Re: App Transport Security REQUIRED January 2017

I am all for secure communications, but there are some times when it is simply not possible.   I have an app that communicates with an physical satellite modem.  That satelite modem is local to the wifi network and only exposes an HTTP connection.   There is no way to connect to it securely.    Is this app simply no longer possible?

I agree. I understand that security is important, but there are far too many services that still use HTTP. I have an app that pulls images from NOAA over an HTTP connection. I don't see them switching to HTTPS anytime soon. Without an exception my app would be useless.

We are in the same situation having an app which is in fact a proxy between web media and local network. A lot of web servers does not impement HTTPS and communications over local network too. It seems our app will be absolutely useless without NSAllowsArbitraryLoads. There must be a procedure/approval for apps like our similar to setting for example Background modes for apps. I am sure a lot of apps are in our situation.

First up, there have been no changes to the technical behaviour of ATS (other than the addition of NSAllowsArbitraryLoadsInWebContent and NSRequiresCertificateTransparency).  From a technical perspective, ATS exceptions in the newly seeded OS releases work the same way as they do in the current OS release.

What has changed is that App Review will require “reasonable justification” for most ATS exceptions.  The goal here is to flush out those folks who, when ATS was first released, simply turned it off globally and moved on.  That will no longer be allowed.

The impact of this will depend on the circumstances of your app.  I don’t work for App Review, so I can’t give definitive answers as to what constitutes a “reasonable justification” in their minds.  However, I can recommend that you do the following:

• watch the WWDC session where we announced this change (WWDC 2016 Session 706 What’s New in Security) so that you can get a feel for the rationale behind it

• carefully audit your app’s use of HTTP and HTTPS

• construct a minimal ATS exception dictionary

• if you have ATS exceptions, keep notes about your analysis so that you can refer back to them when you need to submit your justification to App Review

Finally, if there are places where ATS has limitations that cause you to specify wider exceptions than one might reasonably expect, file an enhancement request against ATS for more appropriate exceptions.  Make sure to note the bug number to use in your justification.  And I’d appreciate you posting your bug number here, just for the record.

[I’ve removed the following example because we introduced NSAllowsLocalNetworking in iOS 10.0b4, partly based on the feedback we got from developers like you.  Thanks everyone!  OTOH, the general advice from the previous paragraph still stands.]

For example, right now ATS has very poor support for dealing with accessories on the local Wi-Fi.  An app that needs to deal with such an accessory may well need to set NSAllowsArbitraryLoads.  In that case, it would be wise to file a bug that describes your app’s requirements and requests better support from ATS, and use that bug number as part of your justification.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"

What happens to apps that are still in the app store by the end of the year that aren't using HTTPS?

You can use https://letsencrypt.org

It is free, stable and used by millions of web sites already.

Requires update every three months which can be automated.

I am testing it for 6 months already. Has been in beta till last month.

Now is out of beta.

You can register as many domains as you need for free.

Filed enhance request 27850892 to relax the Perfect Forward Secrey requirement.

Quoted from the document on the default ATS requirements:

1. The server certificate must meet at least one of the following trust requirements:
2. The negotiated Transport Layer Security version must be TLS 1.2
3. The negotiated TLS connection cipher suite must support forward secrecy (FS) and be one of the following:
4. The leaf server certificate must be signed with one of the following types of key

#3 seems to be Perfect Forward Secrey from nscurl utility output. I am wondering how widespread is perfect forwad secrey being enabled in web sites.

This particularly poses an issue for enterprise customers that the same App might be configured by end users to talk to different servers. For example, customerA's employees download the App from App Store and use it to connect to customerA's servers, and customerB's employees ask the same App to connect to different servers; and worse, the developers who build the App have no idea on those servers' SSL configurations/strengths.

Clearly this isn't going to work in every scenario, but take a look at this as this will cover most of the scenarios where this will impact, https://www.contradodigital.com/2016/09/01/claim-your-free-ssl-certificates-for-https/ - Lots more technical resources listed at the bottom of the page too for those with the capability to implement theirself.

As the title notes ,Apple announced that ATS will be REQUIRED of all apps as of January 2017.

Currently ,access via HTTPS has been implemented on all our internal service interfaces.

We have several questions below:

1. Could "image url" embedded in our app be accessed via HTTP?

2. Could "FLV streaming url" embedded in our app be accessed via HTTP?

3. Could we continue to use "NSExceptionDomains" to open HTTP access for specific domain name?

4. Since our app need to support iOS 9 and now implemented WKWebKit, we wonder if "NSAllowsArbitraryLoads = YES" could be set seperately under iOS 9?

Look forward to your soonest reply.

Best.

It's there any docs from apple about this?

Hi,

I have a question, same kind as the one asked by abuzar, on NSAllowsArbitraryLoads = YES

Context:

- My app integrates an advertising SDK

- The advertising SDK does mosts of its connexions on https, but some to third-party servers are http and we can't know the server this in advance

After reading https://nabla-c0d3.github.io/blog/2016/08/14/ats-enforced-2017/ , I have to refer to point

• Third-party servers that the App connects to, for example via connections initiated by SDKs.

Third-Party Servers

For third-party servers that the App connects to, any ATS exemption can be used, including domain-specific blacklisted exemptions, as Apple has stated that not having control of the server was a reasonable justification.

Doing so will require identifying the list of third-party servers the App connects to, in order to be able to add the proper domain-specific ATS exemptions to the App.

My question concerns the underlined point: from what I understand, will have to identify each non-ssl third-party server. I'm in a situation of using an advertising SDK that can't know in advance all servers my app will have to request (throught this SDK).

And also this SDK provider might dynamically tell their SDK to connect to a new third-party server that provide ads (or even as they say, a third-party server can point to a non-ssl address to another hird-party server).

So in this case, if I use NSAllowsArbitraryLoads = YES , and justifify it by the use of this advertising SDK that connects to third-parties, will the validation process be validated and not being rejected for not identifying third-party server? (because this is technically impossible)

Thank you

What would Ad banner serving implications of this be in WebView? Unless I specify `NSAllowsArbitraryLoadsInWebContent` to YES, it will fail in 2 cases

1. Destination site is on http

2. Destination site is on https, but can't support TLS v1.2.

Seems like we just always have to justify this during app store submission. Thoughts?

Thank you Quinn for your answers. We are supporting and creating many applications, some are legacy applications with a low maintenance rate (this means that we rarely update them in the store).

Is Apple planning to review apps that are already in the store? Must we modify and update them asap to support the security requirements or can we leave them as is for now?

In case that the app only supports iOS 9 and below, built using Xcode 7.x, is adding NSAllowsArbitraryLoads will suffice - the app wont get rejected? Or adding options like NSAllowsArbitraryLoadsInWebContent is still needed? Thanks!

NSAllowsLocalNetworking: YES

News from 2016/12/21 https://developer.apple.com/news/?id=12212016b

Hi there,

I have a news app which loads arbitrary rss feeds, some are http and some are https.

App gets the feeds list from the backend, so I may add new rss http feed without updating my app. Is it “reasonable justification” to use NSAllowsArbitraryLoads?

Greetings All

I’m taking the extraordinary measure of locking this thread (for reasons I’ll outline below).  If you have an ATS question, please do the following:

1. Read my App Transport Security pinned post, just in case your question has been answered there.

2. If not, put your question in a new thread in the Core OS > Networking area (click the Start a discussion link, which you’ll find on the right towards the top).

I’m locking this thread for two reasons:

• Given recent development, the thread title is now misleading.

• It’s clear that this thread has become a catch all for ATS questions in general, which has resulted in it growing to an unwieldy size.  It would be better if each of those questions was in its own separate thread, allowing us to drive the question to a conclusion while keeping the thread length manageable.

Thanks for understanding!

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"