IOS App Transprot Security

With the release of iOS 9 and OS X EI Capitan, Apple officially introduced the concept of applying the communication security model. In short, the application communication security model requires that applications require the use of the best secure communication protocols, such as the TLS 1.2 version and the forward secrecy technology. In the near future, Apple will also update these best practices to ensure that they are at the forefront of the trend to secure network data.

After iOS 9 and OS X EI caption, ATS is turned on by default when using Nsurlsession. Unfortunately, for most developers, this would mean a big change in their development based on the new version of the operating system. The good news is that Apple has provided some optional configuration options to decide whether to turn on ATS mode, which is either on or off.

Developers can not use ATS for certain URLs, which requires nsexceptiondomains to be tagged in info.plist in the project. In the Nsexceptiondomains dictionary, you can explicitly specify a number of URLs that do not use ATS. Examples of these you can use are:

-Nsincludessubdomains

-Nsexceptionallowinsecurehttploads

-Nsexceptionrequiresforwardsecrecy

-Nsexceptionminimumtlsversion

-Nsthirdpartyexceptionallowsinsecurehttploads

-Nsthirdpartyexceptionminimumtlsversion

-Nsthirdpartyexceptionrequiresforwardsecrecy

These keywords allow us to set more granular settings for disabling ATS or some special ATS options for domain names that do not use ATS.

* * In the beta1 version of iOS 9, the above keywords are wrong and should use the following keywords: * *

-Nstemporaryexceptionallowsinsecurehttploads

-Nstemporaryexceptionrequiresforwardsecrecy

-Nstemporaryexceptionminimumtlsversion

-Nstemporarythirdpartyexceptionallowsinsecurehttploads

-Nstemporarythirdpartyexceptionminimumtlsversion

-Nstemporarythirdpartyexceptionrequiresforwardsecrecy

These keywords will definitely be replaced in the near future. If you can, you should use the first set of keywords, because Apple officially supports these keywords. Although you are using temporary keywords, it should still be available in future beta releases.

Here are some of the things developers might encounter during the development process.

Example 1 ATS is used in all cases

This is the simplest case. The only thing that needs to be done is to use nsurlsession. If your development goal is iOS 9 or OS X EI Capitan, ATS best practices will be applied to all nsurlsession-based networks.

Example 2 except for special cases, all use ATS

If you want all of your domain names, except for some that are known to not use ATS, all communications use ATS. In this case you can specify some special cases that do not use ATS, while others use ATS. For this scenario, you can use *nsexceptiondomains* to identify the domain that uses the ATS default settings. To filter out all domains or subdomains, you can create a dictionary that contains a URL that you want to exclude using ATS, and then set the value of *nsexceptionallowinsecurehttploads* to true. If you want to completely disable ATS for these domains, you can also specify more rules to limit, such as using the *nsexceptionrequiresforwardsecrecy* and *nsexceptionminimumtlsversion* keywords.

Example 3 ATS are not used except in special cases

In contrast to the previous example, you might want to use ATS in a domain that you explicitly know is supported. For example, if you are developing a Twitter client, you may need to have a hard-to-count URL that might not support ATS to load, but you want the network condition to be consistent with other requests to initiate a login request and request a Twitter server. In this case, you can set the Disable ATS as the default option, and then specify the URL that you want to use for ATS.

In this case, you need to set *nsallowarbitraryloads* to True, and then define the URLs in the *nsexceptiondomains* dictionary that require security. Each domain that needs to ensure security needs to have its own dictionary, and the *nsexceptionallowinsecurehttploads* option in the dictionary needs to be set to false.

Example 4 low-level ATS

In some cases, ATS may be used in all cases, or some, or its own URLs, but it is not fully supported for all ATS best practices. Perhaps your application server only supports TLS1.2, but it does not support the later version, so instead of setting all the domains involved to use ATS, it is better to set up to support the lower version of ATS. In this scenario, you need to create a *nsexceptiondomains* dictionary, which is a dictionary option to reuse for each domain, and then set the *nsexceptionrequiresforwardsecrecy* value to False. Similarly, if you want forward support, but require a minimum version of TLS, you can define the TLS version that your application server supports with the *nsexceptionminimumtlsversion* keyword.

Example 5 nsa-friendly mode

If you want to completely not use ATS (this mode is not recommended, and you need to fully understand its hidden dangers.) You can set the *nsallowarbitraryloads* property to True in Info.plist.

Third-party key values

You may notice that some keywords are using words in some other keywords but preceded by the words "thirdparty":

-Nsthirdpartyexceptionallowsinsecurehttploads

-Nsthirdpartyexceptionminimumtlsversion

-Nsthirdpartyexceptionrequiresforwardsecrecy

Functionally, these keywords have the same effect as keywords that do not contain "thirdparty". And the code that is called in the actual run will completely ignore the use of the "thirdparty" keyword. You should use the keywords that apply to your scene without worrying too much about them.

Certificate Transparency

Although the majority of ATS security features are available by default, Certificate Transparency must be set. If you have a certificate that supports certificate Transparency, you can check the Nsrequirescertificatetransparency keyword to use certificate Transparency. Again, if your certificate does not support certificate Transparency, this entry needs to be set to not be available.

If you need to debug some of the problems caused by using ATS, you need to set Cfnetwork_diagnostics to 1, which will print out the Nsurlsession error message including the URL accessed and the ATS error. Be sure to handle all the error messages you encounter in order to make ATS easier to improve reliability and scalability.

All of the above information is reflected in WWDC nsurlsession session . Finally, Apple emphasizes the need to escalate all the problems in the development process and to keep a close eye on possible changes in future beta releases.

Adaptation IOS9 new features: http://www.leiphone.com/news/201509/sLMiLyOsK3qzhkRJ.html

IOS App Transprot Security