IOS10 adaptation ATS (App support HTTPS via App Store review) Han Junqiang Blog

Source: Internet
Author: User
Tags rfc free ssl ssl certificate

Tag: Stop error serialize air login call reason int false


Daily Update attention :http://weibo.com/hanjunqiang Sina Weibo! iOS Developer Chat QQ Group: 446310206

One. HTTPS

In fact, HTTPS from the end of the data analysis, and HTTP is not any difference, HTTPS is to put the HTTP protocol packets into the SSL/TSL layer encryption, the TCP/IP layer constitutes a data datagram to transmit, in order to ensure the security of the transmission of data, and for the receiver, in the ssl/ When the TSL decrypts the received packets, it passes the data to the HTTP protocol layer, which is the normal HTTP data. Both HTTP and SSL/TSL are in the application layer of the OSI model. Switching from HTTP to HTTPS is a very simple process, and we need to understand a few concepts before doing a specific switching operation:

SSL/TLS

To ensure that these private data can be encrypted, Netscape designed the SSL (Secure Sockets Layer) protocol to encrypt the data transmitted by the HTTP protocol, which led to the birth of HTTPS. The current version of SSL is 3.0, defined by the IETF (Internet Engineering Task Force) in RFC 6101, and then the IETF is upgraded to SSL 3.0, so TLS (Transport Layer Security) 1.0, defined in RFC 2246. In fact, we now have HTTPS is the TLS protocol, but because SSL appears earlier, and is still supported by the browser now, so SSL is still synonymous with HTTPS, but whether it is TLS or SSL is the last century thing, The last version of SSL is 3.0, and TLS will inherit the good lineage of SSL and continue to encrypt the service for us.

    • Overview of the operating mechanism of SSL/TLS protocol

    • Graphical SSL/TLS protocol

In simple terms, SSL/TSL through four handshakes. The workflow of the SSL protocol:

Server Authentication phase:

The client sends a start message "Hello" to the server to start a new session connection;
The server determines whether a new master key needs to be generated based on the customer's information, and, if necessary, the server will contain the information required to generate the master key in response to the customer's "Hello" information;
The customer generates a master key based on the received server response information and encrypts the server's public key to the server;
The server recovers the master key and returns it to the client to authenticate the server with a master key that is authenticated with the information.

User Authentication phase:

Prior to this, the server has passed the customer certification, this phase is mainly to complete the customer certification.
The certified server sends a question to the customer, and the customer returns a (digital) signature question and its public key, thereby providing authentication to the server.

Two. App Transport Security

IOS9 new app Transport Security (ATS) features, mainly to the original request when the use of HTTP, all to the TLS1.2 protocol for transmission. This also means that all HTTP protocols are forced to use the HTTPS protocol for transmission. In IOS 9 and OS X 10.11, network access that is not HTTPS is forbidden by default. Of course, because such propulsion has a very wide impact, as a buffer, we can add a NSAppTransportSecurity dictionary to info.plist and set it to NSAllowsArbitraryLoads YES disable ATS.

However, in WWDC 16, Apple said it would continue to tighten access restrictions on normal HTTP in IOS 10 and MacOS 10.12. From January 1, 2017 onwards, all new submission apps are not allowed NSAllowsArbitraryLoads to bypass ATS restrictions by default, that is, we'd better make sure that all of the app's network requests are encrypted by HTTPS, otherwise you may have trouble applying auditing.

Three. IOS10 nsapptransportsecurity

By configuring this key in Info.plist, developers can customize the network security policy. For example:

Allow unsecured access to individual servers.
Allows unsafe web or media content access, but does not affect the entire app's ATS policy.
Enable the new security features, such as Certificate Transparency.
Support for Nsapptransportsecurity is available from Ios9.0,os X v10.11 for app and app extension.

Since Ios10.0,macos 10.12, support for the following sub-keys has been added:

    • Nsallowsarbitraryloadsinmedia
    • Nsallowsarbitraryloadsinwebcontent
    • Nsrequirescertificatetransparency
    • Nsallowslocalnetworking
ATS Configuration Basics/ats Basics

For apps using iOS9.0, OS X v10.11 SDK and above, ATS (app Transport Security) is turned on by default, Nsallowsarbitraryloads is the root key of the dictionary nsapptransportsecurity, the default value is No.

In the case of ATS enabled, all HTTP requests must be connected to HTTPS (RFC 2818). Any unsecured HTTP requests will fail. ATS uses TLS (Transport Layer Security) v1.2 (RFC 5246).

Here is the overall structure of the dictionary nsapptransportsecurity, all keys are non-mandatory:

nsapptransportsecurity:dictionary {    Nsallowsarbitraryloads:boolean    Nsallowsarbitraryloadsinmedia: Boolean    Nsallowsarbitraryloadsinwebcontent:boolean    Nsallowslocalnetworking:boolean    nsexceptiondomains:dictionary {        <domain-name-string>: Dictionary {            Nsincludessubdomains:boolean            Nsexceptionallowsinsecurehttploads:boolean            Nsexceptionminimumtlsversion:string            Nsexceptionrequiresforwardsecrecy:boolean   //Default value is YES            Nsrequirescertificatetransparency:boolean        }}}    

As you can see, all keys can be divided into two categories: primary keys, which are used to define the overall ATS strategy for the app, and sub-keys, which are the keys below the Nsexceptiondomains, which are configured separately for a domain name using these keys.

Primary keys include:

    • Nsallowsarbitraryloads

      Set to YES to unlock the ATS limit for the entire app; however, the configuration through Nsexceptiondomains is still valid. The default value is NO.
      Note: Set to YES will cause the APP Stroe to be reviewed and the developer must explain why.

    • Nsallowsarbitraryloadsinmedia

      Set to YES to remove the ATS restriction when accessing media content through the AV Foundation framework; Enable this key to make sure that the loaded media content is encrypted, such as a file protected by Fairplay, or a secure HLS stream, which does not contain sensitive personal information. The default is NO.

    • Nsallowsarbitraryloadsinwebcontent

      Set to YES to unblock the ATS limit for network requests made through Web view. Enabling this key allows the app to access any page content without affecting the app's overall ATS policy. This key value defaults to NO.

    • Nsallowslocalnetworking

      Set to YES to allow the app to load any local resource without affecting the app's overall ATS policy. The default is NO.

    • Nsexceptiondomains

      Configure ATS separately for one or more domain names.
      A separately configured domain name, by default, is subject to the full ATS limit, regardless of the value of the nsallowsarbitraryloads; need to be further configured with sub-keys

All sub-keys belong to Nsexceptiondomain. Add this primary key to Info.plist:

    • Create a dictionary for one or more domain names for ATS configuration.
    • This means that the settings that were previously made using the primary key are not valid for this domain name.

For example, setting Nsallowsarbitraryloadsinmedia to YES in time, but the domain name represented by Nsexceptiondomain still does not have access to unsafe media content.

Based on this setting, ATS can be configured for domain names to increase or decrease security. For example:

    • Setting Nsexceptionallowsinsecurehttploads to YES will cause the App Store to be reviewed, as detailed in App Store Review for ATS.
    • By configuring Nsexceptionrequiresforwardsecrecy to NO, the forward secrecy is canceled.
    • Change the minimum TLS version by configuring Nsexceptionminimumtlsversion.

Nsexceptiondomains Dictionary composition:

  • < domain name string >
    Represents the specific domain name that you want to configure. You can add multiple domain names (that is, add multiple such keys) and configure the ATS policy for them uniformly. This key corresponds to a dictionary, which contains the following sub-keys:

    • Nsincludessubdomains
      YESNO。
    • Nsexceptionallowsinsecurehttploads
      YESNO。注意,配置这个键值,将引发 App Store 的审查,开发者必须说明原因。
    • Nsexceptionminimumtlsversion
      * 指定 TLS 的最低版本,因此可以使用版本较低,有安全漏洞的 TLS 协议。注意,配置这个键值,将引发 App Store 的审查,开发者必须说明原因。
    • Nsexceptionrequiresforwardsecrecy
      NOYES。
    • Nsrequirescertificatetransparency
      YESNO。
Requirements for connecting using ATS/prerequisites for using ATS

When ATS is fully turned on, the system requires that the app's HTTPS connection must meet the following requirements:

The digital certificate must meet one of the following criteria:

  • Issued by the root certification authority embedded in the operating system

    • Issued by a root certification authority that is actively installed by the operating system administrator or user
      • The TLS version must be 1.2, and any connection that does not use or use a lower version of Tls/ssl will fail.
  • The connection must use the AES-128 or AES-256 symmetric encryption algorithm. The TLS algorithm bundle must support forward secrecy in the form of a ECDSA key exchange, and the encryption algorithm must be one of the following:

    • tls_ecdhe_ecdsa_with_aes_256_gcm_sha384
    • tls_ecdhe_ecdsa_with_aes_128_gcm_sha256
    • tls_ecdhe_ecdsa_with_aes_256_cbc_sha384
    • Tls_ecdhe_ecdsa_with_aes_256_cbc_sha
    • tls_ecdhe_ecdsa_with_aes_128_cbc_sha256
    • Tls_ecdhe_ecdsa_with_aes_128_cbc_sha
    • tls_ecdhe_rsa_with_aes_256_gcm_sha384
    • tls_ecdhe_rsa_with_aes_128_gcm_sha256
    • tls_ecdhe_rsa_with_aes_256_cbc_sha384
    • tls_ecdhe_rsa_with_aes_128_cbc_sha256
    • Tls_ecdhe_rsa_with_aes_128_cbc_sha
  • The leaf certificate signing key for the server must be one of the following:

    • RSA key of at least 2048 bits
    • At least 256 bits of ECC key
    • In addition, the hash algorithm for the server certificate must be SHA-2 and its digest length is at least 256 bits (that is, SHA-256 and above).
      The above standards may change in the future. It does not affect the compatibility of the app binary package.


APP store Review for Ats/app store approvals for ATS related items

Some configuration of ATS will cause the App Store to be audited, and the developer must explain why. These keys are:

    • Nsallowsarbitraryloads
    • Nsexceptionallowsinsecurehttploads
    • Nsexceptionminimumtlsversion

Here are some examples of reasons for reference:

    • Servers that are controlled by other agencies must be connected and do not support secure connections.
    • You must support devices that have not yet been upgraded to use a secure connection and have to access the network through a public domain name.
    • Various network content from different sources must be presented through the web, but the classes managed by Nsallowsarbitraryloadsinwebcontent are not fully used.

When submitting an audit to the app Store, developers should proactively provide enough information to explain why the app is not able to use a secure connection.

Four. Implement a secure ATS policy

<font color=red size=5>ats Related settings are not valid for iOS8 and the following systems </font>

Issues to be addressed (IOS 9, iOS10 and above) 1, in-app server network request access support HTTPS (that is, the general request) 2, WebView support any HTTP access 3, Third-party SDK access and support HTTP access is primarily about the security ATS policy around the Info.pilst configuration file

The Info.plist file is a list of XML attributes that describe the application to the operating system, and the iphone application folder contains all the important info.plist files

You may notice that some keywords are using words in other keywords but preceded by the words "thirdparty", and functionally, these keywords have the same effect as keywords that do not contain "thirdparty". And the code that is called in the actual run will completely ignore the use of the "thirdparty" keyword.

Simple and Crude solution:

--------------------------------------------

Nsexceptiondomains is set up as follows, for example, we want to exclude weibo.com this domain name from ATS validation, it can be:

key>nsapptransportsecurity</key><dict>    <key>NSExceptionDomains</key>    < dict>        <key>weibo.com</key>        <dict>            <key> nsincludessubdomains </key>            <true/>            <key> nsexceptionrequiresforwardsecrecy </key>            <false/>            <key >NSExceptionAllowsInsecureHTTPLoads</key>            <true/>        </dict>    </dict>    <key>NSAllowsArbitraryLoads</key>    <true/></dict>


Note: You need to set these three properties for each domain you want to add. If the requested network picture is HTTP, it is also the domain of the picture that needs to be set.

Attention?? This scheme is risky and may be rejected. "The domain name that needs to be accessed is a third-party server, and they do not have HTTPS correspondence" is an optional reason to audit, but this should only be for a specific domain name, not full open. If you are accessing your own server, this may not be the case.

------------------------------------------------

Implementation Scenario 1, in-app server network request access support HTTPS

Solution:

Build an HTTPS server

SSL certificate required to build HTTPS server

    1. SSL self-made certificate: called Self-signed SSL certificate, easy to be fake forgery, browser does not trust. (Audit does not pass)
    2. Free CA Certificate: Some CA agencies provide free SSL certificates, such as Wosign,starts, etc. (App Store pass out)
    3. Paid CA Certificate: More than the enterprise level and above the digital certificate.

HTTPS server satisfies the ATS default condition, and SSL certificate is authenticated by the authoritative CA institution, then when we use Xcode development, we do not need to do anything with the network, we can communicate with the server. However, when we have higher security requirements or when we build our own certificates, we need to import the certificates locally to verify them.

Using afnetworking to support HTTPS

Afnetworking is one of the most popular third-party open source libraries developed by IOS/OSX, and now iOS OC Code 90% is used with this framework network request. Afnetworking has already encapsulated the above logic code, even more perfect, in the Afsecuritypolicy file, interested in reading the code of this module; The following is the afnetworking 2.6.0 Previous versions and 3.0.0 versions based on HTTPS-enabled authentication

Steps:

    1. Create a new manager
    2. Look for the https.cer that we just dragged into the project in Mainbundle and read the relevant data
    3. Create a new afsecuritypolicy and configure it accordingly
    4. Assign this afsecuritypolicy instance to the manager

Code implementation:

Nsurl * url = [nsurl urlwithstring:@ "https://www.google.com"]; Afhttprequestoperationmanager * Requestoperationmanager = [[Afhttprequestoperationmanager alloc] InitWithBaseURL:url ];d ispatch_queue_t requestqueue = Dispatch_create_serial_queue_for_name ("Krequestcompletionqueue"); Requestoperationmanager.completionqueue = Requestqueue; Afsecuritypolicy * securitypolicy = [Afsecuritypolicy policywithpinningmode:afsslpinningmodecertificate];// Allowinvalidcertificates whether to allow invalid certificates (that is, self-built certificates), the default is no//if you need to verify your self-built certificate, you need to set it to Yessecuritypolicy.allowinvalidcertificates = Yes;//validatesdomainname If you need to verify the domain name, the default is yes;//if the domain name of the certificate does not match the domain name you requested, you need to set the entry to no; If you set no, that is, the server uses certificates issued by other trusted institutions, you can also establish a connection. This is very dangerous, it is recommended to open. Set to No, mainly used in this case: the client is requesting a subdomain, and the certificate is a different domain name. Because the domain name on the SSL certificate is independent, if the domain name registered on the certificate is www.google.com, then mail.google.com cannot be verified; Of course, the rich can register the wildcard name *.google.com, but this is still relatively expensive. If set to No, it is recommended that you add the check logic for the corresponding domain name. Securitypolicy.validatesdomainname = Yes;//validatescertificatechain Verifies the entire certificate chain, default is yes//set to YES, will return the trust of the server The certificate chain on the object is compared to the locally imported certificate, which means that if your certificate chain is this://geotrusT Global CA//Google Internet Authority g2//*.google.com//then, in addition to importing *.google.com, you need to import all the CA certificates on the certificate chain (GeoTrust Glob Al CA, Google Internet Authority G2);//If the certificate is self-built, it can be set to Yes, enhanced security, if it is a certificate issued by a trusted CA, it is recommended to turn off this authentication because the entire certificate chain one by one is not necessary (see source code) ; securitypolicy.validatescertificatechain = No;requestoperationmanager.securitypolicy = SecurityPolicy;    Another afnetworking 3.0.0 or more versions are Afhttpsessionmanager Afhttpsessionmanager * manager = [Afhttpsessionmanager manager];    NSString * Cerpath = [[NSBundle mainbundle] pathforresource:@ "server" oftype:@ "CER"];    NSData * Cerdata = [NSData Datawithcontentsoffile:cerpath];    NSLog (@ "%@", cerdata); Manager.securitypolicy = [Afsecuritypolicy policywithpinningmode:afsslpinningmodecertificate    Withpinnedcertificates:[[nsarray Alloc] initwithobjects:cerdata, nil]];    Manager.securityPolicy.allowInvalidCertificates = YES;    [Manager.securitypolicy Setvalidatesdomainname:no];    Manager.requestserializer = [Afjsonrequestserializer serializer]; Manager.responseseRializer = [Afjsonresponseserializer serializer];    nsdictionary * parameter = @{@ "username": self.username, @ "password": Self.password}; [Manager post:@ "https://192.168.1.4:9777" Parameters:parameter success:^ (Nsurlsessiondatatask * task, ID        Responseobject) {NSLog (@ "Success%@", Responseobject);        } failure:^ (Nsurlsessiondatatask * task, Nserror * error) {NSLog (@ "Failure%@", error); }] <key>NSAppTransportSecurity</key> <dict> <key>NSAllowsArbitraryLoads</key>/ /set to YES to unlock the entire app's ATS limit, but the configuration via nsexceptiondomains is still valid <false/> <key>nsallowsarbitraryloadsinmed Ia</key>//Set to YES to remove ATS restrictions <true/> <key>nsallowsarbitraryloadsin when accessing media content through the Avfoundation framework Webcontent</key>//Set to YES to release ATS restrictions <true/> &LT;KEY&GT;NSALLOWSLOCALNETWORKING&L for network requests made via WebView T;/key>//Set to YES allows the app to load any local resource without affecting the app's overall ATS strategy <true/>


2. Support any HTTP access in WebView

For web browsing and video playback behavior, the Nsallowsarbitraryloadsinwebcontent key is added to IOS 10. By setting it to YES, you can make Wkwebview in your app and online videos played with avfoundation not restricted by ATS. This should also be the choice of most apps that use the relevant features. But the bad news is that this key doesn't work in IOS 9.

If the app only supports IOS 10 and has the ability to freely enter a URL for browsing, or an online video audio playback feature, simply add nsallowsarbitraryloadsinwebcontent and replace the component with Wkwebkit or Avfoundation can do it. If you still need to support IOS 9 and need access to Web pages and videos, you may only have to open nsallowsarbitraryloads and then submit the instructions, and watch the Apple auditor decide to let it pass.

In addition, when nsallowsarbitraryloads and nsallowsarbitraryloadsinwebcontent exist simultaneously, the behavior will be different depending on the system. Simply put, iOS 9 only looks at Nsallowsarbitraryloads, while iOS 10 will look at Nsallowsarbitraryloadsinwebcontent first. In IOS 10, if nsallowsarbitraryloadsinwebcontent exists, ignore nsallowsarbitraryloads and if it does not exist, follow nsallowsarbitraryloads The settings

UIWebView access to HTTP when Nsallowsarbitraryloadsinwebcontent is YES is not valid. Wkwebview Access HTTP in iOS 10 when nsallowsarbitraryloadsinwebcontent is YES, iOS 9 is not valid. If you replace Uiwebview,ios 7 with Wkwebview will not be able to use Wkwebview, can do the appropriate load, there is no special need, it will be better to switch uiwebview all to Wkwebview as soon as possible. So in order for WebView to be able to access non-HTTPS content in all versions, you can only set Nsallowsarbitraryloads to Yes.

Solution One:

Turn on Nsallowsarbitraryloads for YES, and then submit the instructions

Solution Two:

Set the Nsexceptiondomains property to access the specified domain name, and then explain it when submitted

3, third-party SDK access and support HTTP access

But it may be more practical to close the restrictions in line with the domestic situation. There are too many reasons, third-party SDKs (almost all HTTP access), partner access (they must not be required to support HTTPS)

Third-party SDK, the same need to comply with ATS rules, that is, the third-party SDK has been the risk of ATS filtering, QQ, sharing, landing functions can be normal, micro-blog landing can not be normal. Also found on the Internet some of the possible problems of the SDK, currently known to have:

    • Friends Alliance (already has the latest v1.4.0 version SDK, support HTTPS, pending verification)
    • Baidu Map

Solution One:

Update the latest SDK, access and test

Solution Two:

You can set the Nsexceptiondomains property to write the domain name that you want to exclude from mandatory validation:

Five. Summary

Turn on Nsallowsarbitraryloads for YES

Add a whitelist to the server settings for third-party access Nsexceptiondomains

Submit an Audit Note:

    • Servers that are controlled by other agencies must be connected and do not support secure connections.

    • Various network content from different sources must be presented through the web, but the classes managed by Nsallowsarbitraryloadsinwebcontent are not fully used.

Daily update attention :http://weibo.com/hanjunqiang Sina Weibo! iOS Developer Chat QQ Group: 446310206




IOS10 adaptation ATS (App support HTTPS via App Store review) Han Junqiang Blog

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.