App Transport Security

Platforms: iOS 9.0 and later, OS X v10.11 and later

Summary:
-   Secure connections between the app and its back end
-   HTTPS exclusively
-   Strong Internet security by default in iOS and OS X apps and in app extensions

Protocol: TLS 1.2 and later

Certificates:
-   SHA-2 256 bits
-   ECC 256 bits
-   RSA 2048 bits

Forward secrecy (FS) cipher suites:
-   TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
-   TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
-   TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
-   TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
-   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
-   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
-   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
-   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
-   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

When the back-end server does not follow the ATS rules (e.g. it uses a lower TLS version, plain HTTP, or a self-signed certificate), the app must declare an exception (a whitelist) for that domain. This only requires editing the app's "Info.plist".
Here are some sample settings:


-   Allowing lowered security
This exception lets the domain use a TLS version lower than TLS v1.2, or a cipher suite that does not provide FS:
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>your_server.example.com</key>
        <dict>
            <key>NSThirdPartyExceptionMinimumTLSVersion</key>
            <string>TLSv1.0</string>
            <key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
            <false/>
        </dict>
    </dict>
</dict>


-   Allowing HTTP / self-signed (insecure connection)
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>your_server.example.com</key>
        <dict>
            <key>NSThirdPartyExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
</dict>



-   Turn off ATS
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>


P.S. If the domain is not controlled by the developer, it needs the "NSThirdPartyException" form of the key. I do not know what the difference is, but it works for me.
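The three Info.plist snippets above are easy to drop in and forget, so a reviewer usually wants a quick way to list every host an app has exempted from ATS and how far each exemption goes. The script below is an added example, not code from the original post or from Apple: it reads an Info.plist with the standard-library plistlib, walks NSAppTransportSecurity, and reports NSAllowsArbitraryLoads, lowered minimum TLS versions, disabled forward secrecy and insecure HTTP loads. It accepts both the NSThirdPartyException prefix used on this page and the NSException prefix that Apple also documents (treated here as equivalent, an assumption); the severities and the sample plist (hosts legacy/plain/ok.example.com) are constructed for the demonstration.

```python
"""Audit the ATS (NSAppTransportSecurity) section of an iOS/OS X Info.plist.

Added example (not the post's own code): lists every setting that weakens
ATS so a reviewer sees which hosts fall outside the TLS 1.2 / forward
secrecy / HTTPS-only defaults.
"""
import plistlib

# ATS accepts exception keys with either prefix; the post uses the
# NSThirdPartyException form (assumed equivalent to NSException here).
PREFIXES = ("NSException", "NSThirdPartyException")


def _get(domain_rules, suffix):
    """Return the value of an exception key under either prefix, or None."""
    for prefix in PREFIXES:
        if prefix + suffix in domain_rules:
            return domain_rules[prefix + suffix]
    return None


def _tls_minor(version):
    """Map 'TLSv1.0'..'TLSv1.3' to a float (1.0..1.3); None if unparseable."""
    if not isinstance(version, str) or not version.startswith("TLSv"):
        return None
    try:
        return float(version[len("TLSv"):])
    except ValueError:
        return None


def audit_ats(plist_bytes):
    """Return a list of (severity, message) findings for one Info.plist."""
    info = plistlib.loads(plist_bytes)
    findings = []
    ats = info.get("NSAppTransportSecurity")
    if ats is None:
        # No dictionary at all means the ATS defaults are in force.
        findings.append(("info", "no NSAppTransportSecurity key: ATS defaults apply"))
        return findings
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append(("high", "NSAllowsArbitraryLoads=true: ATS disabled for all hosts"))
    for host, rules in ats.get("NSExceptionDomains", {}).items():
        tls = _get(rules, "MinimumTLSVersion")
        if tls is not None:
            minor = _tls_minor(tls)
            # Anything below TLS 1.2 (or an unrecognised value) is a downgrade.
            if minor is None or minor < 1.2:
                findings.append(("medium", f"{host}: minimum TLS version lowered to {tls}"))
        if _get(rules, "RequiresForwardSecrecy") is False:
            findings.append(("medium", f"{host}: forward secrecy not required"))
        if _get(rules, "AllowsInsecureHTTPLoads"):
            findings.append(("high", f"{host}: insecure HTTP loads allowed"))
    return findings


# Constructed sample combining the post's first two exception types plus one
# host whose exception keeps the ATS minimums (and so produces no finding).
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.demo</string>
    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSExceptionDomains</key>
        <dict>
            <key>legacy.example.com</key>
            <dict>
                <key>NSThirdPartyExceptionMinimumTLSVersion</key>
                <string>TLSv1.0</string>
                <key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
                <false/>
            </dict>
            <key>plain.example.com</key>
            <dict>
                <key>NSExceptionAllowsInsecureHTTPLoads</key>
                <true/>
            </dict>
            <key>ok.example.com</key>
            <dict>
                <key>NSExceptionMinimumTLSVersion</key>
                <string>TLSv1.2</string>
                <key>NSExceptionRequiresForwardSecrecy</key>
                <true/>
            </dict>
        </dict>
    </dict>
</dict>
</plist>
"""

# Constructed sample of the post's third snippet: ATS switched off entirely.
SAMPLE_ATS_OFF = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSAllowsArbitraryLoads</key>
        <true/>
    </dict>
</dict>
</plist>
"""

if __name__ == "__main__":
    for sample in (SAMPLE_INFO_PLIST, SAMPLE_ATS_OFF):
        for severity, message in audit_ats(sample):
            print(f"[{severity}] {message}")
```

Run it against a real app's Info.plist by replacing the sample bytes with the file's contents (plistlib.loads also accepts the binary plist format that Xcode may emit). Any "high" finding is an exemption that should be justified in review, since it removes the protection the summary above describes.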
