Friday, August 28, 2015

How to make http services work on iOS 9, or how to bypass App Transport Security (ATS) on iOS 9?


By default in iOS 9, App Transport Security (ATS) blocks plaintext HTTP loads made through the Foundation URL-loading APIs (NSURLSession, NSURLConnection): the request is not upgraded to HTTPS, it simply fails with an NSURLErrorDomain error stating that the resource could not be loaded because the App Transport Security policy requires the use of a secure connection. An HTTPS request also fails if the server's TLS configuration is weaker than Apple's requirements (for example TLS older than 1.2, or a cipher suite without forward secrecy), or if the server does not support HTTPS at all.

As a temporary fix, without migrating your existing services to HTTPS, you can add per-domain exceptions to your application's Info.plist file as shown below.

1) If you know every insecure domain your app needs to reach, use the following solution, which keeps ATS enforced for every other host:

<key>NSAppTransportSecurity</key>
<dict>
  <key>NSExceptionDomains</key>
  <dict>
    <key>yourserver.com</key>
    <dict>
      <!--Include to allow subdomains-->
      <key>NSIncludesSubdomains</key>
      <true/>
      <!--Include to allow plaintext HTTP requests to this domain-->
      <!--(the iOS 9 betas spelled this key NSTemporaryExceptionAllowsInsecureHTTPLoads)-->
      <key>NSExceptionAllowsInsecureHTTPLoads</key>
      <true/>
      <!--Include to lower the minimum TLS version for HTTPS connections to this domain-->
      <!--(beta spelling: NSTemporaryExceptionMinimumTLSVersion); valid values are TLSv1.0, TLSv1.1, TLSv1.2-->
      <key>NSExceptionMinimumTLSVersion</key>
      <string>TLSv1.1</string>
    </dict>
  </dict>
</dict>

2) If you don't know all the insecure domains your app needs, or you want to allow every HTTP request within the app, use the following solution instead (add these keys to your app's Info.plist file). Be aware that this turns ATS off for every connection the app makes, not just the ones you had in mind, so prefer option 1 wherever you can:

<key>NSAppTransportSecurity</key>
<dict>
  <!--Include to allow all connections (disables ATS entirely)-->
  <key>NSAllowsArbitraryLoads</key>
  <true/>
</dict>

Below is a pictorial representation of this solution in the actual Info.plist file, for your reference.

[Screenshot of the NSAppTransportSecurity keys in the Info.plist file]

NOTE: Disabling or bypassing App Transport Security is not a good idea and is not recommended by Apple. Treat the exceptions above as a temporary fix until your services support ATS: while an exception is in place, every request it covers can be read or modified by anyone on the network path, which is exactly what ATS exists to prevent. It also remains to be seen how strictly Apple's App Review will treat ATS exceptions in the coming years.
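The two configurations above are easy to write but easy to lose track of in a large Info.plist. The following is an added example, not code from the original post: a small Python audit that reads an Info.plist with the standard-library plistlib module and lists every ATS exception it declares. The sample plist embedded in it is constructed for this example (yourserver.com and cdn.example.net are placeholder hosts); one domain uses the beta-era NSTemporaryException key spelling and the other the final NSException spelling, so you can see that the audit accepts both.

```python
"""Audit the NSAppTransportSecurity dictionary of an iOS Info.plist.

Added example, not from the original post. Reports the global
NSAllowsArbitraryLoads switch and every per-domain exception so the
hosts that may be reached over plaintext HTTP or weakened TLS are
visible before the build ships.
"""
import plistlib
import sys

# Per-domain exception keys. The final iOS 9 keys are NSException*;
# the iOS 9 betas used NSTemporaryException*, and NSThirdPartyException*
# marks exceptions for domains the developer does not control.
_PREFIXES = ("NSException", "NSTemporaryException", "NSThirdPartyException")
INSECURE_HTTP_KEYS = tuple(p + "AllowsInsecureHTTPLoads" for p in _PREFIXES)
MIN_TLS_KEYS = tuple(p + "MinimumTLSVersion" for p in _PREFIXES)
FORWARD_SECRECY_KEYS = tuple(p + "RequiresForwardSecrecy" for p in _PREFIXES)


def _first(rules, keys, default=None):
    """Return the value of the first key present in rules, else default."""
    for key in keys:
        if key in rules:
            return rules[key]
    return default


def audit_ats(plist_bytes):
    """Return a list of finding strings; an empty list means ATS is fully enforced."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("GLOBAL: NSAllowsArbitraryLoads disables ATS for every "
                        "connection the app makes")
    for domain, rules in sorted(ats.get("NSExceptionDomains", {}).items()):
        scope = domain + (" (and subdomains)" if rules.get("NSIncludesSubdomains") else "")
        if _first(rules, INSECURE_HTTP_KEYS):
            findings.append(f"{scope}: plaintext HTTP allowed")
        min_tls = _first(rules, MIN_TLS_KEYS)
        # Valid values are TLSv1.0, TLSv1.1, TLSv1.2; plain string comparison orders them.
        if min_tls is not None and min_tls < "TLSv1.2":
            findings.append(f"{scope}: minimum TLS lowered to {min_tls}")
        if _first(rules, FORWARD_SECRECY_KEYS, True) is False:
            findings.append(f"{scope}: forward secrecy not required")
    return findings


# Constructed sample: option 1 from the post (beta key spelling) plus a
# second domain written with the final key names. Hosts are placeholders.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.atsdemo</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>yourserver.com</key>
      <dict>
        <key>NSIncludesSubdomains</key>
        <true/>
        <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
        <true/>
        <key>NSTemporaryExceptionMinimumTLSVersion</key>
        <string>TLSv1.1</string>
      </dict>
      <key>cdn.example.net</key>
      <dict>
        <key>NSExceptionRequiresForwardSecrecy</key>
        <false/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Constructed sample: option 2 from the post.
SAMPLE_ARBITRARY_LOADS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
  </dict>
</dict>
</plist>
"""


if __name__ == "__main__":
    # Usage: python ats_audit.py [Info.plist]; without a path the sample is audited.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_INFO_PLIST
    for line in audit_ats(data) or ["no ATS exceptions declared"]:
        print(line)
```

Run it against the Info.plist in your built .app (or against the sample by giving no path) and every line it prints is a host whose traffic is exposed until the server is migrated; an empty report means ATS is fully enforced.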

Apple is pushing ATS, that is, secure connections by default, to protect personal data from being compromised over insecure wireless networks and to make sure users' online activity is protected from network snooping.

The permanent fix is to implement App Transport Security properly, following Apple's recommended security practices.

While migrating your services from HTTP to HTTPS you must meet the Apple requirements listed below (they apply to the server's TLS configuration, not to the app):

The Transport Layer Security (TLS) protocol version must be at least 1.2.

Connection cipher suites are limited to those that provide forward secrecy (the ECDHE key-exchange suites).

Certificates must be signed with a SHA-256 or stronger signature hash algorithm and use either a 2048-bit or greater RSA key or a 256-bit or greater elliptic-curve (ECC) key, so a SHA-1-signed certificate does not pass.
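To check whether a server you are migrating already satisfies these three requirements, here is an added example (not from the original post): a Python function that evaluates the negotiated TLS version, cipher suite and certificate parameters against the rules above, plus a helper that obtains the first two from a live handshake with the standard-library ssl module. The certificate's key size and signature hash must be passed in by the caller (for instance read from `openssl x509 -in cert.pem -noout -text`), because ssl.getpeercert() does not expose them. The inputs in the usage section are constructed values, not measurements of any real host.

```python
"""Evaluate a server's TLS parameters against the ATS requirements.

Added example, not from the original post. check_ats_requirements()
works on values you already have; probe_tls() fetches the negotiated
protocol and cipher from a live handshake.
"""
import socket
import ssl

# Cipher suite names as OpenSSL (ECDHE-RSA-...) or IANA (TLS_ECDHE_RSA_...) spell them.
_FORWARD_SECRECY_PREFIXES = ("ECDHE-", "TLS_ECDHE_")
_STRONG_HASHES = ("sha256", "sha384", "sha512")


def check_ats_requirements(tls_version, cipher, key_type, key_bits, sig_hash):
    """Return {rule: (passed, detail)} for the three ATS server rules.

    tls_version: as reported by ssl, e.g. "TLSv1", "TLSv1.1", "TLSv1.2"
    cipher:      negotiated suite name, e.g. "ECDHE-RSA-AES128-GCM-SHA256"
    key_type:    "RSA" or "EC"; key_bits: public key size in bits
    sig_hash:    certificate signature algorithm, e.g. "sha256WithRSAEncryption"
    """
    results = {}
    # Rule 1: TLS 1.2 or newer.
    results["tls_version"] = (tls_version in ("TLSv1.2", "TLSv1.3"), tls_version)
    # Rule 2: forward secrecy. ATS accepts only ECDHE key-exchange suites,
    # so a static-RSA or DHE suite fails even with strong encryption.
    has_fs = cipher.upper().startswith(_FORWARD_SECRECY_PREFIXES)
    results["forward_secrecy"] = (has_fs, cipher)
    # Rule 3: SHA-256 or stronger signature with RSA >= 2048 or ECC >= 256 bits.
    normalized = sig_hash.lower().replace("-", "")
    strong_hash = any(h in normalized for h in _STRONG_HASHES)
    kind = key_type.upper()
    if kind == "RSA":
        strong_key = key_bits >= 2048
    elif kind in ("EC", "ECC", "ECDSA"):
        strong_key = key_bits >= 256
    else:
        strong_key = False  # unknown key type: treat as failing, do not guess
    results["certificate"] = (strong_hash and strong_key,
                              f"{sig_hash}, {key_type} {key_bits}-bit")
    return results


def passes_ats(*args, **kwargs):
    """True only when every rule in check_ats_requirements() passes."""
    return all(ok for ok, _ in check_ats_requirements(*args, **kwargs).values())


def probe_tls(host, port=443, timeout=5.0):
    """Live handshake (network required): return (tls_version, cipher_name)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    # Constructed values for a server that still needs work: modern suite and
    # key, but the certificate is SHA-1 signed. Not a measurement of a real host.
    report = check_ats_requirements("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256",
                                    "RSA", 2048, "sha1WithRSAEncryption")
    for rule, (ok, detail) in report.items():
        print(f"{rule:16} {'PASS' if ok else 'FAIL'}  {detail}")
```

On OS X 10.11 the bundled `nscurl --ats-diagnostics --verbose https://yourserver.com` runs Apple's own version of this check against a live host and reports which ATS exception keys, if any, would be needed; the function above is useful when you want the same verdict from a server's configuration or a captured handshake without a Mac at hand.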


For more information, refer to Apple's official documentation: https://developer.apple.com/library/prerelease/ios/technotes/App-Transport-Security-Technote/index.html

Hope this post is helpful; comments and suggestions are welcome.

