SmallTalk App Transport Security CocoaHeads Paris Thursday 09 September 2015 Nicolas Lauquin

App Transport Security by Nicolas Lauquin



What ?

ATS is the default security configuration that apps must conform to.

Apple deprecates HTTP ;)

Applies to all connections based on NSURLConnection, CFURL, or NSURLSession

Starting with the iOS 9 & OS X 10.11 SDKs

Security Requirements

The server must support Transport Layer Security (TLS) protocol version 1.2.

Connection ciphers are limited to those that provide forward secrecy (TLS_ECDHE*)

Certificates must be signed using a SHA256 or better signature hash algorithm, with either a 2048 bit or greater RSA key or a 256 bit or greater Elliptic-Curve (ECC) key.

Not Respecting Rules = Punishment

AppTransport[71704:4475213] CFNetwork SSLHandshake failed (-9801)
AppTransport[71704:4475213] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801)

When logging the network error, the output is:
Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made."

How To Check ?

Compile with the iOS 9 or OS X 10.11 SDK and check whether the connections succeed and what the logs say, then look up the error code in SecureTransport.h

+ add extra logging with CFNETWORK_DIAGNOSTICS = 1 -> hard to analyze

Open the URL in a browser for a quick (& dirty) check

nscurl (starting with 10.11 - best choice): nscurl --ats-diagnostics --verbose https://x.co

Exceptions

Trick

OK

To test on an ATS-compliant API:

Example with IC server on OS X 10.10.5

IC Server ATS KO

IC Server v2 -> with certificate update

better but still KO

Configuration Info.plist

Configuration necessary until the upgrade to El Capitan, which will support TLSv1.2 & forward secrecy

ATS OK

Refs

Apple Technote: https://developer.apple.com/library/prerelease/ios/technotes/App-Transport-Security-Technote/index.html

Apple Video WWDC2015 - 711 - Network with NSURLSESSION

Example of App Transport configuration - http://www.neglectedpotential.com/2015/06/working-with-apples-application-transport-security/

Tips about issues with App Transport: http://timekl.com/blog/2015/08/21/shipping-an-app-with-app-transport-security/

Apple Secure Transport error codes: http://www.opensource.apple.com/source/Security/Security-55179.13/libsecurity_ssl/Security/SecureTransport.h


Nicolas Lauquin @nlauquin