CODEWITHSUNDEEP
ioscordovasslhttpstls1.2
systempuntoout
systempuntoout

Reputation: 74134

Why iOS 13.x below the 13.4 version is still using TLS 1.0/1.1 and how to force it to use TLS 1.2 and above?

We are doing some research on our inbound TLS traffic and we are currently seeing a small percentage of iOS 13.x below the 13.4 version that are still using TLS 1.0 or TLS 1.1 .

Do you know why this recent OS is still using these deprecated protocols and how to force it to use at least the TLS 1.2 version?

Upvotes: 1

Views: 876

Answers (1)

cerkiner
cerkiner

Reputation: 1956

According to Cordova documentation, there is a way to control and force minimum version but it also states the minimum TLS version defaults to 'TLSv1.2'. Furthermore, this only applies to the main Cordova webview, and does not apply to an InAppBrowser webview or opening links in the system web browser.

From the config.xml file, Cordova automatically converts and tags to the appropriate Application Transport Security (ATS) directives.

The and tags support these three attributes below, which have their equivalents in ATS:

  1. minimum-tls-version (String, defaults to 'TLSv1.2')
  2. requires-forward-secrecy (Boolean, defaults to 'true')
  3. requires-certificate-transparency (Boolean, defaults to 'false', new in iOS 10)

example:

<access origin='https://cordova.apache.org' minimum-tls-version='TLSv1.1' requires-forward-secrecy='false' requires-certificate-transparency='true' />

In iOS 10 and above, the tag supports these three attributes below, when paired with the origin wildcard *. These attributes also have their equivalents in ATS:

  1. allows-arbitrary-loads-for-media (Boolean, defaults to 'false', new in iOS 10. New in [email protected], fixed to use the proper attribute name). The old attribute allows-arbitrary-loads-in-media is now deprecated.
  2. allows-arbitrary-loads-in-web-content (Boolean, defaults to 'false', new in iOS 10)
  3. allows-local-networking (Boolean, defaults to 'false', new in iOS 10)

example:

<access origin='*' allows-arbitrary-loads-for-media='true' allows-arbitrary-loads-in-web-content='true' allows-local-networking='true' />

Source: https://cordova.apache.org/docs/en/9.x/guide/appdev/whitelist/

Upvotes: 2

Related Questions