Update of App Transport Security, in Chinese and English, apptransport

Source: Internet
Author: User
This section is written by myself and is not plagiarized. The English part of this section is excerpted from official documents and summarized by myself. The translation is poor; please refer to the English. App Transport Security (translated as "app transmission security" for the time being): what is ATS?

App Transport Security (ATS) enforces best practices in the secure connections between an app and its back end. ATS prevents accidental disclosure, provides secure default behavior, and is easy to adopt; it is also on by default in iOS 9 and OS X v10.11. You should adopt ATS as soon as possible, regardless of whether you're creating a new app or updating an existing one.

ATS provides a good standard for secure connections between apps and the backend. ATS prevents accidental information leaks and provides secure default behavior, and it is enabled by default in iOS 9 and OS X v10.11. Developers should adopt ATS as soon as possible, whether creating a new app or updating an existing one.

If you're developing a new app, you should use HTTPS exclusively. If you have an existing app, you should use HTTPS as much as you can right now, and create a plan for migrating the rest of your app as soon as possible. In addition, your communication through higher-level APIs needs to be encrypted using TLS version 1.2 with forward secrecy. If you try to make a connection that doesn't follow this requirement, an error is thrown. If your app needs to make a request to an insecure domain, you have to specify this domain in your app's Info.plist file.

If you are developing a new app, you should use HTTPS exclusively. If you already have an app, you should use HTTPS as much as you can now and migrate the remaining parts as soon as possible. In addition, communication through high-level APIs must use TLS 1.2 with forward secrecy. If you try to establish a connection that does not meet this requirement, an error is thrown. If your app needs to send requests to an insecure domain, you must specify this domain in your app's Info.plist file.

ATS requirements:

All connections using the NSURLConnection, CFURL, or NSURLSession APIs use App Transport Security default behavior in apps built for iOS 9.0 or later, and OS X 10.11 or later. Connections that do not follow the requirements will fail.

All NSURLConnection, CFURL, and NSURLSession API connections in apps compiled for iOS 9.0 or later, or OS X 10.11 or later, use the ATS default behavior. Connections that do not meet the ATS requirements will fail.

These are the App Transport Security requirements:

ATS imposes the following requirements:

  • The server must support at least Transport Layer Security (TLS) protocol version 1.2. The server must support TLS 1.2 or later.

  • Connection ciphers are limited to those that provide forward secrecy (see the list of ciphers below). The connection must use a cipher that provides forward secrecy (see the cipher list below).

  • Certificates must be signed using a SHA256 or greater signature hash algorithm, with either a 2048 bit or greater RSA key or a 256 bit or greater Elliptic-Curve (ECC) key. Invalid certificates result in a hard failure and no connection.

    The certificate must be signed with SHA256 or a stronger signature hash algorithm, using an RSA key of at least 2048 bits or an ECC key of at least 256 bits. Invalid certificates cause a hard failure and no connection is made.

These are the accepted ciphers:

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

If your connection does not meet the requirements, you will get the following error:

If the connection does not meet the requirements, the following error will be reported:

NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL,-9802)

How to configure an ATS exception for an HTTPS server that does not meet the requirements? (Set HTTPS protocol that does not meet the requirements)

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>api.circletable.com</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSExceptionRequiresForwardSecrecy</key>
            <false/>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
</dict>

NSIncludesSubdomains is set to YES, indicating that subdomains use the same settings as the parent domain.

NSExceptionRequiresForwardSecrecy is set to NO, which lifts the forward secrecy requirement for this domain if its HTTPS server does not support forward secrecy ciphers.

If NSExceptionAllowsInsecureHTTPLoads is set to YES, connections to this domain are allowed even when it has no certificate, or when the certificate is self-signed, expired, or has a mismatched host name.

How and when to disable ATS? (When should ATS not be used, and how is it disabled?)

The following error is returned when you directly use plain HTTP requests in iOS 9.

App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file.

To allow plain HTTP, add the following key to Info.plist:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

Setting NSAllowsArbitraryLoads to YES disables ATS.
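As an added example (not from the original post or from Apple), the Python script below uses the standard-library plistlib to review an Info.plist's NSAppTransportSecurity dictionary before release: it lists every setting that weakens the ATS defaults (the global NSAllowsArbitraryLoads switch and the per-domain exception keys) and resolves which policy actually applies to a given host, including the NSIncludesSubdomains matching described above. The plist is a constructed sample that reuses the api.circletable.com exception from this page; only the first-party exception keys are handled, not the NSThirdParty* variants.

```python
import plistlib

# Constructed Info.plist fragment for this example (not a real app's file); the
# api.circletable.com exception mirrors the one shown above.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSAllowsArbitraryLoads</key><false/>
    <key>NSExceptionDomains</key><dict>
      <key>api.circletable.com</key><dict>
        <key>NSIncludesSubdomains</key><true/>
        <key>NSExceptionRequiresForwardSecrecy</key><false/>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
      </dict>
    </dict>
  </dict>
</dict></plist>"""

def load_ats(plist_bytes):
    """Return the NSAppTransportSecurity dictionary of an Info.plist (empty if absent)."""
    return plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})

def effective_policy(ats, host):
    """Resolve the ATS rules that apply to one host, honouring NSIncludesSubdomains."""
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if host == domain or (rules.get("NSIncludesSubdomains") and host.endswith("." + domain)):
            return {"https_required": not rules.get("NSExceptionAllowsInsecureHTTPLoads", False),
                    "forward_secrecy": rules.get("NSExceptionRequiresForwardSecrecy", True),
                    "min_tls": rules.get("NSExceptionMinimumTLSVersion", "TLSv1.2")}
    if ats.get("NSAllowsArbitraryLoads"):
        # Global opt-out: unlisted domains get no ATS checks at all.
        return {"https_required": False, "forward_secrecy": False, "min_tls": None}
    return {"https_required": True, "forward_secrecy": True, "min_tls": "TLSv1.2"}

def audit(ats):
    """List every setting that weakens the ATS defaults, for review before release."""
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads=YES: ATS disabled for all unlisted domains")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        scope = domain + (" (+subdomains)" if rules.get("NSIncludesSubdomains") else "")
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"{scope}: cleartext HTTP and invalid certificates accepted")
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"{scope}: forward secrecy not required (TLS_RSA_* ciphers accepted)")
        if rules.get("NSExceptionMinimumTLSVersion", "TLSv1.2") != "TLSv1.2":
            findings.append(f"{scope}: minimum TLS lowered to {rules['NSExceptionMinimumTLSVersion']}")
    return findings
```

Running audit(load_ats(SAMPLE_PLIST)) reports the two weakened settings for api.circletable.com, and effective_policy on "cdn.api.circletable.com" shows that, because of NSIncludesSubdomains, the same relaxed rules cover the subdomain while "circletable.com" itself keeps the defaults.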

The property keys (configurable attributes)

Key                                                       Type
NSAppTransportSecurity                                    Dictionary
    NSAllowsArbitraryLoads                                Boolean
    NSExceptionDomains                                    Dictionary
        <domain-name-for-exception-as-string>             Dictionary
            NSExceptionMinimumTLSVersion                  String
            NSExceptionRequiresForwardSecrecy             Boolean
            NSExceptionAllowsInsecureHTTPLoads            Boolean
            NSIncludesSubdomains                          Boolean
            NSThirdPartyExceptionMinimumTLSVersion        String
            NSThirdPartyExceptionRequiresForwardSecrecy   Boolean
            NSThirdPartyExceptionAllowsInsecureHTTPLoads  Boolean

NSAppTransportSecurity

A dictionary containing the settings for overriding default App Transport Security behaviors. The top level key for the app's Info.plist file.

A dictionary used to override the ATS default behaviors, which contains the ATS settings. It is the top-level key in the app's Info.plist file.

NSAllowsArbitraryLoads

A Boolean value used to disable App Transport Security for any domains not listed in the NSExceptionDomains dictionary. Listed domains use the settings specified for that domain. The default value of NO requires the default App Transport Security behavior for all connections.

A boolean value. It can be used to disable ATS for any domain not listed in the NSExceptionDomains dictionary; listed domains use their own settings. The default value is NO, meaning that all connections must follow the ATS default behavior.

NSExceptionDomains

A dictionary of App Transport Security exceptions for specific domains. Each key is a string containing the domain name for the specified exceptions.

A dictionary of ATS exceptions for specific domains. Each key is a string containing the domain name that gets the exception.

<Domain-name-for-exception-as-string>

A dictionary of exceptions for the named domain. The name of the key is the name of the domain, for example, www.apple.com.

A dictionary of exceptions for the named domain. The key is the domain name itself.

NSExceptionMinimumTLSVersion

A string that specifies a minimum TLS version for connections. Valid values are: TLSv1.0, TLSv1.1, TLSv1.2. TLSv1.2 is the default value.

A string giving the minimum TLS version number. Valid values: TLSv1.0, TLSv1.1, and TLSv1.2. The default value is TLSv1.2.

NSExceptionRequiresForwardSecrecy

A Boolean value for overriding the requirement that the domain support forward secrecy using ciphers.

YES is the default value and limits the ciphers to those shown in Default Behavior.

Setting the value to NO adds the following to the list of accepted ciphers:

  • TLS_RSA_WITH_AES_256_GCM_SHA384

  • TLS_RSA_WITH_AES_128_GCM_SHA256

  • TLS_RSA_WITH_AES_256_CBC_SHA256

  • TLS_RSA_WITH_AES_256_CBC_SHA

  • TLS_RSA_WITH_AES_128_CBC_SHA256

  • TLS_RSA_WITH_AES_128_CBC_SHA

NSExceptionAllowsInsecureHTTPLoads

A Boolean value for overriding the requirement that all connections use HTTPS. Use this key to access domains with no certificate, or with an error for a self-signed, expired, or hostname-mismatch certificate.

NO is the default value.

NSIncludesSubdomains

A Boolean value for applying the overrides to all subdomains of the top-level domain.

NO is the default value.

NSThirdPartyExceptionMinimumTLSVersion

A version of NSExceptionMinimumTLSVersion used when the domain is an app service that is not controlled by the developer.

NSThirdPartyExceptionRequiresForwardSecrecy

A version of NSExceptionRequiresForwardSecrecy used when the domain is an app service that is not controlled by the developer.

NSThirdPartyExceptionAllowsInsecureHTTPLoads

A version of NSExceptionAllowsInsecureHTTPLoads used when the domain is an app service that is not controlled by the developer.

References:

  • http://ste.vn/2015/06/10/configuring-app-transport-security-ios-9-osx-10-11/

  • http://www.neglectedpotential.com/2015/06/working-with-apples-application-transport-security/

  • https://developer.apple.com/library/prerelease/ios/releasenotes/General/WhatsNewIniOS/Articles/iOS9.html

  • https://developer.apple.com/library/prerelease/ios/releasenotes/DeveloperTools/RN-Xcode/Chapters/xc7_release_notes.html#//apple_ref/doc/uid/TP40001051-CH5-SW1
