5 Replies
      Latest reply on May 21, 2018 3:30 AM by TomaszTrela
      TomaszTrela Level 1 Level 1 (0 points)

        Hi,
        We are developing a smart home application which is communicating with our own devices (like smart socket plug) via HTTPS.
        Devices use our own CA, and iOS application set this certificate as a trusted by calling 'SecTrustSetAnchorCertificates' and override hostname according to: (https://developer.apple.com/library/content/documentation/NetworkingInternet/Conceptual/NetworkingTopics/Articles/OverridingSSLChainValidationCorrectly.html)
        with ATS fully enabled (NSAllowsArbitraryLoads set to False).

        And everything works just fine.

        I read this topic: https://forums.developer.apple.com/message/169269

        and according to it, we shouldn't be able to accomplish communication because:
        "When ATS is enabled for a server you still get server trust authentication challenges (NSURLAuthenticationMethodServerTrust) and you can use that to increase security.  However, you can’t use this to decrease security, that is, ATS provides a minimum level of security for a domain."

        User eskimo said that this is a bug:

        This is a bug in the interaction between ATS and the NSURLSession delegate callback (r. 27866669).

        It was 2 years ago and it still works, so i'm wondering if our approach is correct and will be approved in App Store or not?
        We can't use CA trusted by Apple because we will have like thousand of devices and it will be just to expensvice even more expensive than device itself.

        • Re: ATS and SSL pinning, Override Hostname - own CA
          TomaszTrela Level 1 Level 1 (0 points)

          And why it works even when I don't override host verification? Connection is estabished by IP Address and CA certificate added to trusted by "SecTrustSetAnchorCertificates" has CommonName set as a String. but the is no error like "common name mismatch"

          • Re: ATS and SSL pinning, Override Hostname - own CA
            eskimo Apple Staff Apple Staff (9,835 points)

            In iOS 10 we made a bunch of ATS tweaks and, as part of that, we disabled ATS checking for connections made to an IP address.  That’s why your connections aren’t being blocked by ATS even though it’s fully enabled.

            Note If you still support iOS 9 then I recommend that you test this there because it may not work!

            With regards the second half of this, why default trust evaluation works, it’s hard to say without more details.  For example, if the certificate that your CA issued to the accessory has a Subject Alternative Name extension that includes the IP address, you don’t need to override the host name.  Specifically, I’d like to see:

            • The code you’re using to handle the server trust authentication challenge

            • The leaf certificate using by the accessory

            • The root certificate of the CA that issued that leaf

            For the second two, please post either a PEM or a hexdump of the DER.

            Alternatively, if you want to discuss this in private, open up a DTS tech support incident and we can pick things up in that context.

            Share and Enjoy

            Quinn “The Eskimo!”
            Apple Developer Relations, Developer Technical Support, Core OS/Hardware
            let myEmail = "eskimo" + "1" + "@apple.com"

              • Re: ATS and SSL pinning, Override Hostname - own CA
                TomaszTrela Level 1 Level 1 (0 points)

                Thaks for your answer!
                I made a mistake, indeed default trust evaluation return 'recoverableTrustFailure' when hostnames don't match. So we can ignore my second post (May 16, 2018 6:52 AM)

                 

                In sum, we need to use IP address in communication which don't match hostname in certificate and our own CA which isn't trusted by Apple. We have implemented urlSession( didReceive challenge:  completionHandler: ) accroding to: https://developer.apple.com/library/content/documentation/NetworkingInternet/Conceptual/NetworkingTopics/Articles/OverridingSSLChainValidationCorrectly.html

                (Listing 1 and Listing 2). And it works great, but the question is, whether I will pass App Store Review? Because there is a lot of rumors in the internet that this approach can be used to Test/Development environment only.

                btw.
                "In iOS 10 we made a bunch of ATS tweaks and, as part of that, we disabled ATS checking for connections made to an IP address."
                If I don't implement urlSession( didReceive challenge:  completionHandler: )     (URLSession.delegate = nil)
                I still receive "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “192.168.1.xxx” which could put your confidential information at risk." despite using IP address. Did I misunderstand something?

                Thanks!

                  • Re: ATS and SSL pinning, Override Hostname - own CA
                    eskimo Apple Staff Apple Staff (9,835 points)

                    … despite using IP address. Did I misunderstand something?

                    Yes.  There’s two levels of HTTPS server trust evaluation in the system:

                    • All TLS connections implement default (RFC 2818) TLS server trust evaluation.

                    • High-level HTTPS APIs, most notably NSURLSession, also implement App Transport Security.

                    Disabling ATS, either explicitly or implicitly because you’ve connected to an IP address, has no impact on default TLS server trust evaluation.  To override that you need to handle the NSURLAuthenticationMethodServerTrust authentication challenge.

                    And it works great, but the question is, whether I will pass App Store Review?

                    The only folks who can give you definitive answers about what will or won’t be allowed on the store is App Review; I don’t work for App Review and can’t speak on their behalf.  However, I’m not aware of any major roadblocks here.  The ATS changes we made for local networking in iOS 10 — including this IP address change and NSAllowsLocalNetworking — were specifically designed to help in situations like yours.

                    Because there is a lot of rumors …

                    That’s probably folks being confused by our WWDC 2016 announcement about App Review and ATS.  You can find the latest news on that front in the App Transport Security and App Review section of my App Transport Security pinned post.

                    Share and Enjoy

                    Quinn “The Eskimo!”
                    Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                    let myEmail = "eskimo" + "1" + "@apple.com"