App Transport Security by Nicolas Lauquin

SmallTalk: App Transport Security. CocoaHeads Paris, Thursday 09 September 2015, Nicolas Lauquin

Upload: cocoaheads-france

Post on 22-Jan-2018


TRANSCRIPT

SmallTalk

App Transport Security

CocoaHeads Paris, Thursday 09 September 2015, Nicolas Lauquin

What ?

ATS is the default security configuration that apps must conform to.

Apple deprecates HTTP ;)

Applies to all connections based on NSURLConnection, CFURL or NSURLSession

Starting with the iOS 9 and OS X 10.11 SDKs

Security Requirements

The server must support Transport Layer Security (TLS) protocol version 1.2.

Connection ciphers are limited to those that provide forward secrecy (TLS_ECDHE*)

Certificates must be signed using a SHA256 or better signature hash algorithm, with either a 2048 bit or greater RSA key or a 256 bit or greater Elliptic-Curve (ECC) key.

Not Respecting Rules = Punishment

AppTransport[71704:4475213] CFNetwork SSLHandshake failed (-9801)
AppTransport[71704:4475213] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801)

When logging the network error, the output is: Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made."

How To Check ?

Compile with the iOS 9 or OS X 10.11 SDK, check whether the connection succeeds (and the logs), and look up the error code in SecureTransport.h

Add extra logging with CFNETWORK_DIAGNOSTICS=1 -> very verbose, hard to analyze

Load the URL in a browser for a quick (and dirty) check

nscurl (available from 10.11, the best choice): nscurl --ats-diagnostics --verbose https://x.co
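nscurl only exists on OS X 10.11 and later. The following script is an added example (not from the talk) that reproduces the same pre-flight check from the "Security Requirements" and "How To Check?" slides with the Python standard library only: it handshakes the way ATS does (TLS 1.2 minimum, ECDHE-only cipher suites, so a failing handshake corresponds to the -9801 the slides show), then reads the leaf certificate's signature algorithm and key size out of the DER bytes with a minimal ASN.1 walker and grades each rule. The host name is taken from the command line; everything else is self-contained.

```python
"""ATS pre-flight check for a TLS server with the standard library only: TLS 1.2,
an ECDHE (forward-secret) suite, and a leaf certificate signed with SHA-256 or better
carrying an RSA key >= 2048 bits or an EC key >= 256 bits (read from the DER)."""
import socket
import ssl
import sys

# Signature algorithm OID -> hash length in bits (SHA-1 included so it fails visibly).
SIG_HASH_BITS = {
    "1.2.840.113549.1.1.5": 160,   # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": 256,  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": 384,  # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": 512,  # sha512WithRSAEncryption
    "1.2.840.10045.4.3.2": 256,    # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": 384,    # ecdsa-with-SHA384
    "1.2.840.10045.4.3.4": 512,    # ecdsa-with-SHA512
}
RSA_OID = "1.2.840.113549.1.1.1"
EC_OID = "1.2.840.10045.2.1"
EC_CURVE_BITS = {"1.2.840.10045.3.1.7": 256, "1.3.132.0.34": 384, "1.3.132.0.35": 521}

def der_tlv(buf, pos=0):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split the body of a SEQUENCE into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    """Decode a DER OBJECT IDENTIFIER body (first two arcs share one octet)."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def cert_facts(der):
    """Return (signature OID, public key OID, key size in bits) of a DER X.509 cert."""
    _, cert, _ = der_tlv(der)
    tbs, sig_alg, _signature = der_children(cert)
    sig_oid = decode_oid(der_children(sig_alg[1])[0][1])
    fields = der_children(tbs[1])
    if fields[0][0] == 0xA0:  # optional explicit [0] version comes first
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    alg, bit_string = der_children(fields[5][1])
    alg_parts = der_children(alg[1])
    key_oid = decode_oid(alg_parts[0][1])
    pub = bit_string[1][1:]  # skip the BIT STRING's unused-bits octet
    if key_oid == RSA_OID:  # RSAPublicKey ::= SEQUENCE { modulus, publicExponent }
        modulus = der_children(der_tlv(pub)[1])[0][1]
        key_bits = int.from_bytes(modulus, "big").bit_length()
    elif key_oid == EC_OID:  # the named curve OID sits in the algorithm parameters
        key_bits = EC_CURVE_BITS.get(decode_oid(alg_parts[1][1]), 0)
    else:
        key_bits = 0
    return sig_oid, key_oid, key_bits

def evaluate(protocol, cipher, sig_oid, key_oid, key_bits):
    """Apply the ATS rules to observed handshake facts; return rule -> pass/fail."""
    hash_bits = SIG_HASH_BITS.get(sig_oid, 0)
    key_ok = (key_oid == RSA_OID and key_bits >= 2048) or (key_oid == EC_OID and key_bits >= 256)
    return {
        "tls_1_2_or_later": protocol in ("TLSv1.2", "TLSv1.3"),
        # every TLS 1.3 suite uses an ephemeral key exchange, so it is forward secret
        "forward_secrecy": cipher.startswith("ECDHE") or protocol == "TLSv1.3",
        "sha256_or_better": hash_bits >= 256,
        "key_size": key_ok,
    }

def check_server(host, port=443, timeout=5.0):
    """Handshake the way ATS would (TLS >= 1.2, ECDHE only) and grade the result."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE")  # an SSLError raised here is the equivalent of -9801
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cipher, protocol, _bits = tls.cipher()
            der = tls.getpeercert(binary_form=True)
    return evaluate(protocol, cipher, *cert_facts(der))

if __name__ == "__main__":
    for rule, ok in check_server(sys.argv[1]).items():
        print(f"{rule:18} {'OK' if ok else 'KO'}")
```

Run it as `python ats_check.py api.example.com`; a server that only offers TLS 1.0 or non-ECDHE suites fails the handshake outright, which is exactly what an ATS-enabled app would experience, while a server that handshakes but carries a SHA-1 or 1024-bit RSA certificate shows up as KO on the certificate rules.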

Exceptions

Trick OK: to test against an ATS-compliant API:

Example with the IC server on OS X 10.10.5

IC Server: ATS KO

IC Server v2 -> with certificate update

Better, but still KO

Configuration Info.plist

This configuration is needed until the upgrade to El Capitan, which will support TLSv1.2 and forward secrecy. ATS OK
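The Info.plist slide is only a screenshot in the transcript, so here is an added example (not the speaker's own file) of what such a temporary exception looks like. The host name ic-server.example.com is an assumed stand-in for the legacy IC server, and the minimum TLS version it is assumed to speak is TLSv1.0; the keys themselves (NSAppTransportSecurity, NSExceptionDomains, NSExceptionMinimumTLSVersion, NSExceptionRequiresForwardSecrecy, NSExceptionAllowsInsecureHTTPLoads, NSAllowsArbitraryLoads) are Apple's documented ATS keys. The blanket switch is shown commented out beside the scoped exception so the two can be compared.

```xml
<!-- Fragment of an app's Info.plist (added example; the domain is a placeholder). -->
<key>NSAppTransportSecurity</key>
<dict>
    <!-- Weak setting, shown for contrast and left disabled: turns ATS off for
         every connection the app makes, so plain HTTP and TLS 1.0 without forward
         secrecy become acceptable towards any host, not just the one legacy server.
    <key>NSAllowsArbitraryLoads</key>
    <true/>
    -->

    <!-- Scoped setting: relax only what the one legacy server lacks and keep ATS
         fully enforced for every other host. Remove this entry once the server
         runs on El Capitan with TLSv1.2 and forward-secret ciphers. -->
    <key>NSExceptionDomains</key>
    <dict>
        <key>ic-server.example.com</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>
            <!-- Assumed: the OS X 10.10.5 server only negotiates TLS 1.0. -->
            <key>NSExceptionMinimumTLSVersion</key>
            <string>TLSv1.0</string>
            <!-- It also offers no TLS_ECDHE* suites, so forward secrecy cannot be required. -->
            <key>NSExceptionRequiresForwardSecrecy</key>
            <false/>
            <!-- Still require HTTPS: the slides never need cleartext, only older TLS. -->
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <false/>
        </dict>
    </dict>
</dict>
```

Each exception widens the attack surface only for the named domain (and its subdomains when NSIncludesSubdomains is true), which is why the per-domain form is preferable to NSAllowsArbitraryLoads even as a stopgap; the `nscurl --ats-diagnostics` run from the previous slide reports which of these keys the server actually needs, so the exception can be kept as narrow as the server requires.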

Refs

Apple Technote: https://developer.apple.com/library/prerelease/ios/technotes/App-Transport-Security-Technote/index.html

Apple Video WWDC2015 - 711 - Network with NSURLSESSION

Example of an App Transport Security configuration: http://www.neglectedpotential.com/2015/06/working-with-apples-application-transport-security/

Tips about issues with App Transport Security: http://timekl.com/blog/2015/08/21/shipping-an-app-with-app-transport-security/

Apple Secure Transport error codes: http://www.opensource.apple.com/source/Security/Security-55179.13/libsecurity_ssl/Security/SecureTransport.h

CocoaHeads Paris, App Transport Security

Nicolas Lauquin [email protected] @nlauquin