According to Apple:
If your application implements a TLS client using the CFStream APIs or the SecureTransport APIs, it will now default to using a TLS 1.2 handshake when connecting to a TLS server.
Reference:
https://developer.apple.com/library/ios/technotes/tn2287/_index.html
However, in my application, I am not using CFStream API. I am using an NSURLConnection. For NSURLConnection, is the default TLS 1.2 also?
Related
Anyone please explain the role of SSL pinning and App transport security.
I read that SSLpinning is used to ensure that the app communicates only with the designated server itself
With the release of the iOS 9, the App Transport Security library was also introduced. By default, ATS denies all insecure connections which do not use at least the TLS 1.2 protocol. The TLS protocol is a replacement for the SSL protocol, but still, both of them are often referred to as SSL. With SSL pinning in mind, there is no difference between having TLS or SSL as the underlying implementation - the basic concept remains the same.
So my question is
1. If my server is using TLS 1.2 protocol, then enabling ATS is enough for security. No need of doing SSL Pinning in my app. Please confirm
2. If my server below TLS 1.2 protocol, then SSL pinning is the best way to avoid insecure connections. Please confirm
Cert pinning makes sure your app is communicating with the correct server. Without Cert pinning I can set up an intercepting proxy to see all of the traffic flowing in and out of your app.
Pinning the cert makes sure I cannot do this as the app will only accept communications from the server the offers the correct pinned certificate.
then enabling ATS is enough for security
You can never have 'enough for security' but this part is contextual based on what your app is doing. If the endpoints and data your app processes is sensitive you should defiantly be cert pinning. I would argue you should always do it anyway as it is easy to do.
If my server below TLS 1.2 protocol, then SSL pinning is the best way to avoid insecure connections
This will cause problem with ATS, your server should really be supporting TLS 1.2 it is pretty ubiquitous now. You also need to make sure the cert is using at east SHA256 fingerprint with either a 2048 bit or greater RSA key, or a 256bit or greater Elliptic-Curve (ECC) key and you need to support one of these cyphers:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
This may look scare but in reality the above is pretty standard.
NOTE:
both of them are often referred to as SSL
You are correct but this is a bad habit. They might do the same thing but they do it in a different way. SSL is SSL and TLS is TLS, they are different.
NOTE 2:
If you do use cert pinning consider using public key pinning or CA cert pinning.
https://infinum.co/the-capsized-eight/how-to-make-your-ios-apps-more-secure-with-ssl-pinning
"With the release of the iOS 9, the App Transport Security library was also introduced. By default, ATS denies all insecure connections which do not use at least the TLS 1.2 protocol. The TLS protocol is a replacement for the SSL protocol, but still, both of them are often referred to as SSL. With SSL pinning in mind, there is no difference between having TLS or SSL as the underlying implementation - the basic concept remains the same.
I have developed an iOS app using Xamarin and I am unsure about how encryption would work when calling a service that uses HTTPS.
On my end I do nothing particularly special: I utilize a RestClient and add the credentials to the body of a json serialized request. I then post it to the HTTPS service.
Is this safe or should I be doing more? I am not sure if iOS handles the rest for me in terms of encryption.
Answer
Yes, by using HTTPS, you are most-likely safe. However, there are a couple things to verify to ensure that there are no security leaks.
More Info on TLS
Communication with secure HTTPS enpoints encrypt the header and body of the message by default using TLS.
HTTPS consists of communication over Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security. Source
Things To Verify
Do Not Use Sensitve Data in the URL
The Url of the HTTPS endpoint is not encrypted. It is important to never put any sensitive data into the Url of the HTTPS enpoint. To ensure sensitive data is encrpyted, put the data in the message body.
For example, if you are validating a user's login (username: user1234, password: password1234), do not send the username/password as a url parameter. Instead, serialize the username and password data, and set it as the HttpContent of the HttpClient.
Bad: https://myApiEndpoint.com/getIsUserValid/user123/password1234
iOS HttpClient Implementation
Ensure that you are using NSUrlSession for the iOS HttpClient Implementation.
NSUrlSession will use TLS by default when communicating with secure HTTPS endpoints. As of iOS 10, NSAppTransportSecurity will not allow communication to non-secure HTTP endpoints by default; communication with non-secure HTTP enpoints can be enabled by updating NSAppTransportSecurity in Info.plist, Apple Documentation.
You can verify NSUrlSession is being used in the iOS Build Settings (screenshot below).
When using HTTPS everything except the server address is encrypted during transit. The encryption is totally transparent to the client and server.
Example: for the URL https://myApiEndpoint.com/getIsUserValid/user123/password1234 only myApiEndpoint.com is not encrypted, the rest of the URL is encrypted.
In order to protect against MITM attacks pin the server certificate, that is verify that the certificate received on the request belongs to the correct server.
If you control the server use TLS 1.2 and Perfect Forward Secrecy.
I am making Https connection with NSURLConnection so I wanted to know default What version of Protocol(TLS) used.
How can I differentiate SSL/TLS and HTTP Protocol while making request.
Currently the app I'm working on uses NSURLConnection to connect to the server using HTTPS. The requirement is to enforce the prevention of connections using SSL 2.0 and to use only SSL 3.0 or TLS for connections.
What should be done to disable SSL 2.0 support in the app? As far as i see lower level CFNetwork or Secure Transport API provide some control over SSL protocol, but should all the current NSURL* networking code be changed in order to do this?
As far as I know, you cannot achieve this with NSURLConnection.
However, NSURLSession provides APIs to configure a session via a NSULRSessionConfiguration and TLSMaximumSupportedProtocol and TLSMinimumSupportedProtocol.
Switching from NSURLConnection to NSULRSession/NSURLSessionTask should be straight forward.
I am thinking of writing an Apple Push Notification server using Dart. Does Dart support client side SSL/TLS certificates?
Yes! Dart VM now supports SSL/TLS, and HTTPS.
See http://code.google.com/p/dart/issues/detail?id=3950 and http://code.google.com/p/dart/issues/detail?id=3593 which are now closed. :)
Dart supports SSL/TLS client connections using SecureSocket. It also supports secure server sockets using SecureServerSocket to (use this if you need to listen on a secure port on the VM).
Note that the ordinary HttpClient will automatically handle HTTPS for your browser connections so no extra code is needed in these cases.