I want to make sure that my iOS app will connect with a defined web server though web api and doesn't have any access to some other domain.
I have tried to implement NSAppTransportSecurity to define my web server domain but it is not working for me and the app can still have an access to other domains as well.
I'm using Alamofire networking library in Swift to make web API requests.
Please guide me whether I can achieve this or not.
Update:
ATS is not working for me with Alamofire library of Swift.
Example:
// This should be accessible from my app only and the app shouldn't send any request to other domains
www.mydomain.com
Update# 2
My Purpose
My aim is to restrict my app to do so because if any opensource framework I use in my app won't be able to access any other web server excepts the one I defined.
It would be great if something I can do in plist or from app settings for the general app target.
It's impossible to restrict/filter the network traffic with ATS.
ATS enforce security policies when loading HTTP- and URL-based resources and doesn't restrict/filter network traffic.
App Transport Security (ATS) is enforced by the NSURLSession class and all APIs that use it. ATS is automatically enabled when you link your app against the iOS 9.0 SDK or later or against the macOS 10.11 SDK or later. (The older NSURLConnection class also enforces ATS when you link against the iOS 9.0 SDK or later or against the macOS 10.11 SDK or later.) ATS protections are not available when using lower-level networking APIs provided by Apple, or when using third-party networking libraries. Source
Related
I have configured the Burp suit to intercept the API(http and https) calls from the iOS mobile apps.
Am getting the expected result from all my native iOS apps which use http and https(SSL certificate pinning disabled)
But for flutter mobile app, no request is intercepted and no items are listing under "http history" tab.
I am using the flutter default package "http.dart" for the API calls. Does this package contain any kind of inbuilt security to avoid network interception?
Flutter uses Dart, which doesn’t use the system CA store. This way, even though you have installed BURP CA on your iOS device, flutter is oblivious to that as it uses a list of CA’s that are embedded into the application itself.
You have to disable SSL certificate verification in your app for testing purposes. For disabling SSL certificate verification in flutter, please refer to:
how to solve flutter CERTIFICATE_VERIFY_FAILED error while performing a POST request?
Also, it might be the case your iOS dart setup isn't compeltely proxy aware (usually Android Dart isn't). I'd investigate that out as well.
Is the Apple App Transport Security feature implemented in CFNetwork or maybe it is a part of sandbox or system ?
App Transport Security (ATS) is enforced by the NSURLSession class and all APIs that use it. ATS is automatically enabled when you link your app against the iOS 9.0 SDK or later or against the macOS 10.11 SDK or later. (The older NSURLConnection class also enforces ATS when you link against the iOS 9.0 SDK or later or against the macOS 10.11 SDK or later.) ATS protections are not available when using lower-level networking APIs provided by Apple, or when using third-party networking libraries. Source
Current situation:
Not long ago, Apple delayed the mandatory use of https
Our app that
has been released, not fully forced to use https. Because some
requests in webView do not support https yet.
Questions:
If the requirement of using https was necessary, then could I
still use http in webView by setting the “Allow Arbitrary Loads in
Web Content” as “YES” and setting the “Allow Arbitrary Loads” as
“NO”?
In addition, would the requirement impact the app that has
been released already?
If you are using UIWebViews or WKWebViews, you could use the NSAllowsArbitrartyLoadsInWebContent exception to allow any http connection in your webviews. However, note that this would only help for devices running iOS 10 and greater. If your app supports iOS9, and you only include the web content exception, iOS 9 users will not be able to load sites that use http. In order to support both, Apple has a combination where you set both NSAllowsArbitrartyLoadsInWebContent and NSAllowsArbitrartyLoads in your Info.plist. This will basically disable App Transport Security (ATS) on iOS 9 devices, but in iOS 10, the NSAllowsArbitrartyLoadsInWebContent setting will override the NSAllowsArbitrartyLoads setting, meaning http and non-ATS compliant connections will only be allowed in WebViews.
I would recommend that if you allow the user to do web browsing to arbitrary sites within your app, you should consider switching to SFSafariViewController. It does not require any ATS exceptions, because it is essentially embedding Safari within your app, but as a separate process. If you can't control the sites your users can go to, it provides flexibility while giving them the best experience.
As for apps already in the store: if the app was compiled with a base SDK prior to iOS 9, the ATS protections would not have been baked in. The app should run fine on iOS 9 and iOS 10. You can confirm by installing the app from the App Store on an iOS 9 or 10 device and confirming you can hit http:// URLs.
Just understand that Apple did not delay the requirement for using https - ATS is active on devices running iOS 9 and up, for apps that were compiled with iOS9 or greater base SDK. What they delayed was the need to provide justification when using the NSAllowArbitraryLoads exception. That check is done when you submit the app to Apple. No existing apps in the store will be affected, it's just that if you need one of the exceptions listed above, you will need to have a reason for disabling aspects of ATS. If your current app in the store is using the NSAllowsArbitraryLoads exception, you have disabled ATS for your app and at some point, Apple is going to want you to explain why you are potentially putting your users at risk by doing insecure communications with servers.
upon running my app in ios9 simulator, i get app transport security related issues because some of my urls are not using https. I tried it in an ipad with ios9 and its working fine.
Upon release of ios9, should I expect my live app (sdk 8) to fail on ios9 devices? Just making sure if late appstore updates are safe.
Thanks!
Reference
If you’re developing a new app, you should use HTTPS exclusively. If you have an existing app, you should use HTTPS as much as you can right now, and create a plan for migrating the rest of your app as soon as possible. In addition, your communication through higher-level APIs needs to be encrypted using TLS version 1.2 with forward secrecy. If you try to make a connection that doesn't follow this requirement, an error is thrown. If your app needs to make a request to an insecure domain, you have to specify this domain in your app's Info.plist file.
I have written a summary and ways to how to check Acceptability of Webservice for iOS 9's App transport security
https://medium.com/#Mrugraj/app-transport-security-b7910c4fc70f
It have two ways
Using Curl
$ curl -v https://github.com/
Trying 192.30.252.130...
Using online tool like - https://www.ssllabs.com/ssltest/index.html
TLDR: Is there any way to configure iOS SSL cipher suites for a mobile-device-initiated, REST-over-TLS network connection, without using non-iOS-native HTTP or SSL libraries. If so, where is the API documented and are there any examples?
Details: I am working with others to develop an iOS mobile application and we are unable to locate details about how to force the native iOS crypto libraries to use a specific version of SSL/TLS, or specific cipher suites. This is for a custom REST application, so the approach would have to be possible to connect via HTTP over TLS.
The app is written in Objective-C. We are trying to stay within iOS native functionality without including a separate SSL/TLS library.
I did try to search for an answer on SO, but I didn't find anything that seemed to cover the question.