HTTP is a plaintext protocol. As such, it creates inherent security and privacy concerns when used by applications. Apple, for instance has (finally) decided to start treating the secure alternative, HTTPS, as the de facto Web protocol for iOS mobile apps. At WWDC16, Apple pointed out that enabling HTTPS doesn’t necessarily mean that you’re secure. There are many ways in which HTTPS can be improperly configured. Thus, resulting in the use of insecure connections.
What Is Application Transport Security (ATS)?
ATS was introduced by Apple in iOS 9 as a built-in utility to protect network communications. Out-of-the-box, ATS enforces a TLS configuration with the following criteria:
- Apps can only connect to servers using the TLS 1.2 protocol.
- Apps can only connect to servers providing strong ciphers.
- Strong ciphers are described as AES128+ and SHA2+
- Apps must connect to servers using perfect forward secrecy (PFS). However, Apple has stated that they’ll allow exceptions to this (for now).
At Cigital, we test many iOS 9 apps. We’ve observed that most developers tend to disable ATS completely (via the Info.plist, using “Allowing Arbitrary Loads”). While this is currently acceptable to Apple, they’ve announced that at the end of 2016 they will no longer allow it.
Enforcement Is Coming
With the start of 2017, applications with ATS exceptions will require a valid reason for Apple to grant an exception. Acceptance will be at Apple’s discretion during App Store review. Therefore, app developers should begin planning for this now—if you haven’t already.
Engineering teams should start working with architectural and infrastructure teams to discuss how and when to implement secure server-side TLS configuration.
Diagnosing Connectivity Problems
Once you’ve enabled server-side TLS, you can check your configuration and identify compatibility issues. Go about this by using nscurl on an OSX/macOS system. For example, using www.cigital.com as the target domain:
This returns the following output:
Starting ATS Diagnostics Configuring ATS Info.plist keys anddisplaying the result of HTTPS loads tohttps://www.cigital.com. Atest will"PASS"ifURLSession:task:didCompleteWithError:returnsanil error. Use'--verbose'toview the ATS dictionaries used andtodisplay the error received inURLSession:task:didCompleteWithError:. ================================================================================ DefaultATS Secure Connection --- ATS DefaultConnection Result:PASS --- ================================================================================ Allowing Arbitrary Loads --- Allow All Loads Result:PASS --- ================================================================================ Configuring TLS exceptions forwww.cigital.com --- TLSv1.2 Result:PASS --- --- TLSv1.1 Result:PASS --- --- TLSv1.0 Result:PASS --- ================================================================================ Configuring PFS exceptions forwww.cigital.com --- Disabling Perfect Forward Secrecy Result:PASS --- ================================================================================ Configuring PFS exceptions andallowing insecure HTTP forwww.cigital.com --- Disabling Perfect Forward Secrecy andAllowing Insecure HTTP Result:PASS --- ================================================================================ Configuring TLS exceptions with PFS disabled forwww.cigital.com --- TLSv1.2with PFS disabled Result:PASS --- --- TLSv1.1with PFS disabled Result:PASS --- --- TLSv1.0with PFS disabled Result:PASS --- ================================================================================ Configuring TLS exceptions with PFS disabled andinsecure HTTP allowed forwww.cigital.com --- TLSv1.2with PFS disabled andinsecure HTTP allowed Result:PASS --- --- TLSv1.1with PFS disabled andinsecure HTTP allowed Result:PASS --- --- TLSv1.0with PFS disabled andinsecure HTTP allowed Result:PASS --- ================================================================================
In this instance, the key output is as follows:
DefaultATS Secure Connection --- ATS DefaultConnection Result:PASS ---
This output shows that the server supports the default ATS connection. Thus, ATS will work out-of-the-box for this host. Your application will now be able to communicate to this host securely (without disabling ATS). If the output says FAIL, something is misconfigured and the issue requires further diagnosis.
Alternatively, developers can set the CFNETWORK_DIAGNOSTICS environment variable to 1 within the Xcode project. This captures networking-based debug logging which too can help diagnose ATS connection issues.
What If I Can't Enable Strong TLS Right Now?
There are numerous exception types available within ATS, most of which have legitimate use cases. Here are some examples:
- NSAllowArbitraryLoads – Disables ATS policy enforcement. Allows apps to connect via insecure HTTPS channels and via HTTP.
- NSExceptionAllowsInsecureHTTPLoads – Allows connections to this domain via the HTTP protocol.
- NSExceptionMinimumTLSVersion – Lowers the TLS minimum version required from 1.2 to the value declared.
- NSExceptionRequiresForwardSecrecy – Disables the requirement for PFS.
- NSAllowsArbitraryLoadsInMedia – Used for streaming remote media via AVFoundation.
- This was not available until iOS 10.
- NSAllowsArbitraryLoadsInWebContent – Used for accessing and displaying Web content through WKWebView objects.
- This was not available until iOS 10.
- NSThirdPartyExceptionAllowsInsecureHTTPLoads – See above, but for third-party domains.
- NSThirdPartyExceptionRequiresForwardSecrecy – See above, but for third-party domains.
- NSThirdPartyExceptionMinimumTLSVersion – See above, but for third-party domains.
What About Domains I Don't Own?
Many applications communicate with third-party domains in addition to the domains under the same ownership as the application itself. In this scenario, you can disable ATS for a specific domain, declaring also that it is a third-party domain. Here’s how to achieve this:
<key>NSAppTransportSecurity</key> <dict> <key>NSExceptionDomains</key> <dict> <key>www.cigital.com</key> <dict> <key>NSThirdPartyExceptionAllowsInsecureHTTPLoads</key> <true/> </dict> </dict> </dict>
In this scenario, NSThirdPartyExceptionAllowsInsecureHTTPLoads is set to true. This allows HTTP connections for the www.cigital.com host.
It is also advisable to speak to your third-party vendors and ask them to upgrade their infrastructure to support ATS where possible. Of course, exceptions (such as those seen above) will require justification during App Store review. It’s important to bear this in mind.
Summing it up.
ATS enforcement is looming. As such, start planning support for ATS now in order to meet the deadline. Don’t panic if you’re finding that you can’t enable ATS globally. There are justifiable exceptions that Apple will consider. However, make an attempt to plan your release dates accordingly to compensate for any push-back from Apple.
When possible, also strive to comply with ATS configuration rather than relying on exceptions. This avoids unnecessary delays when going live, and most importantly provides greater security to the app and its users.