In summary, below is what we need to do in the apps
1. Make every URLs to https
2. Ensure the TLS version is TLS1.2.
3. Have the certificate used in the server to client communication is trusted.
How do we detect if a URL is ATS compliant?
The nscurl tool on OS X El Capitan supports diagnosing ATS secure connections.
For example, /usr/bin/nscurl --ats-diagnostics https://www.example.com will display ATS connection information for www.example.com. Run /usr/bin/nscurl -h for more information.
This tools prints PASS / FAIL information. Ensure PASS results for test with diagnose dictionary with NO exceptions specified.
To view the certificate info of a particular Domain or test out the connection, TLS tool will be a good utility.
https://developer.apple.com/library/content/samplecode/sc1236/Introduction/Intro.html#//apple_ref/doc/uid/DTS40014927-Intro-DontLinkElementID_2
Does it affect Socket communication?
Below is the answer from Apple staff (https://forums.developer.apple.com/thread/48979)
Right now ATS is only enforced by our high-level APIs (NSURLSession, NSURLConnection, and anything layered on top of those), and there’s been no announcements about that changing.
Keep in mind, however, that ATS’s enhanced security requirements are not arbitrary; they are defined to give your users a good level of security on an increasingly hostile Internet. As such, your app should aim to comply with these requirements even if ATS is not actively enforcing them.
https://developer.apple.com/library/content/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html#//apple_ref/doc/uid/TP40009251-SW59
(Section NSAppTransportSecurity)
1. Make every URLs to https
2. Ensure the TLS version is TLS1.2.
3. Have the certificate used in the server to client communication is trusted.
How do we detect if a URL is ATS compliant?
The nscurl tool on OS X El Capitan supports diagnosing ATS secure connections.
For example, /usr/bin/nscurl --ats-diagnostics https://www.example.com will display ATS connection information for www.example.com. Run /usr/bin/nscurl -h for more information.
This tools prints PASS / FAIL information. Ensure PASS results for test with diagnose dictionary with NO exceptions specified.
To view the certificate info of a particular Domain or test out the connection, TLS tool will be a good utility.
https://developer.apple.com/library/content/samplecode/sc1236/Introduction/Intro.html#//apple_ref/doc/uid/DTS40014927-Intro-DontLinkElementID_2
Does it affect Socket communication?
Below is the answer from Apple staff (https://forums.developer.apple.com/thread/48979)
Right now ATS is only enforced by our high-level APIs (NSURLSession, NSURLConnection, and anything layered on top of those), and there’s been no announcements about that changing.
Keep in mind, however, that ATS’s enhanced security requirements are not arbitrary; they are defined to give your users a good level of security on an increasingly hostile Internet. As such, your app should aim to comply with these requirements even if ATS is not actively enforcing them.
https://developer.apple.com/library/content/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html#//apple_ref/doc/uid/TP40009251-SW59
(Section NSAppTransportSecurity)
No comments:
Post a Comment