Oct 31, 2016

Short answer: more or less, yes.

Caveat: Google, Mozilla and Microsoft each have differing WA implementations. For Chrome, WebAssembly gets fed into the V8 TurboFan JIT:

https://ia601208.us.archive.org/16/items/vmss16/titzer.pdf

JITs are a security hole. In particular, Apple won't allow your JIT on their iOS. They've only just recently allowed you to use their Core JIT on iOS:

https://www.blackhat.com/docs/us-16/materials/us-16-Krstic.p...

What you can do to TurboFan inside of the Chrome sandbox, you could probably do with WA.

Oct 06, 2016

Cloud Key Vault (formerly iCloud Keychain) is probably the most sophisticated service that Apple or any cloud vendor offers. More details are here: https://www.blackhat.com/docs/us-16/materials/us-16-Krstic.p... Apple set the bar pretty high with their implementation.

If it's now on by default for storing ssh-key passphrases, it shows that Apple thinks it's blinded everyone except you, enough, that they can store it safely.

Sep 07, 2016

I found the talk (though I don't pretend to understand it all); video & slides are online if others are interested.

Behind the Scenes with iOS Security

Abstract - https://www.blackhat.com/us-16/briefings.html#behind-the-sce...

Slides - https://www.blackhat.com/docs/us-16/materials/us-16-Krstic.p...

Video - https://www.youtube.com/watch?v=BLGFriOKz6U