A talk about the new security feature App Transport Security (ATS), enabled in the iOS 9 and OS X 10.11 SDKs. What is it, and what are the impacts for us developers?
2. What?
ATS is the default security configuration that apps must conform to.
Apple deprecates plain HTTP ;)
It applies to all connections made through
NSURLConnection, CFURL, or NSURLSession,
starting with the iOS 9 & OS X 10.11 SDKs.
3. Security Requirements
The server must support Transport Layer Security
(TLS) protocol version 1.2.
Connection ciphers are limited to those that
provide forward secrecy (TLS_ECDHE*).
Certificates must be signed using a SHA256 or
better signature hash algorithm, with either a 2048
bit or greater RSA key or a 256 bit or greater
Elliptic-Curve (ECC) key.
4. Not Respecting the Rules = Punishment
The handshake fails and the console shows:
AppTransport[71704:4475213] CFNetwork SSLHandshake failed (-9801)
AppTransport[71704:4475213] NSURLSession/NSURLConnection HTTP
load failed (kCFStreamErrorDomainSSL, -9801)
When logging the network error object:
Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has
occurred and a secure connection to the server cannot be made."
5. How To Check?
Compile with the iOS 9 or OS X 10.11 SDK and check whether the
connection succeeds (and the logs); look up the error code in
SecureTransport.h.
+ add extra logging with the environment variable CFNETWORK_DIAGNOSTICS=1
-> verbose and hard to analyze
Open the URL in a browser for a quick (and dirty) check.
nscurl (available starting OS X 10.11; the best choice):
nscurl --ats-diagnostics --verbose https://x.co
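As an added example (not code from the talk, and not Apple's), the rules from the "Security Requirements" slide and the manual checks from the "How To Check" slide condensed into a small Python audit script: `ats_violations` evaluates a server profile against the TLS 1.2, ECDHE forward-secrecy, SHA-256 signature and key-size requirements, and `probe_server` fills such a profile from a live handshake. The class and function names are this example's own, the two sample profiles are constructed rather than real servers, and the certificate fields of the live probe rely on the third-party `cryptography` package when it is installed.

```python
"""Offline-checkable model of the App Transport Security (ATS) server
requirements listed in the talk, plus an optional live probe.

Added example for this page, not Apple's code and not the talk's own
material.  `ServerProfile`, `ats_violations` and `probe_server` are names
chosen here.  The rules encoded are the three from the 'Security
Requirements' slide: TLS 1.2, forward-secrecy (ECDHE) cipher suites, and a
SHA-256-or-better certificate signature over an RSA >= 2048-bit or
EC >= 256-bit key.
"""
import socket
import ssl
from dataclasses import dataclass


@dataclass
class ServerProfile:
    """What a TLS handshake with the server revealed (or a constructed sample)."""
    tls_version: str   # e.g. "TLSv1.2"
    cipher: str        # IANA or OpenSSL-style name, e.g. "ECDHE-RSA-AES128-GCM-SHA256"
    sig_hash: str      # hash used in the leaf certificate's signature, e.g. "sha256"
    key_type: str      # "RSA" or "EC"
    key_bits: int      # public key size in bits


# Hashes that satisfy "SHA256 or better" for the certificate signature.
ACCEPTABLE_SIG_HASHES = ("sha256", "sha384", "sha512")
MIN_RSA_BITS = 2048
MIN_EC_BITS = 256


def ats_violations(p: ServerProfile) -> list:
    """Return the ATS requirements the profile fails (empty list == compliant)."""
    problems = []
    # 1. Protocol: TLS 1.2 is the minimum; a newer version is not a downgrade.
    if p.tls_version not in ("TLSv1.2", "TLSv1.3"):
        problems.append("protocol: %s negotiated, TLS 1.2 required" % p.tls_version)
    # 2. Cipher: must provide forward secrecy, i.e. an ECDHE key exchange.
    #    TLS 1.3 suites always use ephemeral key exchange, so they pass by design.
    name = p.cipher.upper()
    has_fs = (p.tls_version == "TLSv1.3"
              or name.startswith("TLS_ECDHE_") or name.startswith("ECDHE-"))
    if not has_fs:
        problems.append("cipher: %s lacks forward secrecy (ECDHE required)" % p.cipher)
    # 3a. Certificate signature hash: SHA-256 or better (SHA-1 certificates fail).
    h = p.sig_hash.lower().replace("-", "")
    if not any(ok in h for ok in ACCEPTABLE_SIG_HASHES):
        problems.append("certificate: signed with %s, SHA-256 or better required" % p.sig_hash)
    # 3b. Key size: RSA >= 2048 bits, or EC >= 256 bits.
    kt = p.key_type.upper()
    if kt == "RSA" and p.key_bits < MIN_RSA_BITS:
        problems.append("key: RSA %d bits, at least %d required" % (p.key_bits, MIN_RSA_BITS))
    elif kt in ("EC", "ECC", "ECDSA") and p.key_bits < MIN_EC_BITS:
        problems.append("key: EC %d bits, at least %d required" % (p.key_bits, MIN_EC_BITS))
    elif kt not in ("RSA", "EC", "ECC", "ECDSA"):
        problems.append("key: unsupported key type %s" % p.key_type)
    return problems


def probe_server(host: str, port: int = 443) -> ServerProfile:
    """Live probe (needs network; not exercised by the offline samples below).

    Protocol and cipher come from the standard ssl module.  Like ATS itself,
    the default context refuses anything below TLS 1.2 and untrusted
    certificates, so a handshake failure here is the same signal as the
    -9801 error on the device.  Signature hash and key size need the
    third-party `cryptography` package and are reported as unknown without it.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            version = tls.version()
            cipher_name = tls.cipher()[0]
            der = tls.getpeercert(binary_form=True)
    sig_hash, key_type, key_bits = "unknown", "unknown", 0
    try:
        from cryptography import x509
        from cryptography.hazmat.primitives.asymmetric import ec, rsa
        cert = x509.load_der_x509_certificate(der)
        sig_hash = cert.signature_hash_algorithm.name
        pub = cert.public_key()
        if isinstance(pub, rsa.RSAPublicKey):
            key_type, key_bits = "RSA", pub.key_size
        elif isinstance(pub, ec.EllipticCurvePublicKey):
            key_type, key_bits = "EC", pub.curve.key_size
    except ImportError:
        pass
    return ServerProfile(version, cipher_name, sig_hash, key_type, key_bits)


# Constructed samples (not real servers): one compliant profile and one with
# the classic 2015-era failures (TLS 1.0, RSA key exchange, SHA-1 cert, 1024-bit key).
COMPLIANT = ServerProfile("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", "sha256", "RSA", 2048)
LEGACY = ServerProfile("TLSv1.0", "AES128-SHA", "sha1", "RSA", 1024)

if __name__ == "__main__":
    for label, prof in (("compliant", COMPLIANT), ("legacy", LEGACY)):
        v = ats_violations(prof)
        print(label, "OK" if not v else "FAILS:", *v, sep="\n  ")
```

Run it as-is to see the two constructed profiles graded; pass a hostname to `probe_server` and feed the result to `ats_violations` to audit a real endpoint before shipping with ATS enabled. The live probe deliberately keeps Python's default TLS context so that it fails in the same situations the device would.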
12. Refs
Apple Technote: https://developer.apple.com/library/prerelease/ios/technotes/App-Transport-Security-Technote/index.html
Apple Video WWDC 2015 - Session 711 - Networking with NSURLSession
Example of App Transport Security configuration: http://www.neglectedpotential.com/2015/06/working-with-apples-application-transport-security/
Tips about issues with App Transport Security: http://timekl.com/blog/2015/08/21/shipping-an-app-with-app-transport-security/
Apple Secure Transport error codes: http://www.opensource.apple.com/source/Security/Security-55179.13/libsecurity_ssl/Security/SecureTransport.h