What is App Transport Security?
Starting with iOS 9.0 and OS X 10.11, Apple introduced a security feature called App Transport Security (ATS), which is enabled in apps by default. When ATS is enabled, apps can connect to web servers only over HTTPS; plain HTTP connections fail with the following error in the console.
App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file.
To allow HTTP connections, add the following keys to the app's Info.plist file. This disables ATS entirely, so HTTP connections work as before.
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key><true/>
</dict>
ATS is enabled by default for the NSURLSession class and its APIs; the older NSURLConnection class also enforces ATS when the app is linked against the iOS 9.0 SDK or later.
If the app is linked against an SDK older than iOS 9.0, ATS is disabled and the NSAppTransportSecurity key is ignored.
By introducing ATS, Apple enforces the following:
- HTTP is disabled by default
- HTTPS alone is not considered strong enough
- HTTPS must have forward secrecy enabled
There are some requirements an app must meet to fully support ATS:
- All of the app's HTTP connections must use HTTPS.
- The Transport Layer Security version must be TLS 1.2.
- The TLS cipher suite must support forward secrecy (FS).
- The leaf certificate must be signed with either a 2048-bit RSA key or an ECC key of at least 256 bits.
Depending on the web servers and their capabilities, the app's Info.plist can be configured in different ways. For example:
To keep ATS enabled in general but allow HTTP connections to one specific server that does not support HTTPS, use the following configuration.
<key>NSAppTransportSecurity</key>
<dict>
  <key>NSExceptionDomains</key>
  <dict>
    <key>media-server.example.com</key>
    <dict>
      <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
    </dict>
  </dict>
</dict>
To use a secure connection to a web server that runs an older version of TLS and does not support forward secrecy, use the following configuration.
<key>NSAppTransportSecurity</key>
<dict>
  <key>NSExceptionDomains</key>
  <dict>
    <key>less-secure.example.com</key>
    <dict>
      <key>NSExceptionRequiresForwardSecrecy</key><false/>
      <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
    </dict>
  </dict>
</dict>
To enforce ATS for the domains we control while allowing HTTP connections to all other URLs, use the following configuration. NSAllowsArbitraryLoads disables ATS globally, and the per-domain exception keys re-enable it for our own domains.
<key>NSAppTransportSecurity</key>
<dict>
  <key>NSAllowsArbitraryLoads</key><true/>
  <key>NSExceptionDomains</key>
  <dict>
    <key>domain-i-control.example.com</key>
    <dict>
      <key>NSExceptionAllowsInsecureHTTPLoads</key><false/>
      <key>NSExceptionRequiresForwardSecrecy</key><true/>
      <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.2</string>
    </dict>
    <key>other-domain-i-control.example.com</key>
    <dict>
      <key>NSExceptionAllowsInsecureHTTPLoads</key><false/>
      <key>NSExceptionRequiresForwardSecrecy</key><true/>
      <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.2</string>
    </dict>
  </dict>
</dict>
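The exception keys above and the requirements list come together in the following added example (my own code, not Apple's and not from the original page): it resolves the ATS policy an Info.plist applies to a given URL and then checks the protocol and cipher name that openssl s_client reports against that policy. The plist fragment is constructed from the third configuration above; the ECDHE-prefix test for forward secrecy and the exact-host match (NSIncludesSubdomains is not modelled) are simplifications.

```python
"""ATS policy resolver and connection check (added example, not Apple's code)."""
import plistlib
from urllib.parse import urlsplit

# Constructed Info.plist fragment: ATS enforced for our own domain, HTTP allowed
# for everything else (the third configuration above, in XML form).
INFO_PLIST = b"""<plist version="1.0"><dict><key>NSAppTransportSecurity</key>
<dict>
  <key>NSAllowsArbitraryLoads</key><true/>
  <key>NSExceptionDomains</key>
  <dict>
    <key>domain-i-control.example.com</key>
    <dict>
      <key>NSExceptionAllowsInsecureHTTPLoads</key><false/>
      <key>NSExceptionRequiresForwardSecrecy</key><true/>
      <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.2</string>
    </dict>
  </dict>
</dict>
</dict></plist>"""

def ats_policy(plist_bytes: bytes, url: str) -> dict:
    """Effective ATS rules for this URL's host (exact host match only;
    NSIncludesSubdomains is not modelled here)."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    exc = ats.get("NSExceptionDomains", {}).get(urlsplit(url).hostname or "")
    if exc is not None:  # exception keys override the global setting for this host
        return {"allow_http": exc.get("NSExceptionAllowsInsecureHTTPLoads", False),
                "min_tls": exc.get("NSExceptionMinimumTLSVersion", "TLSv1.2"),
                "require_fs": exc.get("NSExceptionRequiresForwardSecrecy", True)}
    if ats.get("NSAllowsArbitraryLoads", False):  # ATS switched off globally
        return {"allow_http": True, "min_tls": None, "require_fs": False}
    return {"allow_http": False, "min_tls": "TLSv1.2", "require_fs": True}

def tls_tuple(name: str) -> tuple:
    """'TLSv1.2' -> (1, 2); 'TLSv1' -> (1, 0), as printed by openssl s_client."""
    parts = (name[4:] if name.startswith("TLSv") else name).split(".")
    return int(parts[0]), (int(parts[1]) if len(parts) > 1 else 0)

def connection_allowed(policy: dict, url: str, protocol: str, cipher: str) -> bool:
    """Would ATS permit this load, given the negotiated protocol and cipher?"""
    if urlsplit(url).scheme != "https":
        return policy["allow_http"]
    if policy["min_tls"] and tls_tuple(protocol) < tls_tuple(policy["min_tls"]):
        return False
    # ATS forward-secrecy suites use ECDHE key exchange (simplified name check).
    if policy["require_fs"] and not cipher.startswith("ECDHE-"):
        return False
    return True
```

Feed it the "Protocol" and "Cipher" values from the s_client session to see why a given domain fails under the app's Info.plist before touching the exception keys.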
Debugging ATS Connections
1. The first option for debugging a network problem is a traffic-inspection tool such as Burp Suite (see https://portswigger.net/burp/).
2. On a Mac we can also use built-in tools such as tcpdump. To debug higher-level protocols such as HTTP we can use tcpflow, which can be installed from the following link:
http://macappstore.org/tcpflow/
3. For iOS packet tracing we can use a Remote Virtual Interface (RVI). Please refer to the following link.
4. When ATS is in use the traffic is encrypted, so the data is not directly visible in the packet-capture tools above. In that case use CFNetwork Diagnostic Logging; please refer to the following link:
https://developer.apple.com/library/ios/qa/qa1887/_index.html#//apple_ref/doc/uid/DTS40015177
5. In some cases it is useful to connect to a server and issue commands to it by hand for testing. If the protocol runs over TLS, the best option is the s_client subcommand of the openssl tool. An example command:
openssl s_client -connect www.apple.com:443
Please refer to: https://developer.apple.com/library/ios/technotes/tn2232/_index.html#//apple_ref/doc/uid/DTS40012884
6. Using the nscurl tool to diagnose ATS connection issues. In OS X v10.11 and later, you can use the /usr/bin/nscurl tool to help diagnose connection issues caused by App Transport Security. The command line:
/usr/bin/nscurl --ats-diagnostics https://apple.com
Most of the above content is taken from Apple's technical documentation:
https://developer.apple.com/library/ios/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html