How to use ATS to improve the security of your application

APP Transport Security, briefly called ATS, is a new feature of iOS9 and OS X El Capitan. The goal of App Transport security is to improve the security of your Apple operating system and the security of any app running on this operating system.

Network requests that transmit data based on HTTP are plaintext. when the app Transport security is turned on, the network transmission is automatically transmitted over HTTPS instead of HTTP.

APP Transport Security requires TLS (Transport Layer Security) 1.2 or higher.

For app Transport Security, each application belongs to one of the 4 major categories.

Only HTTPS

If your app is based on a server that supports HTTPS, then you're lucky. Your app doesn't need to make any changes. However, note that app Transport security requires TLS 1.2 and it requires the site to use a password that supports the forward secrecy protocol. The certificate is also required to comply with ATS specifications. It is therefore important to carefully check that the servers that interact with your application are compliant with ATS requirements.

Mixed

It is possible for your application to work with a server that does not meet ATS requirements. In this case, you need to tell the operating system which sites are involved and then indicate in your app's info.plist file which requirements are not met.

This means that for every site that interacts with your app, the app Transport Security is not mandatory except those declared in the info.plist of your app, and everything else needs to be required. You can use a number of predefined keys values to configure exceptions (exceptions). In the Info.plist file below, we have defined 3 exceptions.

Api.insecuredomain.com

The first exception we defined tells ATS to revoke the requirement to use HTTPS when interacting with this subdomain. Note that this is only for subdomains that have been declared in the exception. It is important to understand that the Nsexceptionallowsinsecurehttploads keyword is not just related to using HTTPS. This exception indicates that all app Transport security requirements have been revoked for that domain name.

Cdn.domain.com

It is possible that your app interacts with a server that supports HTTPS data transfer, but does not use TLS 1.2 or higher. In this case, you define an exception that indicates the minimum version of TLS that should be used. This is better and more secure than the app Transport security that completely revokes that domain name.

Thatotherdomain.com

The Nsincludessubdomains keyword tells the App Transport security that this exception applies to all subdomains of this particular domain name. This exception is further defined by extending the list of acceptable passwords that can be used to use passwords that do not support the forward secrecy (nsexceptionrequiresforwardsecrecy) protocol. Want to know more about forward secrecy, I recommend you to read this article? Apple ' s technote.

Revoke

If you are creating a Web browser, then you have a bigger problem. Because you cannot know that your users are going to visit that webpage, you cannot indicate whether these pages support ATS requirements and transmit on HTTPS. In this case, there is no other option except to revoke all APP Transport Security.

It is very important that you explicitly specify to revoke the APP Transport Security. Keep in mind that app Transport security is enforced by default. In your app's info.plist, file, add a dictionary for nsapptransportsecurity key values. This dictionary should include a keyword, nsallowsarbitraryloads, and its value to be set to Yes. If you revoke the app Transport Security, here's what your app's info.plist file should look like:

With the exception of the revocation

The fourth big class is when your app revokes app Transport Security, but at the same time it defines some exceptions. This is very useful when your app takes data from a lot of servers, but also interacts with an API that you can control. In this case, specifying any load in the app's Info.plist file is allowed, but you have also specified one or more exceptions to indicate which of the app Transport security must be required. Here's what the Info.plist file should be:

How to use ATS to improve the security of your application