For App Transport Security REQUIRED January 2017, what's the impact on apps that use a 3rd party library to do HTTPS communication?

Hi

For App Transport Security REQUIRED January 2017, what's the impact on apps that use a 3rd party library to do HTTPS communication:

1. Will Apple force the app to use only its high-level APIs to do HTTPS communication and deny apps that use a 3rd party library such as OpenSSL, which can support X.509/TLS 1.2/AES-128/AES-256 etc., including the following requirements?

Requirements for Connecting Using ATS

With App Transport Security (ATS) fully enabled, the system requires that your app’s HTTP connections use HTTPS and that they satisfy the following security requirements:

  • The X.509 digital server certificate must meet at least one of the following trust requirements:
    • Issued by a certificate authority (CA) whose root certificate is incorporated into the operating system
    • Issued by a trusted root CA and installed by the user or a system administrator
  • The negotiated Transport Layer Security (TLS) version must be TLS 1.2. Attempts to connect without TLS/SSL protection, or with an older version of TLS/SSL, are denied by default.
  • The connection must use either the AES-128 or AES-256 symmetric cipher. The negotiated TLS connection cipher suite must support perfect forward secrecy (PFS) through Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) key exchange, and must be one of the following:
    • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • The leaf server certificate must be signed with one of the following types of keys:
    • Rivest-Shamir-Adleman (RSA) key with a length of at least 2048 bits
    • Elliptic-Curve Cryptography (ECC) key with a size of at least 256 bits
  • In addition, the leaf server certificate hashing algorithm must be Secure Hash Algorithm 2 (SHA-2) with a digest length, sometimes called a “fingerprint,” of at least 256 (that is, SHA-256 or greater).

2. If Apple accepts apps that use a 3rd party library, is an app that uses a 3rd party library also not allowed to disable ATS in Info.plist?

Thanks🙂

Replies

1. Will Apple force the app to use only its high-level APIs to do HTTPS communication and deny apps that use a 3rd party library such as OpenSSL, which can support X.509/TLS 1.2/AES-128/AES-256 etc., including the following requirements?

ATS only applies to NSURLSession, the now-deprecated NSURLConnection, and APIs layered on top of them. It does not apply to apps that use lower-level APIs (like BSD Sockets), including those that implement TLS on top of those lower-level APIs.

2. If Apple accepts apps that use a 3rd party library, is an app that uses a 3rd party library also not allowed to disable ATS in Info.plist?

I don’t really understand this question. Hopefully my previous answer has obviated it. If not, please clarify.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi eskimo

I already got the answer from your reply of the first question. Thank you very much🙂

Hi eskimo,

Does that mean that if I use third-party networking libraries, even if all the connections use the HTTP protocol and I do not add any exception in Info.plist, our app can still pass App Store review?

Does that mean that if I use third-party networking libraries, even if all the connections use the HTTP protocol and I do not add any exception in Info.plist, our app can still pass App Store review?

That depends on what underlying API the networking library is using. If it uses NSURLSession, NSURLConnection, or anything layered on top of those, it is subject to ATS’s enhanced security checks. If it uses lower-level APIs, it is not.

IMPORTANT Even though ATS is not enforced by these low-level APIs, I strongly encourage you to update your low-level networking to use TLS and meet ATS’s security requirements. Remember ATS’s requirements are not arbitrary: rather, they are set to give your users a reasonable level of security when talking over the network.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi eskimo,

Is there any way to discover or self-check the use of NSURLSession or NSURLConnection in our app, especially in a library or framework?

You can start by using Xcode's Find on both strings: NSURLSession; NSURLConnection

As KMT suggested, your first step should be to actually search the source code. However, if you’re using libraries for which you don’t have the source code, then you can do this with static analysis. For example, if your app uses NSURLSession, you’ll see a reference to it in the symbol table of the built binary.

$ nm build/Debug-iphonesimulator/***.app/***
…
                U _OBJC_CLASS_$_NSURLSession
…

IMPORTANT If you have any app extensions or frameworks embedded within your app, you should run this check on each one independently.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
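One way to automate the nm check above across the main executable, every embedded framework and every app extension, as an added example that is not from the thread or from Apple: a POSIX shell script that assumes each executable is named after its bundle (CFBundleExecutable normally matches) and that nm from the Xcode command-line tools is on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): automate the nm check above over the
# main executable, every embedded framework and every app extension in a
# built .app bundle. Assumes the Xcode command-line tools (nm) are present.

# ats_symbols: read nm output on stdin and print each undefined ("U")
# Objective-C class reference to NSURLSession/NSURLConnection, including
# related classes such as NSURLSessionConfiguration, one per line.
ats_symbols() {
    awk '$1 == "U" && $2 ~ /^_OBJC_CLASS_\$_NSURL(Session|Connection)/ { print $2 }' \
        | LC_ALL=C sort -u
}

# check_binary: report the ATS-relevant class references in one Mach-O
# binary. Returns 0 if any were found (ATS applies), 1 if none.
check_binary() {
    syms=$(nm "$1" 2>/dev/null | ats_symbols)
    if [ -n "$syms" ]; then
        echo "$1: subject to ATS, references found:"
        echo "$syms" | sed 's/^/    /'
        return 0
    fi
    echo "$1: no NSURLSession/NSURLConnection references"
    return 1
}

# scan_bundle: walk an .app bundle. Assumption: each executable is named
# after its bundle (CFBundleExecutable normally matches); frameworks live in
# Frameworks/*.framework and extensions in PlugIns/*.appex.
scan_bundle() {
    app="$1"
    found=1
    check_binary "$app/$(basename "$app" .app)" && found=0
    for fw in "$app"/Frameworks/*.framework; do
        [ -d "$fw" ] || continue
        check_binary "$fw/$(basename "$fw" .framework)" && found=0
    done
    for ext in "$app"/PlugIns/*.appex; do
        [ -d "$ext" ] || continue
        check_binary "$ext/$(basename "$ext" .appex)" && found=0
    done
    return $found
}

# Usage: sh ats_scan.sh build/Debug-iphonesimulator/MyApp.app
if [ -n "${1:-}" ]; then
    scan_bundle "$1"
fi
```

Because it keys on undefined symbol references, the script finds direct Objective-C class references only; a library that reaches NSURLSession via an intermediate framework shows up when that framework is scanned, which is why each embedded binary is checked separately.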