in user experience.
They take their API a step further by letting applications monitor for state changes and other events that affect the current state of the user’s login. This eliminates errors by setting the expectation that applications will check the state of the user’s account before presenting any unnecessary prompts. Apple has presented some best practices to application developers to make people feel safer and to protect their loyal users:
- Only Require Account Setup if Necessary
- Use as little user information as possible
- Respect the email address shared by the user
- Check for Existing Accounts
- Leverage the APIs
- Implement Cross Platform for a User-Focused Experience
- Use the Real User Indicator to Protect your Users
What’s New in Authentication
Apple is completely rethinking how the authentication stack should work on their platform. Their strategy centers on a new requirement: any application on their platform that offers a third-party “log in with” option for Google, Facebook, etc. MUST now also support Sign in with Apple ID, as mentioned earlier.
Apple is also furthering their strategy by telling you when your passwords for supported websites are insecure and seamlessly directing you to the application’s change-password screen. They’re extending Password AutoFill to macOS and iPadOS. It was refreshing to see that they will enable macOS biometrics as part of this workflow so Touch ID can authenticate you. Similarly, they now support USB security keys on macOS to raise the security of the ever-evolving macOS platform. One other point is that they will be bringing OAuth support with their recently announced SSO framework.
Introducing iPad Apps for Mac
Feature parity has been a major challenge for Apple for a long time. One of those areas was a suite of apps available on iOS but not on macOS. Apple will be making it easy for developers to extend iPad apps to the Mac for the first time. They’ve unified many of the user interface (UI) components so that iPad apps work very similarly to macOS apps.
Apple recommends that developers bring iPad apps to the Mac for one of two reasons: (1) the application is not available on macOS, or (2) to refresh a legacy Mac app because of its age or for feature parity. Some apps aren’t good candidates because they are iPhone-only or built on mobile-centric features.
Apple has made it very easy to migrate applications, and it works similarly to Cordova apps. It’s an iPad app on the inside, but it looks just like a Mac application. You just need to open Xcode (the Apple development platform) and add the Mac deployment target, and it will automatically make most of the changes that you need. You might need to exclude some unsupported frameworks, but the Xcode UI makes it very easy to debug. Many of the iOS features will translate over, but your success depends on delivering the same look and feel as your other Mac apps. You just need to do your homework and update the small items like encryption and app icons, but the effort is minimal.
Cryptography and your Apps
Security is always an afterthought at WWDC. They made some nice announcements this week that will make a real difference. There is a lot of focus on reminding people about the best practices they have been preaching for the last 5-6 years. In Catalina, you can now use Apple Watch to authenticate to websites. Apple is focusing on empowering users and enhancing security together.
Developers can now leverage a private database in iCloud to encrypt and share files and data between devices and users. Apple introduced a new framework for cryptography that raises the security posture and is substantially more efficient. It supports these algorithms:
- Hash (SHA-256, 384, 512)
- Symmetric Key (AES-GCM)
- Signatures (P-256, P-384, P-512)
One of their biggest announcements was the release of a unified API for encryption and authentication, which helps eliminate many of the most popular types of attacks. They also continue to remind developers that they can leverage Apple’s Secure Enclave to store their private keys for higher levels of protection. Apple now touts that their new framework (CryptoKit) can mitigate and possibly eliminate many of the popular attacks present today:
- Unknown Key Share
- Signature Substitution
- Known Key Attack
- Key Re-use
- Replay Attack
- Key Compromise Impersonation
- Related Key Attacks
- Compression Attack
- Birthday Attack
One thing they surprisingly didn’t mention is that in iOS 13 and Catalina they have fully deprecated SHA-1 as referenced here: https://support.apple.com/en-us/HT210176
The new Apple guidelines for server certificates are:
- Certificate keys must be at least 2048 bits
- Issuing CAs must sign with a SHA-2 hash, as SHA-1 is no longer trusted
- The DNS name must be in the Subject Alternative Name (SAN) extension, or the certificate will no longer work in iOS 13
Additionally, TLS server certificates issued after July 1, 2019 must:
- Contain an Extended Key Usage (EKU) extension with the id-kp-serverAuth OID
- Have a validity period of under 825 days
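A compliance check for these rules is something a UEM engineer can run against their MDM or proxy certificates before the iOS 13 upgrade lands. The following Go program is an added example written for this post, not Apple’s code or an Apple tool: it encodes the rules above as a function over a parsed certificate and exercises it on two self-signed certificates constructed inline (one compliant, one breaking four rules at once). Two assumptions are labelled in the comments: the certificate’s NotBefore date stands in for its issuance date when deciding whether the post-July-2019 rules apply, and the 2048-bit rule is treated as an RSA key-size rule that ECDSA keys pass. The validity check uses Apple’s published limit of 825 days or fewer.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// policyCutoff is the date after which the EKU and 825-day rules apply.
var policyCutoff = time.Date(2019, time.July, 1, 0, 0, 0, 0, time.UTC)

// sha2Algorithms are the signature algorithms built on a SHA-2 digest.
var sha2Algorithms = map[x509.SignatureAlgorithm]bool{
	x509.SHA256WithRSA: true, x509.SHA384WithRSA: true, x509.SHA512WithRSA: true,
	x509.SHA256WithRSAPSS: true, x509.SHA384WithRSAPSS: true, x509.SHA512WithRSAPSS: true,
	x509.ECDSAWithSHA256: true, x509.ECDSAWithSHA384: true, x509.ECDSAWithSHA512: true,
}

// CheckServerCert returns one finding per rule the certificate violates;
// an empty result means the certificate passes every rule.
func CheckServerCert(cert *x509.Certificate) []string {
	var findings []string

	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		if pub.N.BitLen() < 2048 {
			findings = append(findings, fmt.Sprintf("RSA key is %d bits; at least 2048 required", pub.N.BitLen()))
		}
	case *ecdsa.PublicKey:
		// Assumption: the 2048-bit rule is an RSA key-size rule, so ECDSA keys pass it.
	default:
		findings = append(findings, "unsupported public key type")
	}

	// The leaf's signature algorithm is the hash the issuing CA used to sign it.
	if !sha2Algorithms[cert.SignatureAlgorithm] {
		findings = append(findings, "signature does not use SHA-2: "+cert.SignatureAlgorithm.String())
	}

	if len(cert.DNSNames) == 0 {
		findings = append(findings, "no DNS name in the Subject Alternative Name extension")
	}

	// Assumption: NotBefore stands in for the issuance date.
	if cert.NotBefore.After(policyCutoff) {
		hasServerAuth := false
		for _, eku := range cert.ExtKeyUsage {
			if eku == x509.ExtKeyUsageServerAuth {
				hasServerAuth = true
			}
		}
		if !hasServerAuth {
			findings = append(findings, "EKU extension lacks id-kp-serverAuth")
		}
		if cert.NotAfter.Sub(cert.NotBefore) > 825*24*time.Hour {
			findings = append(findings, "validity period exceeds 825 days")
		}
	}
	return findings
}

// makeCert self-signs a certificate from the given parameters so the checker
// can be exercised offline; these are constructed test certificates, not real ones.
func makeCert(key crypto.Signer, alg x509.SignatureAlgorithm, dnsNames []string,
	ekus []x509.ExtKeyUsage, notBefore time.Time, days int) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(1),
		Subject:            pkix.Name{CommonName: "mdm.example.test"}, // constructed name
		NotBefore:          notBefore,
		NotAfter:           notBefore.Add(time.Duration(days) * 24 * time.Hour),
		DNSNames:           dnsNames,
		ExtKeyUsage:        ekus,
		SignatureAlgorithm: alg,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// GoodCert meets every rule: P-256 key, SHA-256 signature, SAN, serverAuth EKU, 398-day validity.
func GoodCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return makeCert(key, x509.ECDSAWithSHA256, []string{"mdm.example.test"},
		[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		time.Date(2020, time.January, 1, 0, 0, 0, 0, time.UTC), 398)
}

// BadCert breaks four rules at once: 1024-bit RSA key, no SAN, no EKU, three-year validity.
func BadCert() (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 1024)
	if err != nil {
		return nil, err
	}
	return makeCert(key, x509.SHA256WithRSA, nil, nil,
		time.Date(2020, time.January, 1, 0, 0, 0, 0, time.UTC), 1095)
}

func main() {
	for _, c := range []struct {
		name  string
		build func() (*x509.Certificate, error)
	}{{"good", GoodCert}, {"bad", BadCert}} {
		cert, err := c.build()
		if err != nil {
			fmt.Println(c.name, "build error:", err)
			continue
		}
		fmt.Printf("%s: %v\n", c.name, CheckServerCert(cert))
	}
}
```

To use it on a real server, replace the constructed certificates with the leaf parsed from a `tls.Conn`’s `ConnectionState().PeerCertificates[0]`; the checker itself needs no changes.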
Advances in App Background Execution
Running apps in the background on iOS has been a sore spot for years. Simply put, the CPU monitor tends to shut down apps that we wish it wouldn’t, and it hasn’t exactly been kind to us. With background execution, we worry about power consumption, performance, and the privacy aspects of background execution.
Apple recommends several best practices depending on the use case. These recommendations are based on what users expect, e.g. messages should send immediately, and voice notifications should be for calls that are actually real and not make-believe. We also need to account for things like downloading older content, which people don’t care about immediately, and how muted conversations are handled. Simply put, things continue to become more complex by the moment. Apple is introducing a major advancement in iOS 13 called Background Tasks. It’s going to be a huge deal! Background Tasks lets your application schedule tasks that happen while the device is locked. It will even close the application after the tasks are complete to handle things in the most optimal way possible.
Advances in Networking
The network is a fickle thing. When it works, it’s crickets, and when it doesn’t, it’s WORLD WAR 3! Apple is introducing some nice improvements over the much-maligned Wi-Fi Assist. Apple is introducing “Low Data Mode,” a new mode that reduces data usage by disabling some features like Background App Refresh and discretionary tasks. Developers can also get creative by enhancing their code to account for Low Data Mode and deliver an optimal user experience. Developers can leverage the constrained and expensive properties to write more effective code.
The thing I am probably the most excited about on the network stack is the introduction of WebSockets in iOS 13. Developers can now update content live without having to refresh applications by essentially keeping an open socket that listens for new messages. WebSockets are one of the great modernizations of the HTTP stack, and this was overdue. It comes on the heels of introducing HTTP/2 and TLS 1.3 for iOS in the last few years.
Wi-Fi Assist has become much smarter in iOS 13. Wi-Fi assist now talks to the Apple network frameworks for analytics to make intelligent decisions on whether your device should be using Wi-Fi or cellular. This has been too subjective since its release and now it’s finally using its “brain.” Multipath was the last of the major announcements. Multipath is a huge step-up for their networking stack. Apple is touting several performance improvements from multipathing like improved stability for Apple Maps and reduction in stalling from Apple Music.
Bonjour can be a bit painful at times with Apple. You have DNS behavior that can be a little bit blah and reliability has been an issue. Apple is introducing their discovery proxy which communicates back to the device and to the endpoint to deal with these issues. Apple does also mention a few recommendations like being careful how you handle the domain. Apple is introducing framing protocols for their network stack, which help provide context to your network calls. You can deliver configurations via key-value pairs (KVPs) within your TCP stack to customize your send operations to provide context.
In addition, Apple is introducing improvements to their analytics. Any network person will tell you that additional data is always a great thing! A huge deal that they mentioned here first is that applications can no longer capture Wi-Fi information about your device without location services enabled, which is a nice step in the right direction to protect your privacy. One final feature they have me very excited about is optimistic DNS enabled by default. Now, your iOS device will try to connect to a site with the result of its last DNS query and then simultaneously send a DNS query. If it returns a new address, it will connect to that, which is a big help for users everywhere.
Apple ends their two-hour love affair with networking with some very good best practices, which are usually my favorite part:
- iPad Apps for Mac must enable incoming server connections
- Start using rules for network reachability called constraints
- Move toward TLS 1.3
iOS is going to be a very exciting platform in 2019. I cannot wait to get started with these BETAs! Make sure you go to Apple Seed and sign up for the public BETA so you can be at the forefront of one of the bigger facelifts we have seen over the last few years. It’s time for us to elevate our game and prove that we can take advantage of the impressive changes that Apple will be releasing in September (presumably). I want to see what you guys do with it, because I have so many ideas myself and hope my friends at VMware push them to the limits!