IOS 9:ats

Apple's focus on security is understandable, and at this year's WWDC conference, Apple made a clear example of a new feature to improve the security of the system, the app Transport security.

1. What is App Transport Security.

APP Transport Security, referred to as ATS, is a new feature of IOS9. Although Apple did not mention watchOS, I believe App Transport security must also apply to Watchos2.app Transport Security's goal is to improve Apple The security of the operating system and the security of any application running on this operating system.

Network requests that transmit data based on HTTP are clear-text requests, and it goes without saying that this can be a huge security risk, and Apple's aim is that each developer must ensure that the customer's data is secure, and that the data is not important to the developer in time.

APP TransPort Security actively promotes safety by aggressively implementing a range of best security practices, and most importantly, network requests must be on a secure link. When the app TransPort security era is turned on, network transmissions automatically pass HTTPS instead of HTTP.

There are a number of other requirements to further improve security. For example, APP TransPort security requires TLS (TransPort Layer Security) 1.2 or higher. You probably don't know much about TLS, but I'm sure you've heard of SSL (secure Sockets Layer). TLS is the successor to SSL, which is a collection of cryptographic protocols that are used to enhance security on network connections.

Apple recently published an open, pioneering article technote about app Transport Security, giving developers a chance to study app Transport security. This article lists what app Transport Security expects from your app and the Web services that interact with your app.

Exception

Wait a minute. My app uses a CDN that I don't have permission to control (Content Delivery Network) and it doesn't support HTTPS. Don't worry, Apple is thinking about it for you. For app Transport Security, each application belongs to one of the 4 major categories. Let's take a look at how each big class affects the application.

Only HTTPS

If your app is only HTTPS-based servers. Your app doesn't need to make any changes. However, note that app Tranfport security requires TLS1.2 and it requires the site to use the Forward Secrecy protocol password. The certificate is also required to comply with ATS specifications. It is therefore important to carefully check that the servers that interact with your application are compliant with ATS requirements.

Mixed

It is possible for your application to work with a server that does not meet ATS requirements. In this case, you need to tell the operating system which sites are involved and then indicate in your app's info.plist file which requirements are not met.

This means that for every site that interacts with your app, the app Transport Security is not mandatory except those declared in the info.plist of your app, and everything else needs to be required. You can use a number of predefined keys values to configure exceptions (exceptions). In the Info.plist file below, we have defined 3 exceptions.

Api.insecuredomain.com

The first exception we defined tells ATS to revoke the requirement to use HTTPS when interacting with this subdomain. Note that this is only for subdomains that have been declared in the exception. It is important to understand that the Nsexceptionallowsinsecurehttploads keyword is not just related to using HTTPS. This exception indicates that all APP Transport security requirements have been revoked for that domain name.

Cdn.domain.com

It is possible that your app interacts with a server that supports HTTPS data transfer, but does not use TLS 1.2 or higher. In this case, you define an exception that indicates the minimum version of TLS that should be used. This is better and more secure than the app Transport security that completely revokes that domain name.

Thatotherdomain.com

The Nsincludessubdomains keyword tells the App Transport security that this exception applies to all subdomains of this particular domain name. This exception is further defined by extending an acceptable password list to use a password that does not support the forward secrecy (nsexceptionrequiresforwardsecrecy) protocol. For more information on forward secrecy, I recommend you to read this article Apple's technote.

Revoke

If you are creating a Web browser, then you have a bigger problem. Because you cannot know that your users are going to visit that webpage, you cannot indicate whether these pages support ATS requirements and transmit on HTTPS. In this case, there is no other option except to revoke all APP Transport Security.

It is very important that you explicitly specify to revoke the APP Transport Security. Keep in mind that app Transport security is enforced by default. In your app's info.plist, file, add a dictionary for nsapptransportsecurity key values. This dictionary should include a keyword, nsallowsarbitraryloads, and its value to be set to Yes. If you revoke the app Transport Security, here's what your app's info.plist file should look like:

With the exception of the revocation

The fourth big class is when your app revokes app Transport Security, but at the same time it defines some exceptions. This is very useful when your app takes data from a lot of servers, but also interacts with an API that you can control. In this case, specifying any load in the app's Info.plist file is allowed, but you have also specified one or more exceptions to indicate which of the app Transport security must be required. Here's what the Info.plist file should be:

Time

Apple insists that if the app is built on iOS9 or OS X El Capitan, they are automatically added to app Transport Security. This means that as long as your app is built on IOS 8 or OS X Yosemite, you don't need to make any changes to your app.

Based on the experience of previously released iOS and OSX x systems, we learned that Apple soon asked developers to use the latest SDK to create apps shortly after the official version was released. In other words, even if you don't want to comply with app Transport Security at the end of the year when iOS 9 and OS X El Capitan are released, it's likely that Apple will require developers to develop applications based on the latest SDK in the first or second quarter of 2016. So I recommend that you study the impact that app Transport Security will have on your app as soon as possible.

IOS 9:ats