TLDR: Is there any way to configure iOS SSL cipher suites for a mobile-device-initiated, REST-over-TLS network connection, without using non-iOS-native HTTP or SSL libraries. If so, where is the API documented and are there any examples?
Details: I am working with others to develop an iOS mobile application and we are unable to locate details about how to force the native iOS crypto libraries to use a specific version of SSL/TLS, or specific cipher suites. This is for a custom REST application, so the approach would have to be possible to connect via HTTP over TLS.
The app is written in Objective-C. We are trying to stay within iOS native functionality without including a separate SSL/TLS library.
I did try to search for an answer on SO, but I didn't find anything that seemed to cover the question.
Related
I have configured the Burp suit to intercept the API(http and https) calls from the iOS mobile apps.
Am getting the expected result from all my native iOS apps which use http and https(SSL certificate pinning disabled)
But for flutter mobile app, no request is intercepted and no items are listing under "http history" tab.
I am using the flutter default package "http.dart" for the API calls. Does this package contain any kind of inbuilt security to avoid network interception?
Flutter uses Dart, which doesn’t use the system CA store. This way, even though you have installed BURP CA on your iOS device, flutter is oblivious to that as it uses a list of CA’s that are embedded into the application itself.
You have to disable SSL certificate verification in your app for testing purposes. For disabling SSL certificate verification in flutter, please refer to:
how to solve flutter CERTIFICATE_VERIFY_FAILED error while performing a POST request?
Also, it might be the case your iOS dart setup isn't compeltely proxy aware (usually Android Dart isn't). I'd investigate that out as well.
I want to make sure that my iOS app will connect with a defined web server though web api and doesn't have any access to some other domain.
I have tried to implement NSAppTransportSecurity to define my web server domain but it is not working for me and the app can still have an access to other domains as well.
I'm using Alamofire networking library in Swift to make web API requests.
Please guide me whether I can achieve this or not.
Update:
ATS is not working for me with Alamofire library of Swift.
Example:
// This should be accessible from my app only and the app shouldn't send any request to other domains
www.mydomain.com
Update# 2
My Purpose
My aim is to restrict my app to do so because if any opensource framework I use in my app won't be able to access any other web server excepts the one I defined.
It would be great if something I can do in plist or from app settings for the general app target.
It's impossible to restrict/filter the network traffic with ATS.
ATS enforce security policies when loading HTTP- and URL-based resources and doesn't restrict/filter network traffic.
App Transport Security (ATS) is enforced by the NSURLSession class and all APIs that use it. ATS is automatically enabled when you link your app against the iOS 9.0 SDK or later or against the macOS 10.11 SDK or later. (The older NSURLConnection class also enforces ATS when you link against the iOS 9.0 SDK or later or against the macOS 10.11 SDK or later.) ATS protections are not available when using lower-level networking APIs provided by Apple, or when using third-party networking libraries. Source
I am trying to find what is the default implementation of BlackBerry for TLS protocol. Does it default to 1.0 or 1.1 or 1.2.
I am trying to find 1. What versions are TLS are supported 2. What is the default?
I have an app on BB world that connects to a back office server. The server team has decided to deprecate TLSv1.0. I am trying to find if this will impact my customers?
Current versions of BB10 do indeed support TLS 1.2 which you can test by using tools provided by SSL Labs. Unfortunately that is not the end of the story.
TLS is a protocol which specifies how to set up and use an encrypted connection. It does not set absolute requirements on encryption algorithm support however. I am aware of one documented case of an issue connecting with some Exchange Active Sync servers because the BB10 device and the server as configured do not have any cypher suites in common. Other EAS servers that are configured differently do not present this issue to BB10 devices.
What you need to do is find out specifically how the server team is going to configure TLS, and what they are going to accept for connections.
Right now I'm developing an application using Xamarin.Forms. I ran into a problem with the TLS protocol.
My application uses an API. Because of security reasons the API uses HTTPS. This week we decided to remove the support of TLS 1.0 to accept only TLS 1.1 and 1.2 on the server side, but after we made this change, I noticed that my application stoped working.
While debugging I noticed that the call of the API throws an exception (I'm using HttpClient class from .Net). By searching for solutions on the Internet, I saw that many people think the problem is related to TLS support.
I solved this problem on Android and iOS using a plugin named ModernHTTPClient but one of my customers reported me that on his device running on Android they still have the problem (he's running a device with Android 4.2).
Checking Android documentation I saw that this version have support but is not enable by default, and the hard part is that there's not much documentation in the Internet about how I can activate this.
Any advice of how I can activate this? Did Xamarin.Android have native support for TLS 1.1 and up?
Thanks
ModernHTTPClient should use the platforms' native HTTP handling. Looks like for now you can build it manually using this pull: https://github.com/paulcbetts/ModernHttpClient/pull/210
Related Question:
AWS S3 Disabling SSLv3 Support
This is more of an inquiry for the mobile iOS SDK. Wondering what I have to do or where to start since am a bit clueless.
Also just received a notice that Amazon is deprecating SSLv3 and that I need to modify my requests to use TLS.
This is an older iOS app still using the AWS iOS SDK 1.7 version. This basically just accesses S3 Buckets for both upload and download of images.
Now is this normally handled already by the library or do I have to update to the v2 library, thereby dropping iOS 6 support. Or can it just be through code changes, etc.
The SSLSecurityLevel is handled by iOS.
Apple's Doc "By default, a stream’s security level is kCFStreamSocketSecurityLevelNegotiatedSSL. ", which means the client negotiated with server and choose the highest level security protocol agreed by both end.
Since all iOS version supports TLS,by default, iOS client will always try to use TLS during negotiation, and fallback to SSLv3 if it is not available. As long as server supports TLS, you should see no SSLv3 communications unless the default SSLSecurityLevel has been changed.