Understanding and Configuring App Transport Security (ATS) in iOS

App Transport Security (ATS) is a security feature introduced by Apple to protect user data in transit. It enforces secure connections between your app and network servers, enhancing the privacy and security of your users. While ATS is crucial for a secure app, it can sometimes block seemingly harmless HTTP connections. This tutorial explains how ATS works and how to configure it to allow specific HTTP connections when necessary, while still maintaining a strong security posture.

What is App Transport Security?

ATS, introduced in iOS 9, requires that all network connections made by your app use HTTPS by default. This means data is encrypted in transit, protecting it from eavesdropping and tampering. ATS achieves this by:

  • Requiring TLS 1.2: It mandates the use of Transport Layer Security (TLS) version 1.2 or later for secure connections.
  • Encouraging HSTS: It encourages the use of HTTP Strict Transport Security (HSTS) so that future connections to the same host also use HTTPS.
  • Blocking Cleartext HTTP: By default, ATS blocks connections using plain HTTP (non-HTTPS).

Why might you need to configure ATS?

While HTTPS is the preferred method, there are some scenarios where your app might need to connect to servers using HTTP. These could include:

  • Legacy Systems: Connecting to older servers that haven’t been updated to support HTTPS.
  • Testing and Development: Using local development servers that may not have HTTPS configured.
  • Specific API Requirements: Rare cases where an API explicitly requires HTTP.

Important Security Note: Allowing HTTP connections should be done cautiously and only when absolutely necessary. Always prioritize HTTPS whenever possible.

Configuring ATS in Info.plist

You configure ATS by editing the Info.plist file of your iOS project. Info.plist is an XML property list that holds your app's configuration. Here's how to configure ATS to allow specific HTTP connections:

  1. Add NSAppTransportSecurity Dictionary: If it doesn't already exist, add a dictionary with the key NSAppTransportSecurity to your Info.plist.

  2. Configure Exception Domains: Within the NSAppTransportSecurity dictionary, add another dictionary with the key NSExceptionDomains. This dictionary allows you to specify domains for which you want to relax ATS restrictions.

  3. Specify Domain and Exceptions: For each domain you want to allow HTTP connections to, add a key representing the domain (e.g., example.com). The value associated with this key should be another dictionary containing the specific exceptions.

Here's an example Info.plist snippet:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>example.com</key>
        <dict>
            <!-- Permits cleartext HTTP to this domain. The current key name is
                 NSExceptionAllowsInsecureHTTPLoads; the NSTemporaryException...
                 form shown here is an older name that is still accepted. -->
            <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <!-- Extends every exception in this dictionary to *.example.com -->
            <key>NSIncludesSubdomains</key>
            <true/>
            <!-- Lowers the minimum accepted TLS version below the ATS default of
                 TLSv1.2 for HTTPS connections to this domain. Current key name:
                 NSExceptionMinimumTLSVersion. -->
            <key>NSTemporaryExceptionMinimumTLSVersion</key>
            <string>TLSv1.1</string>
        </dict>
    </dict>
</dict>

Let’s break down the keys:

  • NSTemporaryExceptionAllowsInsecureHTTPLoads: Setting this to true allows cleartext HTTP requests to the specified domain.
  • NSIncludesSubdomains: Setting this to true applies the exceptions to all subdomains of the specified domain as well, so keep it false unless subdomains genuinely need the exception.
  • NSTemporaryExceptionMinimumTLSVersion: This sets the minimum TLS version ATS accepts for HTTPS connections to the domain. ATS requires TLS 1.2 by default, so a value such as TLSv1.1 is itself a relaxation; only lower it when the server cannot negotiate TLS 1.2, and keep the domain on HTTPS wherever possible even while insecure loads are allowed.

Allowing All Connections (Not Recommended):

You can also disable ATS for every connection by setting NSAllowsArbitraryLoads to true within the NSAppTransportSecurity dictionary. This is strongly discouraged: it removes ATS's protections from all of your app's network traffic, not just the one server that needs an exception, and defeats the purpose of ATS.

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

Best Practice: Always specify exceptions for specific domains rather than disabling ATS entirely. This maintains a balance between security and functionality. Remember to remove these exceptions when they are no longer needed.
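As an added example (not code from the tutorial), here is a small audit that uses Python's standard plistlib to parse an Info.plist and report each of the ATS weakenings discussed above: a global NSAllowsArbitraryLoads, per-domain cleartext HTTP, and a minimum TLS version below the ATS default of 1.2. The sample plist is constructed by wrapping this page's snippet in a complete file; the function name audit_ats and the finding strings are my own.

```python
import plistlib

# Constructed sample (not a real app's plist): the tutorial's exception-domain
# snippet wrapped in a complete Info.plist so plistlib can parse it.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSExceptionDomains</key>
        <dict>
            <key>example.com</key>
            <dict>
                <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
                <true/>
                <key>NSIncludesSubdomains</key>
                <true/>
                <key>NSTemporaryExceptionMinimumTLSVersion</key>
                <string>TLSv1.1</string>
            </dict>
        </dict>
    </dict>
</dict>
</plist>
"""

# Current key names plus the older "NSTemporaryException..." aliases the tutorial uses.
INSECURE_HTTP_KEYS = ("NSExceptionAllowsInsecureHTTPLoads",
                      "NSTemporaryExceptionAllowsInsecureHTTPLoads")
MIN_TLS_KEYS = ("NSExceptionMinimumTLSVersion", "NSTemporaryExceptionMinimumTLSVersion")
TLS_ORDER = {"TLSv1.0": 0, "TLSv1.1": 1, "TLSv1.2": 2, "TLSv1.3": 3}


def audit_ats(plist_bytes: bytes) -> list[str]:
    """Return one finding per setting that weakens ATS's default (HTTPS, TLS 1.2+)."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads: ATS disabled for every connection")
    for domain, exc in ats.get("NSExceptionDomains", {}).items():
        scope = domain + (" and subdomains" if exc.get("NSIncludesSubdomains") else "")
        if any(exc.get(k) for k in INSECURE_HTTP_KEYS):
            findings.append(f"{scope}: cleartext HTTP permitted")
        for version in (exc.get(k) for k in MIN_TLS_KEYS):
            # Anything below TLSv1.2 is weaker than what ATS enforces by default.
            if version in TLS_ORDER and TLS_ORDER[version] < TLS_ORDER["TLSv1.2"]:
                findings.append(f"{scope}: minimum TLS lowered to {version}")
    return findings
```

Running audit_ats over a build's Info.plist in CI is a cheap way to catch an exception that was meant to be temporary but never got removed.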

Troubleshooting

If you’re still experiencing issues with blocked HTTP connections, double-check the following:

  • Correct Domain Name: Ensure the domain name in your Info.plist matches the actual host you're connecting to (and that NSIncludesSubdomains is set if the request goes to a subdomain).
  • Caching: Clear any cached network requests or data.
  • Server Configuration: Verify that the server you’re connecting to is configured correctly.
  • Xcode Configuration: Make sure your Xcode target is using the Info.plist file you edited.

By understanding and properly configuring ATS, you can ensure that your iOS app is both secure and functional, providing a great user experience while protecting sensitive data.
