{"id":12121,"date":"2015-08-28T10:20:00","date_gmt":"2015-08-28T14:20:00","guid":{"rendered":"http:\/\/mjtsai.com\/blog\/?p=12121"},"modified":"2015-10-13T17:28:16","modified_gmt":"2015-10-13T21:28:16","slug":"shipping-an-app-with-app-transport-security","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2015\/08\/28\/shipping-an-app-with-app-transport-security\/","title":{"rendered":"Shipping an App With App Transport Security"},"content":{"rendered":"

Tim Ekl<\/a> (tweet<\/a>):<\/p>\r\n

\r\n

This article is aimed at a different purpose: to look at the different speed bumps that can show up while building an app alongside ATS, and to explain how to get around them. There are lots of great little tricks that have only cropped up in OS X release notes or on Stack Overflow, or that can only be discovered by building a sample app.<\/p>\r\n

[…]<\/p>\r\n

With this more extensive ATS dictionary in our app’s Info.plist, we turn the\r\n“allows insecure HTTP loads” flag back off for the example.com<\/code> domain and all\r\nits subdomains. When our app makes any connection to a host in that domain,\r\nthen, we’ll be receiving the full protection of ATS.<\/p>\r\n

This exception mechanism can handle even more complex scenarios. For example,\r\nconsider what might happen if most servers in example.com<\/code> were correctly\r\nsecured with HTTPS, but one server – say, insecure.example.com<\/code> – wasn’t yet\r\nfully ATS-compatible. We can handle this by defining another more specific\r\nexception for just that host[…]<\/p>\r\n

[…]<\/p>\r\n

In both of these error cases, we can set the environment variable\r\nCFNETWORK_DIAGNOSTICS<\/code> to 1<\/code><\/strong> in order to get more information on the console\r\nabout the failure. After turning this variable on in our app’s scheme, you’ll\r\nnotice a new log line with a path to a diagnostic file; this file, in turn, is\r\nfilled with information about all the actions the CFNetwork layer is taking on\r\nbehalf of your app’s networking code.<\/p>\r\n

[…]<\/p>\r\n

If you have access to an OS X machine running 10.11 or later, the\r\ncommand-line utility nscurl<\/code> provides some basic ATS debugging capabilities<\/strong>.<\/p>\r\n<\/blockquote>\r\n

Tristan Emrich<\/a>:<\/p>\r\n

While Google remains committed<\/a> to industry-wide adoption of HTTPS, there isn’t always full compliance on third party ad networks and custom creative code served via our systems. To ensure ads continue to serve on iOS9 devices for developers transitioning to HTTPS, the recommended short term fix<\/a> is to add an exception that allows HTTP requests to succeed and non-secure content to load successfully.<\/p><\/blockquote>\r\n

Note that this allows all<\/em> HTTP requests to succeed, not just ones pertaining to Google ads.<\/p>\r\n

Nick Heer<\/a>:<\/p>\r\n

So in a year where malware-laden ads are becoming increasingly frequent<\/a>, Google’s response is not to convert their ad network to HTTPS, but rather to tell developers to reduce the security of their apps.<\/p><\/blockquote>\r\n

Google update<\/a>:<\/p>\r\n

To be clear, developers should only consider disabling ATS if other approaches to comply with ATS standards are unsuccessful.<\/p><\/blockquote>\r\n

Previously: App Transport Security<\/a>.<\/p>\r\n

Update (2015-09-23): Keith Harrison<\/a>:<\/p>\r\n

So did Apple change the ATS policy between the public and GM releases? It sure seems like it. Luckily I have the CFNetwork debug logs from the device for both the failing GM test and the successful public release test. I have filed a bug (22763438) with Apple to see if they can explain what is happening. If I learn something that changes how we need to use ATS I will update here.<\/p>\r\n

[…]<\/p>\r\n

A clue to what might be happening is in this Apple Developer forum thread<\/a>. It seems there is\/was a bug where setting NSExceptionRequiresForwardSecrecy had a side effect of relaxing the SHA-256 signature requirement. Maybe Apple has relaxed the requirement so as not to break any Apps that now depend on the undocumented side effect of disabling forward secrecy.<\/p><\/blockquote>\r\n

Update (2015-10-13): Tim Ekl<\/a>:<\/p>\r\n

\r\n

ATS requirements apply at every step of a redirect. If you have a server rewriting URLs or otherwise redirecting to a different location, both that redirector and the new destination must meet ATS\u2019s requirements.<\/p>\r\n

It\u2019s not possible to add dynamic ATS exceptions. Every exception must be given in your app\u2019s Info.plist up front.<\/p>\r\n

Playgrounds and SFSafariViewController both ignore ATS. The latter can be a great way to show user-generated Web content, such as in a social media app.<\/p>\r\n<\/blockquote>","protected":false},"excerpt":{"rendered":"

Tim Ekl (tweet): This article is aimed at a different purpose: to look at the different speed bumps that can show up while building an app alongside ATS, and to explain how to get around them. There are lots of great little tricks that have only cropped up in OS X release notes or on […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"","apple_news_api_id":"","apple_news_api_modified_at":"","apple_news_api_revision":"","apple_news_api_share_url":"","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[354,56,51,31,1137,30,1199,476,355,48,581,96],"class_list":["post-12121","post","type-post","status-publish","format-standard","hentry","category-technology","tag-advertising","tag-debugging","tag-google","tag-ios","tag-ios-9","tag-mac","tag-mac-os-x-10-11","tag-networking","tag-privacy","tag-security","tag-ssltls","tag-web"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/12121","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=12121"}],"version-history":[{"count":4,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/12121\/revisions"}],"predecessor-version":[{"id":12531,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/12121\/revisions\/12531"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=12121"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=12121"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=12121"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}