Software Integrity

 

Brace yourselves: Application transport security is coming

HTTP is a plaintext protocol. As such, it creates inherent security and privacy concerns when used by applications. Apple, for instance has (finally) decided to start treating the secure alternative, HTTPS, as the de facto Web protocol for iOS mobile apps. At WWDC16, Apple pointed out that enabling HTTPS doesn’t necessarily mean that you’re secure. There are many ways in which HTTPS can be improperly configured. Thus, resulting in the use of insecure connections.

What is Application Transport Security (ATS)?

ATS was introduced by Apple in iOS 9 as a built-in utility to protect network communications. Out-of-the-box, ATS enforces a TLS configuration with the following criteria:

  • Apps can only connect to servers using the TLS 1.2 protocol.
  • Apps can only connect to servers providing strong ciphers.
    • Strong ciphers are described as AES128+ and SHA2+
  • Apps must connect to servers using perfect forward secrecy (PFS). However, Apple has stated that they’ll allow exceptions to this (for now).

Disabling ATS.

At Synopsys, we test many iOS 9 apps. We’ve observed that most developers tend to disable ATS completely (via the Info.plist, using “Allowing Arbitrary Loads”). While this is currently acceptable to Apple, they’ve announced that at the end of 2016 they will no longer allow it.

Enforcement is coming.

With the start of 2017, applications with ATS exceptions will require a valid reason for Apple to grant an exception. Acceptance will be at Apple’s discretion during App Store review. Therefore, app developers should begin planning for this now—if you haven’t already.

Engineering teams should start working with architectural and infrastructure teams to discuss how and when to implement secure server-side TLS configuration.

Diagnosing connectivity problems.

Once you’ve enabled server-side TLS, you can check your configuration and identify compatibility issues. Go about this by using nscurl on an OSX/macOS system. For example, using www.synopsys.com as the target domain:

nscurl --ats-diagnostics https://www.synopsys.com

This returns the following output:

Starting ATS Diagnostics
Configuring ATS Info.plist keys and displaying the result of HTTPS loads to https://www.synopsys.com.  
A test will "PASS" if URLSession:task:didCompleteWithError: returns a nil error.  
Use '--verbose' to view the ATS dictionaries used and to display the error received in URLSession:task:didCompleteWithError:.  
================================================================================

Default ATS Secure Connection  
---
ATS Default Connection  
Result : PASS  
---

================================================================================

Allowing Arbitrary Loads

---
Allow All Loads  
Result : PASS  
---

================================================================================

Configuring TLS exceptions for www.synopsys.com

---
TLSv1.2  
Result : PASS  
---

---
TLSv1.1  
Result : PASS  
---

---
TLSv1.0  
Result : PASS  
---

================================================================================

Configuring PFS exceptions for www.synopsys.com

---
Disabling Perfect Forward Secrecy  
Result : PASS  
---

================================================================================

Configuring PFS exceptions and allowing insecure HTTP for www.synopsys.com

---
Disabling Perfect Forward Secrecy and Allowing Insecure HTTP  
Result : PASS  
---

================================================================================

Configuring TLS exceptions with PFS disabled for www.synopsys.com

---
TLSv1.2 with PFS disabled  
Result : PASS  
---

---
TLSv1.1 with PFS disabled  
Result : PASS  
---

---
TLSv1.0 with PFS disabled  
Result : PASS  
---

================================================================================

Configuring TLS exceptions with PFS disabled and insecure HTTP allowed for www.synopsys.com

---
TLSv1.2 with PFS disabled and insecure HTTP allowed  
Result : PASS  
---

---
TLSv1.1 with PFS disabled and insecure HTTP allowed  
Result : PASS  
---

---
TLSv1.0 with PFS disabled and insecure HTTP allowed  
Result : PASS  
---

================================================================================

In this instance, the key output is as follows:

Default ATS Secure Connection  
---
ATS Default Connection  
Result : PASS  
---

This output shows that the server supports the default ATS connection. Thus, ATS will work out-of-the-box for this host. Your application will now be able to communicate to this host securely (without disabling ATS). If the output says FAIL, something is misconfigured and the issue requires further diagnosis.

Alternatively, developers can set the CFNETWORK_DIAGNOSTICS environment variable to 1 within the Xcode project. This captures networking-based debug logging which too can help diagnose ATS connection issues.

What if I can’t enable strong TLS right now?

There are numerous exception types available within ATS, most of which have legitimate use cases. Here are some examples:

  • NSAllowArbitraryLoads – Disables ATS policy enforcement. Allows apps to connect via insecure HTTPS channels and via HTTP.
  • NSExceptionAllowsInsecureHTTPLoads – Allows connections to this domain via the HTTP protocol.
  • NSExceptionMinimumTLSVersion – Lowers the TLS minimum version required from 1.2 to the value declared.
  • NSExceptionRequiresForwardSecrecy – Disables the requirement for PFS.
  • NSAllowsArbitraryLoadsInMedia – Used for streaming remote media via AVFoundation.
    • This was not available until iOS 10.
  • NSAllowsArbitraryLoadsInWebContent – Used for accessing and displaying Web content through WKWebView objects.
    • This was not available until iOS 10.
  • NSThirdPartyExceptionAllowsInsecureHTTPLoads – See above, but for third-party domains.
  • NSThirdPartyExceptionRequiresForwardSecrecy – See above, but for third-party domains.
  • NSThirdPartyExceptionMinimumTLSVersion – See above, but for third-party domains.

What about domains I don’t own?

Many applications communicate with third-party domains in addition to the domains under the same ownership as the application itself. In this scenario, you can disable ATS for a specific domain, declaring also that it is a third-party domain. Here’s how to achieve this:

<key>NSAppTransportSecurity</key>  
<dict>  
    <key>NSExceptionDomains</key>
    <dict>
        <key>www.synopsys.com</key>
        <dict>
            <key> NSThirdPartyExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
</dict>  

In this scenario, NSThirdPartyExceptionAllowsInsecureHTTPLoads is set to true. This allows HTTP connections for the www.synopsys.com host.

It is also advisable to speak to your third-party vendors and ask them to upgrade their infrastructure to support ATS where possible. Of course, exceptions (such as those seen above) will require justification during App Store review. It’s important to bare this in mind.

Summing it up.

ATS enforcement is looming. As such, start planning support for ATS now in order to meet the deadline. Don’t panic if you’re finding that you can’t enable ATS globally. There are justifiable exceptions that Apple will consider. However, make an attempt to plan your release dates accordingly to compensate for any push-back from Apple.

When possible, also strive to comply with ATS configuration rather than relying on exceptions. This avoids unnecessary delays when going live, and most importantly provides greater security to the app and its users.