User Privacy On IOS And OS X - Apple Developer

Transcription

Core OS
#WWDC14
User Privacy on iOS and OS X
Session 715
David Stites, Apple Product Security and Privacy
Katie Skinner, Apple Product Security and Privacy
© 2014 Apple Inc. All rights reserved. Redistribution or public display not permitted without written permission from Apple.

Agenda
- Privacy and Reputation
- Identifiers
- Privacy Changes and Features
- Prompting with Purpose
- Data Isolation
- Privacy Best Practices

Privacy and Reputation

Identifiers

Identifier APIs
- Application Identifier: [NSUUID UUID]
- Vendor Identifier: [[UIDevice currentDevice] identifierForVendor]
- Advertising Identifier: [[UIDevice currentDevice] identifierForAdvertising]

Identifier APIs: see “Protecting Your User’s Privacy”, WWDC 2013

Identifier APIs

                          Application ID     Vendor ID                     Advertising ID
Scope                     App                Developer                     Device
Lifetime                  Uninstall app      Uninstall developer’s apps    “Reset Advertising ID”
Backed Up                 Yes                Yes                           Yes
Restores Across Devices   Yes                No                            No

Advertising Identifier
- Be transparent about advertising practices
- Do not cache the Advertising ID: the ID can be changed via the “Reset Advertising ID” button in Settings > Privacy > Advertising
- The Advertising Identifier will be different every time the API is called for TestFlight apps

Limit Ad Tracking
- Limit Ad Tracking gives customers a choice in how advertising is served
- [[ASIdentifierManager sharedManager] advertisingTrackingEnabled]
- You are required to check the value of this property before using the Advertising Identifier
- Can be controlled by restrictions

Advertising Identifier: Limit Ad Tracking
- When the value of advertisingTrackingEnabled is NO, the advertising identifier is not permitted to be used to collect data for or serve targeted advertising

Advertising Identifier: Limit Ad Tracking
- When the value of advertisingTrackingEnabled is NO, the advertising identifier is only permitted to be used for the purposes enumerated in the iOS Program License Agreement:
  - Frequency capping
  - Attribution
  - Conversion events
  - Estimating the number of unique users
  - Fraud detection for advertising
  - Debugging for advertising
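One way to enforce the two rules above in code (check Limit Ad Tracking before every use, never cache the ID), as an added example that is not the session's code; the purpose enum and the parameter names are assumptions:

```objective-c
#import <AdSupport/AdSupport.h>

// Added example, not the session's code: one gate for every IDFA use.
// Purposes the session lists as still permitted under Limit Ad Tracking.
typedef NS_ENUM(NSInteger, AdIDPurpose) {
    AdIDPurposeTargetedAds,        // the one use that Limit Ad Tracking forbids
    AdIDPurposeFrequencyCapping,
    AdIDPurposeAttribution,
    AdIDPurposeConversionEvent,
    AdIDPurposeUniqueUserEstimate,
    AdIDPurposeFraudDetection,
    AdIDPurposeAdDebugging,
};

// Returns the IDFA for `purpose`, or nil when the user's choice forbids it.
// Deliberately re-reads the value on every call: the user can press
// "Reset Advertising ID" at any time, so a cached copy turns into a
// persistent identifier the user never agreed to.
static NSString *AdvertisingIdentifierForPurpose(AdIDPurpose purpose) {
    ASIdentifierManager *mgr = [ASIdentifierManager sharedManager];
    if (!mgr.advertisingTrackingEnabled && purpose == AdIDPurposeTargetedAds) {
        return nil;   // no targeting and no data collection for it
    }
    return [mgr.advertisingIdentifier UUIDString];
}

// Example: an ad request only carries the IDFA if targeting is allowed,
// and always tells the server the user's Limit Ad Tracking state.
static NSDictionary *AdRequestParameters(void) {
    NSMutableDictionary *params = [NSMutableDictionary dictionary];
    params[@"lat"] = @(![ASIdentifierManager sharedManager].advertisingTrackingEnabled);
    NSString *idfa = AdvertisingIdentifierForPurpose(AdIDPurposeTargetedAds);
    if (idfa) params[@"idfa"] = idfa;
    return params;
}
```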

Advertising Identifier
- In iTunes Connect, select how your app is using the Advertising Identifier:
  - Serve advertisements
  - Attribute app installation with previously served advertisement
  - Attribute an action taken to a previously served advertisement

iTunes Connect and Advertising Identifier (screenshots of the iTunes Connect form)

Privacy Changes and Features

Family Sharing
- There will be an increased number of accounts belonging to children
- Consider implications for your app under relevant laws, for example COPPA (Children’s Online Privacy Protection Act) in the United States

Related Session: Kids and Apps, Nob Hill, Thursday 3:15PM

MAC Address
- In iOS 8, Wi-Fi scanning behavior has changed to use random, locally administered MAC addresses for:
  - Probe requests (management frame sub-type 0x4)
  - Probe responses (management frame sub-type 0x5)
- The MAC address used for Wi-Fi scans may not always be the device’s real (universal) address

Safari Third Party Cookie Policy
- New setting to block all third party cookies, regardless of whether the user has visited a site previously
- Example: a foo.com iframe on apple.com won’t be able to read or write foo.com cookies

Safari Third Party Cookie Policy (screenshots of the Safari setting)

People Picker
- In iOS 8, the people picker has a new mode that doesn’t prompt the user for access to Contacts
- If your app already has access to Contacts, a reference to the selected contact is returned from the address book
- If your app does not have access, the selected contact is returned as a temporary copy
- Some of the iOS 7 people picker delegate methods may be deprecated in a future seed
- https://developer.apple.com/library/ios/people picker sample

People Picker: iOS 7 delegate methods and iOS 8 properties (code slides truncated in transcription)

Privacy Changes: understand the impact

Prompting with Purpose

Prompting with Purpose: design the experience
Five core principles for “prompting with purpose”:
- Consent
- Transparency
- Context
- Clarity
- Minimization

Prompting with Purpose: Consent

Prompting with Purpose: Transparency

Prompting with Purpose: Context
- Tie prompting to a user-initiated action

Prompting with Purpose: Clarity
- Distill the purpose of your request down to its essence
- Be concise but include sufficient detail

Prompting with Purpose: Minimization
- Only ask for what your application needs

Conveying Purpose
- All consent dialogs support purpose strings; highly encouraged
- One purpose string per data class (Location Services in iOS 8 supports two)
- Set in your app’s Info.plist; add localized versions in Localizable.strings
- Look for “Privacy—” keys and provide a value, e.g. “Privacy—Contacts Usage Description”

Conveying Purpose: Xcode (screenshots of the Info.plist editor)

New Purpose String Keys

Data Class                            Info.plist Key
Location                              (keys truncated in transcription)
Health Kit                            NSHealthKitUsageDescription
Motion Activity (available in iOS 7)  NSMotionActivityUsageDescription

Search for the Information Property List Key Reference in the Apple Developer Library for a complete list.
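An Info.plist fragment with purpose strings for the data classes discussed above, added here as an example that is not from the session; the app and the wording are hypothetical, and NSContactsUsageDescription and NSLocationWhenInUseUsageDescription are the raw keys behind the Xcode “Privacy—” display names:

```xml
<!-- Added example: one purpose string per data class (Location has two in iOS 8) -->
<key>NSContactsUsageDescription</key>
<string>Finds friends who already use the app so you can invite them.</string>
<key>NSLocationWhenInUseUsageDescription</key>
<string>Shows stores near you while you are using the app.</string>
<key>NSLocationAlwaysUsageDescription</key>
<string>Reminds you about a saved store when you arrive, even when the app is closed.</string>
<key>NSMotionActivityUsageDescription</key>
<string>Counts your steps to show your daily activity.</string>
```

Each string states the one purpose the feature needs, as the Clarity and Minimization principles ask; the keys sit inside the top-level dict of Info.plist.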

Privacy Settings

Directing Users to Settings
- Users may want to update their privacy settings
- New in iOS 8, your app can direct users directly to settings:

    [[UIApplication sharedApplication] …ngsURLString]];   (call truncated in transcription)

Your App's Privacy Settings


Data Isolation
- The OS mediates between application and data
- Transparent to the application
- Existing APIs trigger user consent; the application receives no data if denied

New and Updated Data Classes in iOS 8 (start of the list truncated in transcription)
- …Calendars
- Reminders
- Photos
- Bluetooth
- Microphone
- Camera (worldwide): Updated
- Motion Activity: Updated
- Health Kit: New
- Social (Facebook, Twitter, etc.)

Current Support on OS X (Data Class / Status; the status column was lost in transcription)
- Location
- Contacts
- Calendars
- Reminders
- Social (Facebook, Twitter, etc.)

New Support
- Applies to existing applications
- No resubmission, no recompilation
- Changes can improve user experience

Data Isolation on OS X

OS X
- Permission request is handled by the OS, e.g. the Address Book framework:

    [ABAddressBook sharedAddressBook]
    [[ABPerson alloc] init]

- The call blocks while permission is requested from the user; wrap it in a dispatch block
- Subsequent calls return immediately

OS X
- Granted access: populated object
- Denied access: nil return value
- For explicit data access, the permission request is handled by the OS: Sync Services, Spotlight, AppleScript
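The blocking call wrapped in a dispatch block, with the nil (denied) result handled rather than dereferenced, as an added example that is not the session's code; the helper names and the fallback message are assumptions:

```objective-c
#import <AddressBook/AddressBook.h>

// Added example, not the session's code: request Contacts access on OS X off
// the main thread, because +sharedAddressBook blocks until the user answers
// the consent dialog the first time it is called.

// Calls `handler` on the main queue with the address book, or nil when the
// user denied access (or a restriction prevents it).
static void LoadAddressBookAsync(void (^handler)(ABAddressBook *book)) {
    dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{
        // First call may block here while the OS shows the consent prompt;
        // later calls return immediately with the remembered decision.
        ABAddressBook *book = [ABAddressBook sharedAddressBook];
        dispatch_async(dispatch_get_main_queue(), ^{
            handler(book);   // nil means denied: degrade, do not crash
        });
    });
}

// Example caller: count people, but tolerate a nil (denied) address book.
static void ShowContactCount(void (^display)(NSString *message)) {
    LoadAddressBookAsync(^(ABAddressBook *book) {
        if (book == nil) {
            display(@"Contacts access is off. You can enable it under "
                    @"System Preferences > Security & Privacy > Privacy.");
            return;
        }
        NSUInteger count = [[book people] count];
        display([NSString stringWithFormat:@"%lu contacts", (unsigned long)count]);
    });
}
```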

OS X Sandbox
- Sandboxed apps require entitlements
- If permissions change, the system may SIGKILL your app
- Build with only the entitlements your app needs

Related Session: A Practical Guide to the App Sandbox, WWDC 2012

OS X: App Sandbox in Xcode (screenshots of the capabilities editor)

Data Isolation on iOS

iOS
- Participation in the App Sandbox is required
- Initial access will return asynchronously
- Data is returned to a block or via a delegate call
- Need to handle change notifications

New APIs in iOS

Data Type    System Authorization Support
Location     -[CLLocationManager requestAlwaysAuthorization]
             -[CLLocationManager requestWhenInUseAuthorization]
Photos       -[[PhotoKit alloc] init]
Camera       -[AVCaptureDeviceInput deviceInputWithDevice:error:]
Health Kit   -[HKHealthStore …:] (selector truncated in transcription)

Location Services in iOS 8
- Location Services supports two different modes of updating device location: “When In Use” and “Always”
- Depending on which versions of iOS you target, you may need additional logic

Example prompts shown on the slide:
  “Allow “Reminders” to Access Your Location While You Use the App? Reminders that alert you when you arrive or leave need access to your location.” [Don’t Allow] [Allow]
  “Allow “Weather” to Access Your Location Even When You Are Not Using the App? Your location is used to show local weather in the “Weather” app and in Notification Center.” [Don’t Allow] [Allow]

Location Services in iOS 8: “When In Use”
- (method and key names truncated in transcription)
- Privacy-friendly mode
- Cannot update location in background
- No access to region monitoring, Significant Location Change or Visits API
- Double height status bar

Location Services in iOS 8: “Always”
- -[CLLocationManager …rization] (selector truncated in transcription; listed in full in the “New APIs in iOS” slide)
- NSLocationAlwaysUsageDescription
- Increased privacy impact for the user
- App can start accessing location data in background
- App has access to region monitoring, SLC and Visits API
- Default mode for applications linked to iOS 7 or prior
- iOS will occasionally re-prompt the user for access to location

Location Services in iOS 8
- NSLocationUsageDescription: deprecated
- New keys: NSLocation…eDescription (name truncated in transcription), NSLocationAlwaysUsageDescription

Location Services in iOS 8

    CLLocationManager *manager = [CLLocationManager sharedManager];
    [manager startUpdatingLocation];

Location Services in iOS 8

    CLLocationManager *manager = [CLLocationManager sharedManager];
    if ([manager …rization)]) {          // condition truncated in transcription
        [manager startUpdatingLocation];
    } else {
        [manager requestWhenInUseAuthorization];
    }

Location Services in iOS 8

    CLLocationManager *manager = [CLLocationManager sharedManager];
    if ([manager …rization)]) {          // condition truncated in transcription
        [manager startUpdatingLocation];
    } else {
        [manager requestAlwaysAuthorization];
    }

Location Services in iOS 8: comparison of iOS 7, “When In Use” and “Always” (the slide’s checkmarks were lost in transcription)
- Triggers user consent dialog
- Access to region monitoring, SLC & Visits API
- Can start accessing device location in the background
- iOS presents double height status bar
- App receives authorization status callbacks
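A complete authorization flow for the three cases above that also covers the earlier “Directing Users to Settings” slide and the later “Failing Gracefully” one, as an added example that is not the session's code. It differs from the slides in using alloc/init (CLLocationManager has no sharedManager), and it assumes the iOS 8 constant UIApplicationOpenSettingsURLString; the controller class, the onUnavailable block and the needsBackground flag are assumptions:

```objective-c
#import <CoreLocation/CoreLocation.h>
#import <UIKit/UIKit.h>

// Added example, not the session's code: alloc/init instead of the slides'
// sharedManager, plus the iOS 8 UIApplicationOpenSettingsURLString deep link.
@interface LocationController : NSObject <CLLocationManagerDelegate>
@property (nonatomic, strong) CLLocationManager *manager;
// Called when location cannot be used; YES means the user can fix it in Settings.
@property (nonatomic, copy) void (^onUnavailable)(BOOL canFixInSettings);
@end
@implementation LocationController
- (instancetype)init {
    if ((self = [super init])) {
        _manager = [[CLLocationManager alloc] init];
        _manager.delegate = self;
    }
    return self;
}
// Minimization: ask for "When In Use" unless the feature really needs
// background updates (region monitoring, SLC, Visits). Authorization is
// asynchronous, so the result arrives in the delegate callback below.
- (void)startNeedingBackground:(BOOL)needsBackground {
    CLAuthorizationStatus status = [CLLocationManager authorizationStatus];
    if (status != kCLAuthorizationStatusNotDetermined) {
        [self locationManager:self.manager didChangeAuthorizationStatus:status];
    } else if (![self.manager respondsToSelector:@selector(requestWhenInUseAuthorization)]) {
        [self.manager startUpdatingLocation];          // iOS 7: prompt is implicit
    } else if (needsBackground) {
        [self.manager requestAlwaysAuthorization];     // NSLocationAlwaysUsageDescription
    } else {
        [self.manager requestWhenInUseAuthorization];  // NSLocationWhenInUseUsageDescription
    }
}
- (void)locationManager:(CLLocationManager *)manager
didChangeAuthorizationStatus:(CLAuthorizationStatus)status {
    if (status == kCLAuthorizationStatusAuthorizedAlways ||
        status == kCLAuthorizationStatusAuthorizedWhenInUse) {
        [manager startUpdatingLocation];
    } else if (status == kCLAuthorizationStatusDenied) {       // user said no
        if (self.onUnavailable) self.onUnavailable(YES);
    } else if (status == kCLAuthorizationStatusRestricted) {   // enterprise/parental
        if (self.onUnavailable) self.onUnavailable(NO);        // Settings cannot help
    }
}
@end

// Wire this to the button shown when onUnavailable(YES) fires.
static void OpenAppPrivacySettings(void) {
    NSURL *url = [NSURL URLWithString:UIApplicationOpenSettingsURLString];
    [[UIApplication sharedApplication] openURL:url];
}
```

The Denied and Restricted branches are kept separate on purpose: a restricted device cannot be fixed from Settings, so offering the link there would only confuse the user.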

Related Session: What’s New in Core Location, Marina, Tuesday 2:00PM

Camera

    AVCaptureSession *captureSession = [[AVCaptureSession alloc] init];
    NSError *error;
    AVCaptureDevice *camera = [AVCaptureDevice …TypeVideo];   // call truncated in transcription
    AVCaptureDeviceInput *captureInput = [AVCaptureDeviceInput deviceInputWithDevice:camera
                                                                               error:&error];
    if (captureInput) {
        [captureSession addInput:captureInput];
        // handle success, video input stream should be live
    } else {
        // handle failure
    }

Health Kit: reading data

    if ([HKHealthStore isHealthDataAvailable]) {
        HKHealthStore *hs = [[HKHealthStore alloc] init];
        HKObjectType *hrt = [HKObjectType …ypeIdentifierHeartRate];   // call truncated in transcription
        [hs requestAuthorizationToShareTypes:nil
                                   readTypes:[NSSet setWithObject:hrt]
                                  completion:^(BOOL success, NSError *error) {
            if (success) {
                // attempt to query the datastore
            } else {
                // handle the failure
            }
        }];
    }

Health Kit: writing data

    HKAuthorizationStatus status = [hs authorizationStatusForDataType:hrt];
    if (status == HKAuthorizationStatusNotDetermined) {
        // need to prompt here
    } else if (status == HKAuthorizationStatusSharingAuthorized) {
        // attempt to modify data store
    } else {
        // handle failure
    }

Health Kit: writing data

    [hs saveObject:hkObject withCompletion:^(BOOL success, NSError *error) {
        if (success) {
            // save the object
        }
    }];

    [hs deleteObject:hkObject withCompletion:^(BOOL success, NSError *error) {
        if (success) {
            // delete the object
        }
    }];

Testing
- Just run your app
- Test on device: the Simulator supports a subset of data classes
- Apps can only trigger the prompt once; to reset:
  - Settings > General > Reset > Reset Location & Privacy on iOS
  - tccutil(1) on OS X

Test All Cases
- Permission being sought and denied
- Permission being sought and granted

Failing Gracefully
- iOS APIs help your app fail gracefully when your data access request is denied
- Code should be resilient to lack of data returned
- Send users to Settings
- Restrictions can prevent users from changing privacy settings: enterprise and on-device restrictions

Restrictions (screenshots of the Restrictions settings)

iOS Sample Code
- Available on the iOS Developer Library today: “Checking and Requesting Access to Data Classes in Privacy Settings”, …plecode/PrivacyPrompts/ (URL truncated in transcription)

Privacy Best Practices

Privacy Best Practices
- Transparency
- Data collection techniques
- Avoid fingerprinting
- Data protection

Transparency
- Give the user the opportunity to inspect data: crashes, data stores, logging

Transparency: privacy policy
- Important for all apps to have one; required for some app categories:
  - Apps that link against HealthKit
  - Apps that link against HomeKit
  - Third party keyboards
  - Kids
- Can submit a link to Apple in iTunes Connect
- Link visible on the App Store

Privacy Policy: iTunes Connect (screenshots of the app’s iTunes Connect page)
Field help text shown in the screenshot: “A URL that links to your company’s privacy policy. Privacy policies are recommended for all apps collecting user or device related data, and required for apps that offer auto-renewable or free subscriptions, or as otherwise required by law.”

Privacy Policy: App Store (screenshot of the privacy policy link on an App Store page)

Data Collection

Data Collection
- All data collection reduces privacy to some extent; this does not imply all collection is bad/evil/wrong/misguided
- Weigh the positives of your collection against the negatives
- True both for apps and servers
- Holding on to rich data has risks

Data Collection: Minimize

Data Collection Techniques: see “Protecting Your User’s Privacy”, WWDC 2013

Fingerprinting
- A collection of data that forms a unique, persistent “fingerprint” for a specific user or device
- Does not need to be personal information
- Easy to do accidentally

Slide animation: an initial user population is narrowed by each attribute in turn until one user (“Alice”) remains:
- OS X Yosemite installed
- Screen resolution 1920x1280
- PST timezone
- Java installed
- Cookies enabled
- Flash 11.8.800.128
- User-Agent Safari OS X Yosemite
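As an added illustration that is not from the session, the narrowing on the slide can be put into numbers: each attribute value shared by a fraction p of users contributes about -log2(p) bits, and the bits add up. The population fractions below are constructed, not measured, and the function names are assumptions:

```objective-c
#import <Foundation/Foundation.h>
#import <math.h>

// Added example, not from the session. Bits of identifying information
// carried by one attribute value that a fraction `p` of users share: -log2(p).
static double BitsForFraction(double p) {
    return (p <= 0.0 || p > 1.0) ? 0.0 : -log2(p);
}

// Sum over attributes, treating them as independent. Correlated attributes
// (Safari on Yosemite already implies a Mac) make this an overestimate, but
// the order of magnitude is what matters when deciding what to collect.
static double TotalBits(NSDictionary *fractionByAttribute) {
    double bits = 0.0;
    for (NSString *name in fractionByAttribute) {
        bits += BitsForFraction([fractionByAttribute[name] doubleValue]);
    }
    return bits;
}

// Bits needed to single out one person in a population of `n`.
static double BitsToIdentifyOneOf(double n) { return log2(n); }

// Constructed fractions for the slide's attributes (illustrative, not measured).
static NSDictionary *SlideAttributeFractions(void) {
    return @{ @"OS X Yosemite installed":     @0.05,
              @"Screen resolution 1920x1280": @0.03,
              @"PST timezone":                @0.06,
              @"Java installed":              @0.30,
              @"Cookies enabled":             @0.90,
              @"Flash 11.8.800.128":          @0.02,
              @"User-Agent Safari/Yosemite":  @0.05 };
}

// With the constructed values this reports roughly 25 bits, i.e. one in about
// 40 million: a handful of "harmless" settings is already close to the ~33
// bits (log2 of the world population) that single out one person on Earth.
static NSString *FingerprintReport(void) {
    double bits = TotalBits(SlideAttributeFractions());
    return [NSString stringWithFormat:@"%.1f bits, ~1 in %.0f", bits, pow(2.0, bits)];
}
```

Running the same sum over the attributes an app or server actually logs (device model, OS build, locale, screen size, font list) is a quick way to notice when an “anonymous” analytics record has quietly become an identifier.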

Data Protection
- Store important application credentials in the keychain; make a conscious decision whether the data will be synchronized among devices
- Encrypt client-server communication using Transport Layer Security (TLS)
- Use Data Protection for the data your application stores to disk
- Local Authentication Framework

Summary
- Test to understand the impact of the privacy related changes
- Prompt users well by designing the experience and utilizing purpose strings
- Consider new and updated data classes, such as Core Location and HealthKit
- Submit a privacy policy link to the App Store
- Maintain your reputation by thinking through privacy implications in your design

More Information
- Paul Danbold, Core OS Technologies Evangelist, danbold@apple.com
- Sample Code: “Checking and Requesting Access to Data Classes in Privacy Settings”, …mplecode/PrivacyPrompts/ (URL truncated in transcription)
- People Picker sample, …le picker sample (URL truncated in transcription)

More Information
- Documentation: “Best Practices for Maintaining User …” (title and URL truncated in transcription), …ide/AppDesignBasics/AppDesignBasics.html
- Apple Developer Forums: http://devforums.apple.com

Related Sessions
- What’s New in Core Location: Marina, Tuesday 2:00PM
- Keychain and Authentication with Touch ID: Nob Hill, Wednesday 10:15AM
- Kids and Apps: Nob Hill, Thursday 3:15PM
- Protecting Your User’s Privacy: WWDC 2013
- Protecting User’s Data: WWDC 2013
- A Practical Guide to the App Sandbox: WWDC 2012

Labs
- Security and Privacy Lab: Core OS Lab B, Thursday 3:15PM
