1 Reply
      Latest reply on Feb 15, 2019 2:23 AM by eskimo
      jzilske Level 1 Level 1 (0 points)

        I know that ATS needs to be configured statically at build time and is not meant to be (re-)configured at runtime (to quote Quinn: "[...] if ATS is enabled for a domain, developer code should not be able to decrease security for that domain.", cf. https://forums.developer.apple.com/message/159271#159271), but what if I want to increase security? From the documentation: "You can also increase a named domain’s protections by requiring Certificate Transparency" (cf. https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html#//apple_ref/doc/uid/TP40009251-SW35).

        We have an app that supports connecting to more or less arbitrary hosts and would like to be able to utilize CT for any host that supports it, which obviously we don't know at build time.

        To the best of my knowledge there is no way to achieve that; am I correct?

        • Re: API for App Transport Security
          eskimo Apple Staff Apple Staff (10,605 points)

          I apologise for being a bit wishy-washy here; I have limited direct experience with certificate transparency (CT).  If you want definitive answers, open a DTS tech support incident so that I can allocate time to research this properly.


          I believe that modern versions of iOS will do a CT evaluation for every TLS connection, and will fail the connection if CT indicates a problem.  You don’t need to set NSRequiresCertificateTransparency to get that.  Rather, NSRequiresCertificateTransparency tells the system to require CT, that is, fail your request if CT can’t be done at all.

          Also, you may be able to get more info about the CT state by overriding HTTPS server trust evaluation and looking at the kSecTrustCertificateTransparency property of the trust result.

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"