Using App Transport Security iOS 9 Makes Your Apps a Little Bit More Secure

using-app-transport-security-ios9-makes-your-apps-a-little-bit-more-secure-0

Apple’s ATS provides secure communication between an application and web services. It does this by ensuring that certain requirements are met (e.g. the application should communicate with HTTPS, along with the TLS protocol with minimum version of 1.2.).

ATS

The importance of application and web security should never be taken lightly. With App Transport Security introduced in iOS 9 and El Capitan, Apple plans to improve app security by enforcing best security practices.

Encountering ATS

If you have already had a chance to fire up Xcode 7 and build your app on iOS 9 or El Capitan, you could have noticed that your API calls are failing all of a sudden. This is because ATS is enabled by default, and its requirements are not being met. This causes an error to be thrown on the network layer.

ATS can be turned off, but it’s strongly recommended that you leave it on, regardless of whether you’re starting a new project or updating an existing one.

If your app needs to make a request to an insecure domain, you can specify it in your app’s Info.plist file.

ATS list of requirements

Here is the list of requirements from Apple docs that ATS specifies:

  • The server must support at least Transport Layer Security (TLS) protocol version 1.2.
  • Connection ciphers are limited to those that provide forward secrecy (see the list of ciphers below.)
  • Certificates must be signed using a SHA256 or better signature hash algorithm, with either a 2048 bit or greater RSA key or a 256 bit or greater Elliptic-Curve (ECC) key. Invalid certificates result in a hard failure and no connection.

These are the accepted ciphers:

  • TLSECDHEECDSAWITHAES256GCM_SHA384
  • TLSECDHEECDSAWITHAES128GCM_SHA256
  • TLSECDHEECDSAWITHAES256CBC_SHA384
  • TLSECDHEECDSAWITHAES256CBC_SHA
  • TLSECDHEECDSAWITHAES128CBC_SHA256
  • TLSECDHEECDSAWITHAES128CBC_SHA
  • TLSECDHERSAWITHAES256GCM_SHA384
  • TLSECDHERSAWITHAES128GCM_SHA256
  • TLSECDHERSAWITHAES256CBC_SHA384
  • TLSECDHERSAWITHAES128CBC_SHA256
  • TLSECDHERSAWITHAES128CBC_SHA

Next step

If you haven’t already tried to build your app on iOS 9 and El Capitan to see how ATS affects it, you should definitely take some time to try it out, and make plans to update your project if necessary. While it could be quite an effort to conform to ATS, the end result is better for both developers and end users.

If you’re already on El Capitan, you can run ATS diagnostics to see if server conforms to ATS specifications. You can run the diagnostics from terminal with the following command:

	nscurl --ats-diagnostics https://example.com

Apple hasn’t specified whether ATS will be required when submitting your app to the App Store. Apple has given developers a way to disable it for the time being until they are ready to migrate their projects to support it. The question is whether ATS will be required at some point, or whether developers will have to explain why their new build at the App Store doesn’t have ATS enabled.