Friday, July 17, 2015

App Transport Security

WWDC 2015 Session 706 (video, PDF):

If you link your app against OS X El Capitan or iOS 9, by default it won’t be able to make any unprotected HTTP connections; they will simply fail, and any TLS connections that your app makes will have to adhere to these best practices that I just described. And that’s TLS 1.2 with forward secrecy. Cryptographic primitives that are known to be insecure are not allowed, and there are minimum key size requirements put in place.

Now, you may not be able to comply with all of these restrictions immediately, and that’s okay, you can specify exceptions in your Info.plist either on a case-by-case basis for each domain or as a global override. But, as an industry we have to very soon get to a point where no user information hits the network unencrypted, and we need your help.

What’s New in iOS 9:

App Transport Security (ATS) lets an app add a declaration to its Info.plist file that specifies the domains with which it needs secure communication. ATS prevents accidental disclosure, provides secure default behavior, and is easy to adopt. You should adopt ATS as soon as possible, regardless of whether you’re creating a new app or updating an existing one.

If you’re developing a new app, you should use HTTPS exclusively. If you have an existing app, you should use HTTPS as much as you can right now, and create a plan for migrating the rest of your app as soon as possible.

WWDC 2015 Session 711 (video, PDF):

Essentially all you have to do is declare which domain needs to load over HTTP and NSURLSession will still allow that cleartext load.

Now we also know that some of you may be supporting a general purpose web browser or another app that loads URLs based off dynamic user input, and we’ve allowed for that case.


So, do note that ATS is only active if you build against a current SDK.


NSURLSession will transfer all HTTP resources or loads URLs to HTTPS automatically.

App Transport Security Technote:

All secure HTTP (HTTPS) connections follow the App Transport Security default behavior in apps built for iOS 9.0 or later, and OS X 10.11 or later. Connections that do not follow the requirements will fail.


You can specify exceptions to the default behavior in the Info.plist in your app or extension. Keys in the plist are used for specific exceptions or to turn off App Transport Security. Table 1-1 shows the keys and their types.

Blake Gentry (comments):

The ideas behind App Transport Security are great. It’s essentially HTTP Strict Transport Security for apps, making it much harder for developers to inadvertently disclose private user information. The feature will benefit the privacy and security of millions of Apple customers. The writing is also on the wall that Apple intends to make this feature mandatory at some point, essentially deprecating plaintext HTTP altogether.

Apple, however, has yet to take their own advice. There are many OS X components and Apple apps that still do not use encryption exclusively, relying on HTTP over port 80. Here’s an example from the brand new Photos app, communicating with AWS S3 over port 80 […] So far I’ve encountered 9 separate OS X services or first-party apps that are still relying on plaintext HTTP.

See also: The Rush to “Deprecate” HTTP.
