Over a million developers have joined DZone.

Brace Yourselves: Application Transport Security Is Coming

ATS enforcement is looming. As such, start planning support for ATS now in order to meet the deadline.

· Security Zone

Discover how to protect your applications from known and unknown vulnerabilities.

application transport security

HTTP is a plaintext protocol. As such, it creates inherent security and privacy concerns when used by applications. Apple, for instance has (finally) decided to start treating the secure alternative, HTTPS, as the de facto Web protocol for iOS mobile apps. At WWDC16, Apple pointed out that enabling HTTPS doesn’t necessarily mean that you’re secure. There are many ways in which HTTPS can be improperly configured. Thus, resulting in the use of insecure connections.

What Is Application Transport Security (ATS)?

ATS was introduced by Apple in iOS 9 as a built-in utility to protect network communications. Out-of-the-box, ATS enforces a TLS configuration with the following criteria:

  • Apps can only connect to servers using the TLS 1.2 protocol.
  • Apps can only connect to servers providing strong ciphers.
    • Strong ciphers are described as AES128+ and SHA2+
  • Apps must connect to servers using perfect forward secrecy (PFS). However, Apple has stated that they’ll allow exceptions to this (for now).

Disabling ATS

At Cigital, we test many iOS 9 apps. We’ve observed that most developers tend to disable ATS completely (via the Info.plist, using “Allowing Arbitrary Loads”). While this is currently acceptable to Apple, they’ve announced that at the end of 2016 they will no longer allow it.

Enforcement Is Coming

With the start of 2017, applications with ATS exceptions will require a valid reason for Apple to grant an exception. Acceptance will be at Apple’s discretion during App Store review. Therefore, app developers should begin planning for this now—if you haven’t already.

Engineering teams should start working with architectural and infrastructure teams to discuss how and when to implement secure server-side TLS configuration.

Diagnosing Connectivity Problems

Once you’ve enabled server-side TLS, you can check your configuration and identify compatibility issues. Go about this by using nscurl on an OSX/macOS system. For example, using www.cigital.com as the target domain:

nscurl--ats-diagnostics https://www.cigital.com

This returns the following output:

Starting ATS Diagnostics

Configuring ATS Info.plist keys anddisplaying the result of HTTPS loads tohttps://www.cigital.com.  

Atest will"PASS"ifURLSession:task:didCompleteWithError:returnsanil error.

Use'--verbose'toview the ATS dictionaries used andtodisplay the error received inURLSession:task:didCompleteWithError:.

================================================================================

DefaultATS Secure Connection

---

ATS DefaultConnection  

Result:PASS

---

================================================================================

Allowing Arbitrary Loads

---

Allow All Loads  

Result:PASS

---

================================================================================

Configuring TLS exceptions forwww.cigital.com

---

TLSv1.2

Result:PASS

---

---

TLSv1.1

Result:PASS

---

---

TLSv1.0

Result:PASS

---

================================================================================

Configuring PFS exceptions forwww.cigital.com

---

Disabling Perfect Forward Secrecy  

Result:PASS

---

================================================================================

Configuring PFS exceptions andallowing insecure HTTP forwww.cigital.com

---

Disabling Perfect Forward Secrecy andAllowing Insecure HTTP  

Result:PASS

---

================================================================================

Configuring TLS exceptions with PFS disabled forwww.cigital.com

---

TLSv1.2with PFS disabled  

Result:PASS

---

---

TLSv1.1with PFS disabled  

Result:PASS

---

---

TLSv1.0with PFS disabled  

Result:PASS

---

================================================================================

Configuring TLS exceptions with PFS disabled andinsecure HTTP allowed forwww.cigital.com

---

TLSv1.2with PFS disabled andinsecure HTTP allowed  

Result:PASS

---

---

TLSv1.1with PFS disabled andinsecure HTTP allowed  

Result:PASS

---

---

TLSv1.0with PFS disabled andinsecure HTTP allowed  

Result:PASS

---

================================================================================

In this instance, the key output is as follows:

DefaultATS Secure Connection

---

ATS DefaultConnection  

Result:PASS

---

This output shows that the server supports the default ATS connection. Thus, ATS will work out-of-the-box for this host. Your application will now be able to communicate to this host securely (without disabling ATS). If the output says FAIL, something is misconfigured and the issue requires further diagnosis.

Alternatively, developers can set the CFNETWORK_DIAGNOSTICS environment variable to 1 within the Xcode project. This captures networking-based debug logging which too can help diagnose ATS connection issues.

What If I Can't Enable Strong TLS Right Now?

There are numerous exception types available within ATS, most of which have legitimate use cases. Here are some examples:

  • NSAllowArbitraryLoads – Disables ATS policy enforcement. Allows apps to connect via insecure HTTPS channels and via HTTP.
  • NSExceptionAllowsInsecureHTTPLoads – Allows connections to this domain via the HTTP protocol.
  • NSExceptionMinimumTLSVersion – Lowers the TLS minimum version required from 1.2 to the value declared.
  • NSExceptionRequiresForwardSecrecy – Disables the requirement for PFS.
  • NSAllowsArbitraryLoadsInMedia – Used for streaming remote media via AVFoundation.
    • This was not available until iOS 10.
  • NSAllowsArbitraryLoadsInWebContent – Used for accessing and displaying Web content through WKWebView objects.
    • This was not available until iOS 10.
  • NSThirdPartyExceptionAllowsInsecureHTTPLoads – See above, but for third-party domains.
  • NSThirdPartyExceptionRequiresForwardSecrecy – See above, but for third-party domains.
  • NSThirdPartyExceptionMinimumTLSVersion – See above, but for third-party domains.

What About Domains I Don't Own?

Many applications communicate with third-party domains in addition to the domains under the same ownership as the application itself. In this scenario, you can disable ATS for a specific domain, declaring also that it is a third-party domain. Here’s how to achieve this:

<key>NSAppTransportSecurity</key>

    <dict>

        <key>NSExceptionDomains</key>

        <dict>

            <key>www.cigital.com</key>

             <dict>

                <key>NSThirdPartyExceptionAllowsInsecureHTTPLoads</key>

            <true/>

        </dict>

    </dict>

</dict>

In this scenario, NSThirdPartyExceptionAllowsInsecureHTTPLoads is set to true. This allows HTTP connections for the www.cigital.com host.


It is also advisable to speak to your third-party vendors and ask them to upgrade their infrastructure to support ATS where possible. Of course, exceptions (such as those seen above) will require justification during App Store review. It’s important to bear this in mind.

Summing it up.

ATS enforcement is looming. As such, start planning support for ATS now in order to meet the deadline. Don’t panic if you’re finding that you can’t enable ATS globally. There are justifiable exceptions that Apple will consider. However, make an attempt to plan your release dates accordingly to compensate for any push-back from Apple.

When possible, also strive to comply with ATS configuration rather than relying on exceptions. This avoids unnecessary delays when going live, and most importantly provides greater security to the app and its users.

Find out how Waratek’s award-winning virtualization platform can improve your web application security, development and operations without false positives, code changes or slowing your application.

Topics:
security ,ats

Published at DZone with permission of Grant Douglas, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

The best of DZone straight to your inbox.

SEE AN EXAMPLE
Please provide a valid email address.

Thanks for subscribing!

Awesome! Check your inbox to verify your email so you can start receiving the latest in tech news and resources.
Subscribe

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}