HTTP is a plaintext protocol. As such, it creates inherent security and privacy concerns when used by applications. Apple, for instance has (finally) decided to start treating the secure alternative, HTTPS, as the de facto Web protocol for iOS mobile apps. At WWDC16, Apple pointed out that enabling HTTPS doesn’t necessarily mean that you’re secure. There are many ways in which HTTPS can be improperly configured. Thus, resulting in the use of insecure connections.
ATS was introduced by Apple in iOS 9 as a built-in utility to protect network communications. Out-of-the-box, ATS enforces a TLS configuration with the following criteria:
At Synopsys, we test many iOS 9 apps. We’ve observed that most developers tend to disable ATS completely (via the Info.plist, using “Allowing Arbitrary Loads”). While this is currently acceptable to Apple, they’ve announced that at the end of 2016 they will no longer allow it.
With the start of 2017, applications with ATS exceptions will require a valid reason for Apple to grant an exception. Acceptance will be at Apple’s discretion during App Store review. Therefore, app developers should begin planning for this now—if you haven’t already.
Engineering teams should start working with architectural and infrastructure teams to discuss how and when to implement secure server-side TLS configuration.
Once you’ve enabled server-side TLS, you can check your configuration and identify compatibility issues. Go about this by using nscurl on an OSX/macOS system. For example, using www.synopsys.com as the target domain:
nscurl --ats-diagnostics https://www.synopsys.com
This returns the following output:
Starting ATS Diagnostics Configuring ATS Info.plist keys and displaying the result of HTTPS loads to https://www.synopsys.com. A test will "PASS" if URLSession:task:didCompleteWithError: returns a nil error. Use '--verbose' to view the ATS dictionaries used and to display the error received in URLSession:task:didCompleteWithError:. ================================================================================ Default ATS Secure Connection --- ATS Default Connection Result : PASS --- ================================================================================ Allowing Arbitrary Loads --- Allow All Loads Result : PASS --- ================================================================================ Configuring TLS exceptions for www.synopsys.com --- TLSv1.2 Result : PASS --- --- TLSv1.1 Result : PASS --- --- TLSv1.0 Result : PASS --- ================================================================================ Configuring PFS exceptions for www.synopsys.com --- Disabling Perfect Forward Secrecy Result : PASS --- ================================================================================ Configuring PFS exceptions and allowing insecure HTTP for www.synopsys.com --- Disabling Perfect Forward Secrecy and Allowing Insecure HTTP Result : PASS --- ================================================================================ Configuring TLS exceptions with PFS disabled for www.synopsys.com --- TLSv1.2 with PFS disabled Result : PASS --- --- TLSv1.1 with PFS disabled Result : PASS --- --- TLSv1.0 with PFS disabled Result : PASS --- ================================================================================ Configuring TLS exceptions with PFS disabled and insecure HTTP allowed for www.synopsys.com --- TLSv1.2 with PFS disabled and insecure HTTP allowed Result : PASS --- --- TLSv1.1 with PFS disabled and insecure HTTP allowed Result : PASS --- --- TLSv1.0 with PFS disabled and insecure HTTP allowed Result : PASS --- ================================================================================
In this instance, the key output is as follows:
Default ATS Secure Connection --- ATS Default Connection Result : PASS ---
This output shows that the server supports the default ATS connection. Thus, ATS will work out-of-the-box for this host. Your application will now be able to communicate to this host securely (without disabling ATS). If the output says FAIL, something is misconfigured and the issue requires further diagnosis.
Alternatively, developers can set the CFNETWORK_DIAGNOSTICS environment variable to 1 within the Xcode project. This captures networking-based debug logging which too can help diagnose ATS connection issues.
There are numerous exception types available within ATS, most of which have legitimate use cases. Here are some examples:
Many applications communicate with third-party domains in addition to the domains under the same ownership as the application itself. In this scenario, you can disable ATS for a specific domain, declaring also that it is a third-party domain. Here’s how to achieve this:
<key>NSAppTransportSecurity</key> <dict> <key>NSExceptionDomains</key> <dict> <key>www.synopsys.com</key> <dict> <key> NSThirdPartyExceptionAllowsInsecureHTTPLoads</key> <true/> </dict> </dict> </dict>
In this scenario, NSThirdPartyExceptionAllowsInsecureHTTPLoads is set to true. This allows HTTP connections for the www.synopsys.com host.
It is also advisable to speak to your third-party vendors and ask them to upgrade their infrastructure to support ATS where possible. Of course, exceptions (such as those seen above) will require justification during App Store review. It’s important to bare this in mind.
ATS enforcement is looming. As such, start planning support for ATS now in order to meet the deadline. Don’t panic if you’re finding that you can’t enable ATS globally. There are justifiable exceptions that Apple will consider. However, make an attempt to plan your release dates accordingly to compensate for any push-back from Apple.
When possible, also strive to comply with ATS configuration rather than relying on exceptions. This avoids unnecessary delays when going live, and most importantly provides greater security to the app and its users.
Grant Douglas is an associate principal security consultant at Synopsys. His primary area of expertise is in mobile security and tooling. He has worked on internal SAST and DAST tools and also produced external mobile tools which are used within the industry, including memscan, which was featured in ‘The Mobile Application Hacker's Handbook’ and ‘Learning iOS Forensics.’ Grant enjoys writing code, reading, and travel during his free time.