lapadets

Reputation: 1095

iOS app communicating with https only and Apple Transport Security Impact

My question is related to Apple Transport Security (ATS) and its impact on my configuration. I am confused as to what happens if I don't comply with it.

I have an iOS app, which communicates with a server and an API that enforces only https connections, but at the same time I have TLS1.0 with SHA256 and Cipher Suites with no Forward Secrecy enabled on my configuration.

If I then proceed to bypass ATS by:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

What confuses me in the ATS documentation is:

Disabling ATS allows connection regardless of HTTP or HTTPS configuration, allows connection to servers with lower TLS versions, and allows connection using cipher suites that do not support forward secrecy (FS).

Does that mean my app and my server will still continue to communicate over https without side-effects? i.e. the connection won't fail simply because my server always enforces https but does not comply with ATS at the moment.

In other words, do I have to immediately upgrade my server to support TLS1.2, with Forward Secrecy and the other ATS requirements? Assuming I am going to make updates to my app with iOS 9 and the latest Xcode.

On the other hand, I understand I should adopt ATS, but time and resources are limited at the moment.

Upvotes: 0

Views: 163

Answers (1)

Gereon

Reputation: 17864

You don't have to upgrade your server immediately. You also don't have to turn off ATS completely.

Instead, you can tell ATS that your server uses TLSv1 and doesn't support FS by something like this in your info.plist:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <false/>
    <key>NSExceptionDomains</key>
    <dict>
        <key>your.servers.domain.here</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSExceptionRequiresForwardSecrecy</key>
            <false/>
            <key>NSExceptionMinimumTLSVersion</key>
            <string>TLSv1.0</string>
        </dict>
    </dict>
</dict>

nscurl --ats-diagnostics --verbose $YOUR_API_URL will help you figure out what you really need to specify in order to talk to your server.

Upvotes: 2
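As an added example (not part of the answer above, and not Apple's tooling), a small Python helper that turns what you observe about the server (the negotiated TLS version and cipher suite name, e.g. from nscurl or an openssl s_client run) into the smallest NSExceptionDomains entry that will work, while keeping NSAllowsArbitraryLoads false so every other host is still held to full ATS policy. The domain names and cipher strings are constructed sample values.

```python
import plistlib

# ATS baseline on iOS 9: TLS 1.2 and a forward-secret (ECDHE) cipher suite.
ATS_MIN_TLS = "TLSv1.2"
TLS_ORDER = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def normalize_tls(version):
    """Python's ssl module reports TLS 1.0 as 'TLSv1'; ATS expects 'TLSv1.0'."""
    return "TLSv1.0" if version == "TLSv1" else version


def has_forward_secrecy(cipher_name):
    """ATS's approved forward-secret suites are all ECDHE-based, so only
    OpenSSL-style 'ECDHE-...' or IANA 'TLS_ECDHE_...' names count as FS."""
    return cipher_name.startswith(("ECDHE-", "TLS_ECDHE_"))


def ats_exception(negotiated_tls, cipher_name, include_subdomains=True):
    """Return the per-domain exception dict a server needs, or None if the
    server already meets ATS and no exception should be added."""
    tls = normalize_tls(negotiated_tls)
    entry = {}
    if TLS_ORDER.index(tls) < TLS_ORDER.index(ATS_MIN_TLS):
        entry["NSExceptionMinimumTLSVersion"] = tls
    if not has_forward_secrecy(cipher_name):
        entry["NSExceptionRequiresForwardSecrecy"] = False
    if not entry:
        return None
    entry["NSIncludesSubdomains"] = include_subdomains
    return entry


def ats_plist_xml(exceptions):
    """Render the NSAppTransportSecurity block as Info.plist XML; arbitrary
    loads stay disabled, exceptions are listed per domain only when needed."""
    ats = {"NSAllowsArbitraryLoads": False}
    if exceptions:
        ats["NSExceptionDomains"] = exceptions
    return plistlib.dumps({"NSAppTransportSecurity": ats}).decode()


if __name__ == "__main__":
    # Constructed sample: the questioner's server (TLS 1.0, non-FS AES suite)
    # and a modern host that needs no exception at all.
    legacy = ats_exception("TLSv1.0", "AES256-SHA256")
    modern = ats_exception("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256")
    domains = {d: e for d, e in [("api.example.com", legacy),
                                 ("cdn.example.com", modern)] if e}
    print(ats_plist_xml(domains))
```

Once the server is upgraded to TLS 1.2 with ECDHE suites, re-run the check: ats_exception returns None and the domain drops out of the plist, which is the state you want to end up in.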
