章节都为本人定义,无抄袭,其中英文部分内容为官方文档摘抄以及自己总结,翻译的不好,敬请指正

App Transport Security(暂且翻译为app传输安全)

What is ATS?

App Transport Security (ATS) enforces best practices in the secure connections between an app and its back end. ATS prevents accidental disclosure, provides secure default behavior, and is easy to adopt; it is also on by default in iOS 9 and OS X v10.11. You should adopt ATS as soon as possible, regardless of whether you’re creating a new app or updating an existing one.

ATS为app应用和后台之间的安全连接提供了一个很好地规范,ATS阻止了额外的消息泄露,提供了安全规范的行为,并且很容易采用。同时最早提供在iOS 9 和 OS X v10.11之间的交互中。开发者应该尽快的采用ATS,无论是创建还是更新app。

If you’re developing a new app, you should use HTTPS exclusively. If you have an existing app, you should use HTTPS as much as you can right now, and create a plan for migrating the rest of your app as soon as possible. In addition, your communication through higher-level APIs needs to be encrypted using TLS version 1.2 with forward secrecy. If you try to make a connection that doesn‘t follow this requirement, an error is thrown. If your app needs to make a request to an insecure domain, you have to specify this domain in your app‘s Info.plist file

如果你正在开发一个新的应用,你应该只用HTTPS协议。如果你已经有一个app,你应该现在就尽可能地用HTTPS,并且有计划地尽快改动剩下的部分。另外通过高等级API进行的通信需要用 采用forward secrecy的TLS 1.2进行编码。如果你试着建立一个不符合标准的连接,将会抛出错误。如果你的app需要向一个不可靠的域发送请求,你必须在你的plist文件里指定这个域。

ATS requirements:

All connections using the NSURLConnectionCFURL, or NSURLSession APIs use App Transport Security default behavior in apps built for iOS 9.0 or later, and OS X 10.11 or later. Connections that do not follow the requirements will fail.

所有用到 NSURLConnectionCFURL 或者 NSURLSession 的 API在iOS9.0或者OS X 10.00 以后的版本都用ATS的标准行为进行编译. 没有满足ATS要求的连接将会失败。

These are the App Transport Security requirements:

满足ATS需要下列要求:

  • The server must support at least Transport Layer Security (TLS) protocol version 1.2.     必须是TLS协议1.2之后的版本

  • Connection ciphers are limited to those that provide forward secrecy (see the list of ciphers below.)   必须是提供forward secrecy的连接加密(查看后面的可通过的加密规则)

  • Certificates must be signed using a SHA256 or greater signature hash algorithm, with either a 2048 bit or greater RSA key or a 256 bit or greater Elliptic-Curve (ECC) key.

    Invalid certificates result in a hard failure and no connection.   证书必须是用SHA256或者更好的签名hash算法,可以用一个2048bit key或者 RSA key 或者 ECCkey

These are the accepted ciphers:

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

If your connect not apply to the requirements, you will get the error followed:

如果连接不满足要求,将会报下列错误:

NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)

 

How to set ATS with HTTPS not apply to ATS? (设置不满足要求的HTTPS协议)

<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>api.circletable.com</key>
<dict>
<key>NSIncludesSubdomains</key> <true/>
<key>NSExceptionRequiresForwardSecrecy</key> <false/>
                                <key>NSExceptionAllowsInsecureHTTPLoads</key> <true/>
</dict>
</dict>
</dict>

 

NSIncludesSubdomains设置为YES表示子级域名和父级域名都使用相同设置。

NSExceptionRequiresForwardSecrecy为NO 如果当前HTTPS不支持ForwardSecrecy,屏蔽掉改功能。

NSExceptionAllowInsecureHTTPLoads设置为YES,则表示允许访问没有证书或者是自签名、过期、主机名不匹配的证书引发的错误的域名。

 

 

How and when to disable ATS?(什么时候不使用ATS,怎样取消ATS)

在iOS 9下直接用http请求会收到如下错误

App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app‘s Info.plist file.

如果需要支持Http,需要在info.plist中添加字段:

<key>NSAppTransportSecurity</key><dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/></dict>

NSAllowsAritraryLoads部分表示禁用ATS

The property keys(可设置的属性)

KeysType

NSAppTransportSecurity

Dictionary

NSAllowsArbitraryLoads

Boolean

NSExceptionDomains

Dictionary

<domain-name-for-exception-as-string>

Dictionary

NSExceptionMinimumTLSVersion

String

NSExceptionRequiresForwardSecrecy

Boolean

NSExceptionAllowsInsecureHTTPLoads

Boolean

NSIncludesSubdomains

Boolean

NSThirdPartyExceptionMinimumTLSVersion

String

NSThirdPartyExceptionRequiresForwardSecrecy

Boolean

NSThirdPartyExceptionAllowsInsecureHTTPLoads

Boolean

NSAppTransportSecurity

A dictionary containing the settings for overriding default App Transport Security behaviors. The top level key for the app’s Info.plist file.

一个用于重写ATS标准行为的字典,里面包含ATS的设置。在app的plist文件里是顶级设置目录

NSAllowsArbitraryLoads

A Boolean value used to disable App Transport Security for any domains not listed in the NSExceptionDomains dictionary. Listed domains use the settings specified for that domain.The default value of NO requires the default App Transport Security behavior for all connections.

一个布尔值,对于任何没有在NSExceptionDomains的字典里添加的域,可以用这个值来禁用ATS。 默认值为NO,表示所有连接都需要采用ATS标准

NSExceptionDomains

A dictionary of App Transport Security exceptions for specific domains. Each key is a string containing the domain name for the exceptions.

存放特殊ATS的字典,每个键值是一个包含特殊域名的字符串

<domain-name-for-exception-as-string>

A dictionary of exceptions for the named domain. The name of the key is the name of the domain–for example, www.apple.com.

存放特殊域的字典,键值是域名

NSExceptionMinimumTLSVersion

A string that specifies a the minimum TLS version for connections. Valid values are:TLS v1.0, TLS v1.1, TLS v1.2.

TLSV1.2 is the default value.

一个为连接最小TLS版本号的字符串。有效的值是TLSv1.0, TLSv1.1, TLSv1.2. 默认的值是TLS v1.2

NSExceptionRequiresForwardSecrecy

A Boolean value for overriding the requirement that the domain support forward secrecy using ciphers.

YES is the default value and limits the ciphers to those shown in Default Behavior.

Setting the value to NO adds the following the list of accepted ciphers:

  • TLS_RSA_WITH_AES_256_GCM_SHA384

  • TLS_RSA_WITH_AES_128_GCM_SHA256

  • TLS_RSA_WITH_AES_256_CBC_SHA256

  • TLS_RSA_WITH_AES_256_CBC_SHA

  • TLS_RSA_WITH_AES_128_CBC_SHA256

  • TLS_RSA_WITH_AES_128_CBC_SHA

NSExceptionAllowsInsecureHTTPLoads

A Boolean value for overriding the requirement that all connections use HTTPS. Use this key to access domains with no certificate, or with an error for a self-signed, expired, or hostname-mismatch certificate.

NO is the default value.

NSIncludesSubdomains

A Boolean value for applying the overrides to all subdomains of the top-level domain.

NO is the default value.

NSThirdPartyExceptionMinimumTLSVersion

A version of NSExceptionMinimumTLSVersion used when the domain is an app service that is not controlled by the developer.

NSThirdPartyExceptionRequiresForwardSecrecy

A version of NSExceptionRequiresForwardSecrecy used when the domain is an app service that is not controlled by the developer.

NSThirdPartyExceptionAllowsInsecureHTTPLoads

A version of NSExceptionAllowsInsecureHTTPLoads used when the domain is an app service that is not controlled by the developer.

Reference

http://ste.vn/2015/06/10/configuring-app-transport-security-ios-9-osx-10-11/

http://www.neglectedpotential.com/2015/06/working-with-apples-application-transport-security/

https://developer.apple.com/library/prerelease/ios/releasenotes/General/WhatsNewIniOS/Articles/iOS9.html

https://developer.apple.com/library/prerelease/ios/releasenotes/DeveloperTools/RN-Xcode/Chapters/xc7_release_notes.html#//apple_ref/doc/uid/TP40001051-CH5-SW1

04-30 18:58