About the iOS 9 App Transport Security related instructions and adaptation

Source: Internet
Author: User

iOS 9 introduces App Transport Security (ATS), which mainly requires that requests originally made over plain HTTP now be carried over TLS 1.2. In effect, all HTTP traffic is forced onto HTTPS. Apple's original text reads as follows:

App Transport Security

App Transport Security (ATS) enforces best practices in the secure connections between an app and its back end. ATS prevents accidental disclosure, provides secure default behavior, and is easy to adopt; it is also on by default in iOS 9 and OS X v10.11. You should adopt ATS as soon as possible, regardless of whether you're creating a new app or updating an existing one.

If you're developing a new app, you should use HTTPS exclusively. If you have an existing app, you should use HTTPS as much as you can right now, and create a plan for migrating the rest of your app as soon as possible. In addition, your communication through higher-level APIs needs to be encrypted using TLS version 1.2 with forward secrecy. If you try to make a connection that doesn't follow this requirement, an error is thrown. If your app needs to make a request to an insecure domain, you have to specify this domain in your app's Info.plist file.

If we make a plain HTTP request directly on iOS 9, we receive the following error message:

App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file.

The system is telling us that the request cannot be made over plain HTTP, and that a new entry controlling ATS must be added to Info.plist:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

In this configuration, NSAppTransportSecurity is the root node of the ATS settings; its presence tells the system to use custom ATS behaviour. The NSAllowsArbitraryLoads node controls whether ATS is disabled: setting it to YES turns the ATS feature off entirely.

The configuration above is enough to make an existing app work on iOS 9, but if you want to follow Apple's criteria and keep your data more secure, read on.

In fact, ATS does not only restrict HTTP; it also imposes requirements on HTTPS connections. Taking Baidu's address as an example, if you request https://baidu.com from the app, you receive the following error message:

NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)

Checking the official documentation (https://developer.apple.com/library/prerelease/ios/technotes/App-Transport-Security-Technote/), we find that HTTPS requests need to meet the following requirements:

These are the App Transport Security requirements:

  • The protocol Transport Layer Security (TLS) must be at least version 1.2.

  • Connection ciphers are limited to those that provide forward secrecy (see the list of ciphers below.)

  • Certificates must use at least an SHA256 fingerprint with either a 2048 bit or greater RSA key, or a 256 bit or greater Elliptic-Curve (ECC) key.

According to the original description, the connection must first use the TLS 1.2 protocol. Second, the cipher negotiated for the connection must provide forward secrecy (I was not clear on what this means when writing, so curious readers should look it up; in short, the session key comes from an ephemeral key exchange such as ECDHE, so a later compromise of the server's long-term private key does not expose previously recorded traffic); the document lists the supported cipher suites (see the list below). Finally, the certificate must use at least an SHA256 fingerprint with either a 2048-bit or larger RSA key, or a 256-bit or larger ECC key. If any one of these conditions is not met, the request is interrupted and nil is returned.

Supported forward secrecy cipher suites

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

Let us look at Baidu's address again: open it in the browser and click the lock icon in front of the address.

You can see that it uses the TLS 1.2 protocol, which satisfies the first requirement. You can also see that AES_128_GCM is used for encryption and ECDHE_RSA as the key exchange mechanism, and we can find the two corresponding records in the forward secrecy list:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

But we are still not sure whether Baidu provides forward secrecy, so we open the certificate information and check the two fields "Issuer Name" and "Public Key Info".

The signature algorithm reads "SHA-1 with RSA Encryption", so the certificate does not meet the requirements listed above. Baidu therefore does not comply with the ATS requirements, which is why the error is returned. In this case, ATS must also be configured if the problem is to be resolved. The configuration is as follows:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>baidu.com</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSExceptionRequiresForwardSecrecy</key>
            <false/>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
</dict>

Here NSIncludesSubdomains set to YES means that Baidu's subdomains use the same settings. NSExceptionRequiresForwardSecrecy is set to NO because Baidu does not support forward secrecy, so that check is turned off for this domain. Finally, NSExceptionAllowsInsecureHTTPLoads set to YES allows access to a domain that has no certificate, or whose certificate is self-signed, expired, or does not match the hostname (Baidu's certificate seems to have none of those problems here, but you still need to set this key to allow access).
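As an added example (not code from the original post or from Apple), the following Python encodes the three ATS requirements and the per-domain exception keys discussed above, so the manual lock-icon check can be repeated for any observed connection. The Baidu observation is constructed from what the page reports; the 2048-bit RSA key size is an assumption, and NSExceptionMinimumTLSVersion is a key from the same Apple tech note that the page itself does not show.

```python
"""Added example, not from the original post: check what one reads off the
browser's lock-icon dialog against the three ATS requirements, then derive
the NSExceptionDomains keys this page uses to let the domain load."""

# Cipher suites ATS accepts as providing forward secrecy (list from the page).
ATS_FORWARD_SECRECY_CIPHERS = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
}
WEAK_SIGNATURE_HASHES = ("MD5", "SHA-1", "SHA1")  # below ATS's SHA-256 floor

def ats_failures(tls_version, cipher_suite, signature_algorithm, key_type, key_bits):
    """Return the ATS requirements an observed connection violates.
    tls_version is (major, minor), e.g. (1, 2); key_type is "RSA" or "ECC"."""
    failures = []
    if tls_version < (1, 2):                       # requirement 1: TLS >= 1.2
        failures.append("tls_version")
    if cipher_suite not in ATS_FORWARD_SECRECY_CIPHERS:  # requirement 2
        failures.append("forward_secrecy")
    min_bits = 2048 if key_type == "RSA" else 256  # requirement 3: cert strength
    weak_hash = signature_algorithm.upper().startswith(WEAK_SIGNATURE_HASHES)
    if weak_hash or key_bits < min_bits:
        failures.append("certificate")
    return failures

def exception_keys(failures):
    """Map failures to per-domain exception keys; {} means ATS-compliant."""
    keys = {}
    if failures:
        keys["NSIncludesSubdomains"] = True
    if "forward_secrecy" in failures:
        keys["NSExceptionRequiresForwardSecrecy"] = False
    if "certificate" in failures:
        # The page's workaround for a SHA-1 certificate: loosen trust evaluation.
        keys["NSExceptionAllowsInsecureHTTPLoads"] = True
    if "tls_version" in failures:
        # Key from the same Apple tech note; the page itself does not show it.
        keys["NSExceptionMinimumTLSVersion"] = "TLSv1.0"
    return keys

# Constructed observation matching what the page reads off Baidu's connection;
# the 2048-bit RSA key size is an assumption, not stated on the page.
BAIDU = dict(tls_version=(1, 2), cipher_suite="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
             signature_algorithm="SHA-1 with RSA Encryption", key_type="RSA", key_bits=2048)
```

For the Baidu observation only the certificate requirement fails, which matches the page's diagnosis and yields the NSExceptionAllowsInsecureHTTPLoads exception; the forward secrecy key is only needed when the negotiated cipher is outside the list.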
