About the IOS9 app Transport security related instructions and adaptation

Source: Internet
Author: User

IOS9 new app Transport Security (ATS) features, mainly to the original request when the use of HTTP, all to the TLS1.2 protocol for transmission. This also means that all HTTP protocols are forced to use the HTTPS protocol for transmission. The original text reads as follows:

APP Transport Security

app Transport Security (ATS) enforces best practices in the secure connections between a App and its back end. ATS prevents accidental disclosure, provides secure default behavior, and is easy to adopt; It is also on by default in IOS 9 and OS X v10.11. You should adopt ATS as soon as possible, regardless of whether you ' re creating a new app or updating an existing one.

If you ' re developing a new app, you should use HTTPS exclusively. If you had an existing app, you should use HTTPS as much as can right now, and create a plan for migrating the rest O F your app as soon as possible. In addition, your communication through higher-level APIs needs to BES encrypted using TLS version 1.2 with forward secrecy . If you try to make a connection that doesn ' t follow this requirement, an error is thrown. If your app needs to make a request to a insecure domain and you have to specify this domain in your app ' s Info.plist file

If we make an HTTP request directly under IOS9, we will receive the following error message:

APP Transport Security has blocked a cleartext HTTP (/HTTP) resource load since it is insecure. Temporary exceptions can be configured via your app ' s info.plist file.

The system will tell us that the request cannot be made directly using HTTP, and a new configuration for controlling ATS is required at Info.plist:

<key>NSAppTransportSecurity</key><dict> <key>NSAllowsArbitraryLoads</key> <true /></dict>

Also namely:

The nsapptransportsecurity in this configuration is the root node of the ATS configuration, which configures the ATS settings that tell the system to go custom. While the Nsallowsaritraryloads node controls whether the ATS feature is disabled, setting Yes disables the ATS feature.

Until the previous configuration can perfectly fit the iOS9, but if you want to follow Apple's criteria and make your data more secure, then you need to continue looking down.

In fact, ATS is not only for HTTP restrictions, but also have certain requirements for HTTPS, Baidu's address as an example, if you request https://baidu.com in the app, you will receive the following error message:

Nsurlsession/nsurlconnection HTTP Load failed (Kcfstreamerrordomainssl,-9802)

Check the official information (https://developer.apple.com/library/prerelease/ios/technotes/App-Transport-Security-Technote/), Requests to find HTTPS need to meet the following requirements:


These is the App Transport Security requirements:


  • The Protocol Transport Security Layer (TLS) must is at least version 1.2.

  • Connection ciphers is limited to those this provide forward secrecy (see the list of ciphers below.)

  • Certificates must use at least-SHA256 fingerprint with either a 2048 bit or greater RSA key, or a-bit or greater El Liptic-curve (ECC) key.

According to the original description, it must first be based on the TLS 1.2 version protocol. Another way is to connect the encryption method to provide forward secrecy (forward secrecy?) This is not clear what is, curious cheese to find Information Bar ~), the document ROM list the supported encryption algorithm (the following table). Finally, the certificate must use at least one SHA256 fingerprint with either a 2048-bit or higher RSA key, or a 256-bit or higher ECC key. If one of the items is not met, the request is interrupted and nil is returned.

Support for Forward secrecy encryption method

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

We look at the address of Baidu just now, with the browser to open the address of Baidu, and then click the link in front of the lock icon,

You can see that it uses the TLS 1.2 version protocol, which conforms to the first convention. Then you can see that using AES_128_GCM for encryption, and using ECDHE_RSA as the key exchange mechanism, we can find the corresponding two records in the list of Forward secrecy:

    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

But is not sure whether Baidu provides Forward secrecy, we open the certificate information, check the "Issuer name" and "Public key information" two,

See that the signature algorithm reads "SHA-1 with RSA Encryption". You can determine that the encryption algorithm is not included in the above two items. Therefore, Baidu is a non-compliance with ATS requirements, so returned the error. In this case, it is also necessary to configure ATS if the problem is to be resolved . The configuration is as follows:

<key>nsapptransportsecurity</key><dict ><key>nsexceptiondomains</key><dict><key>baidu.com</key><dict><key >NSIncludesSubdomains</key><true/><key>NSExceptionRequiresForwardSecrecy</key>< false/>                                 <key> nsexceptionallowsinsecurehttploads</key>                                  <true/></dict></dict></dict> 

Where Nsincludessubdomains is set to Yes indicates that the child domain name of Baidu uses the same settings. Nsexceptionrequiresforwardsecrecy for no because Baidu does not support Forwardsecrecy, so shield off the change function. The last nsexceptionallowinsecurehttploads is set to Yes, which means to allow access to the wrong domain name that does not have a certificate or a certificate that is self-signed, expired, and does not match the hostname (there seems to be no problem with Baidu's certificate here. However, you need to set this to allow access).

About the IOS9 app Transport security related instructions and adaptation

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.