App Transport Security

Question

This thread has been locked by a moderator.

App Transport Security (ATS) is a technology that requires an app to either support best practice HTTPS security or statically declare its security limitations via a property in its

Info.plist

. ATS is officially documented Bundle Resources > Information Property List NSAppTransportSecurity and Preventing Insecure Network Connections. This post contains a summary of the latest ATS developments.

For more background on ATS, see:

WWDC 2015 Session 706 Security and Your Apps
WWDC 2015 Session 711 Networking with NSURLSession
WWDC 2016 Session 706 What’s New in Security
WWDC 2017 Session 701 Your Apps and Evolving Network Security Standards
App Transport Security Tip
Legacy ATS documentation

App Transport Security and App Review

At WWDC 2016 Apple announced that by the end of 2016 App Review will require “reasonable justification” for many ATS exceptions. This is not a technical change in the OS but rather a new App Review policy. The WWDC 2016 presentation has some general background to this but if you’re looking for specific details you should read the Provide Justification for Exceptions.

In late 2016 Apple announced (via the Supporting App Transport Security news post) that “this deadline has been extended” and indicated that they “will provide another update when a new deadline is confirmed”.

We recommend that you monitor the News and Updates page to learn more about any future changes to this policy; it even has a handy RSS feed.

App Transport Security Changes in 2017

The 2017 OS releases (macOS 10.13, iOS 11, watchOS 4, tvOS 11) have no new ATS APIs. However, Apple has been making significant changes under the hood to improve HTTPS security, including:

Preliminary support for the draft TLS 1.3 specification
Cypher suites employing 3DES are now disabled by default
Certificates signed using SHA1 are no longer trusted
Certificates signed using an RSA key with a key size less than 2048 bits are no longer trusted
Cypher suites employing AES-CBC are still supported but you should consider moving away from them

The specific details here are complex — for example, the certificate trust changes don’t apply to enterprise-distributed certificates — so you should watch WWDC 2017 Session 701 Your Apps and Evolving Network Security Standards for all the details.

App Transport Security Changes in 2016

The 2016 OS releases (macOS 10.12, iOS 10, watchOS 3, tvOS 10) all contain an updated version of ATS. This section summarises the important changes. While many of these were covered in depth in WWDC 2016 Session 706 What’s New in Security, some of them are new and are highlighted as such.

Here’s a summary of ATS (and general TLS) changes in these OS releases:

```
NSAllowsArbitraryLoadsInWebContent
```
lets you have a strict ATS dictionary but still load arbitrary content in a web view (WKWebView, UIWebView, WebView)
[new since WWDC 2016]
```
NSAllowsLocalNetworking
```
lets you opt out of ATS for local networking
[new since WWDC 2016]
```
NSAllowsArbitraryLoadsForMedia
```
lets you opt out of ATS for media resources
```
NSRequiresCertificateTransparency
```
lets you opt in to Certificate Transparency checking
Cypher suites employing RC4 are now disabled by default
The SSLv3 protocol is now disabled by default at the Secure Transport layer
Cypher suites employing SHA-1 or 3DES are still supported but you should consider moving away from them
[new since WWDC 2016]
```
NSURLConnection
```
now honours the ATS minimum TLS version — Previously
```
NSURLConnection
```
would ignore the minimum TLS version prescribed by ATS (r. 23167645). This bug has been fixed. If you’re using
```
NSURLConnection
```
for your networking, make sure to run your app on the latest released OS to ensure that it still works as expected.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Change History

29 Oct 2015 — First posted.
2 Aug 2016 — Updated to cover the WWDC 2016 announcements and the changes since then.
12 Aug 2016 — Updated to cover
```
NSAllowsArbitraryLoadsForMedia
```
, which I missed in the last update.
15 Aug 2016 — Updated the discussion of
```
NSAllowsArbitraryLoadsInWebContent
```
to specifically call out that UIWebView and WebView are now covered by this key.
16 Aug 2016 — Updated to specifically call out the App Store Review for ATS section of the ATS documentation.
15 Sep 2016 — Minor editorial changes.
23 Nov 2016 — Corrected the name of
```
NSAllowsArbitraryLoadsForMedia
```
, which was previously incorrectly listed as
```
NSAllowsArbitraryLoadsInMedia
```
. This change is based on a corresponding change in the 2016-11-14 revision of the [Information Property List Key Reference][docs].
22 Dec 2016 — Updated with a reference to yesterday’s Apple Developer News post.
6 Feb 2017 — Added a recommendation to monitor the News and Updates page.
21 Jun 2017 — Updated to cover the WWDC 2017 announcements.
12 Feb 2018 — Updated to clarify what the Supporting App Transport Security news post said.
28 Aug 2019 — Updated with references to the new ATS documentation.

Network

82k

Posted by

eskimo

Reply

Add a Comment