The following log output appeared when a third-party SDK was used in a previous project:
App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file.
Cannot start load of Task <0CF595B5-17EA-44B3-8E5D-8AA70B6D28EE>.<0> since it does not conform to ATS policy
NSURLConnection finished with error - code -1022
Task .<2> finished with error - code: -1022
This output appears because, starting with iOS 9, Apple ships App Transport Security (ATS). To push apps toward HTTPS, ATS makes plain http:// requests fail by default. The simple and crude way out, and the one I used to take, is to set Allow Arbitrary Loads (NSAllowsArbitraryLoads) to YES in Info.plist, which switches ATS off for the whole app.
Apple added ATS to protect the security and integrity of user data. Before looking at ATS itself, consider what is wrong with HTTP and what HTTPS adds.
Advantages of HTTPS over HTTP:
Problems with HTTP:
- Traffic is transmitted in clear text and can be eavesdropped on.
- The peer is not authenticated, so an attacker can impersonate the server in a man-in-the-middle attack.
- The integrity of messages cannot be verified, so packets may be tampered with in transit without detection.
HTTPS (HTTP over TLS, or over its predecessor SSL) was created to address these problems.
You may not be familiar with TLS and SSL, but you have probably used OpenSSL. OpenSSL is a robust, commercial-grade, full-featured toolkit for the TLS and SSL protocols; in other words, OpenSSL is one implementation of TLS.
So how does HTTPS eliminate HTTP's shortcomings?
- Against plaintext transmission: HTTPS does not encrypt the HTTP content itself; instead it carries HTTP over a TLS-encrypted channel, so an eavesdropper on the wire sees only ciphertext.
- Against the missing peer authentication: HTTPS uses the certificate presented during the TLS handshake to verify the identity of the server (and, optionally, of the client).
- Against undetected tampering: TLS authenticates every record it encrypts (with a MAC or an AEAD cipher built on a message digest), so a modified message fails verification and is rejected, which preserves the integrity of the communication.
Let's move on to ATS.
Introduction to ATS
App Transport Security (ATS) is a policy that requires an app to use HTTPS (with a modern TLS configuration) or to declare its exceptions explicitly in Info.plist. The ATS dictionary has the following structure:
NSAppTransportSecurity : Dictionary {
    NSAllowsArbitraryLoads : Boolean
    NSAllowsArbitraryLoadsForMedia : Boolean
    NSAllowsArbitraryLoadsInWebContent : Boolean
    NSAllowsLocalNetworking : Boolean
    NSExceptionDomains : Dictionary {
        <domain-name-string> : Dictionary {
            NSIncludesSubdomains : Boolean
            NSExceptionAllowsInsecureHTTPLoads : Boolean
            NSExceptionMinimumTLSVersion : String
            NSExceptionRequiresForwardSecrecy : Boolean // Default value is YES
            NSRequiresCertificateTransparency : Boolean
        }
    }
}
The key most of us know is NSAllowsArbitraryLoads: set it to YES and any HTTP request loads, because ATS is then disabled for every host.
NSAllowsArbitraryLoadsForMedia, NSAllowsArbitraryLoadsInWebContent and NSAllowsLocalNetworking were added in iOS 10; earlier releases ignore them.
- NSAllowsArbitraryLoads defaults to NO. Setting it to YES is the convenient way to let the app make plain HTTP requests, but it switches ATS off for every host, so if your own servers already support HTTPS it is overkill. App Store review asks for a justification when it is set, and on iOS 10 and later it is ignored whenever one of the three targeted keys below is also present.
- NSAllowsArbitraryLoadsForMedia defaults to NO. Set it to YES only when audio or video loaded through the AV Foundation framework has to come over HTTP; other requests stay subject to ATS.
- NSAllowsArbitraryLoadsInWebContent defaults to NO. Set it to YES to let UIWebView or WKWebView load HTTP content while the rest of the app stays subject to ATS.
- NSAllowsLocalNetworking defaults to NO. Set it to YES when the app talks to hosts on the local network (intranet) over HTTP.
- NSExceptionDomains is a dictionary keyed by domain name, so several domains can be configured side by side.
- <domain-name-string> is the domain the exception applies to.
- NSIncludesSubdomains defaults to NO and specifies whether the exception also covers subdomains of that domain.
- NSExceptionAllowsInsecureHTTPLoads defaults to NO and specifies whether insecure HTTP loads are allowed for the domain.
- NSExceptionMinimumTLSVersion is a string (TLSv1.0, TLSv1.1, TLSv1.2 or TLSv1.3) that specifies the minimum TLS version; the ATS default is TLSv1.2.
- NSExceptionRequiresForwardSecrecy defaults to YES. It restricts the negotiated cipher suites to those that provide forward secrecy, i.e. ephemeral (EC)DHE key exchange, so that a later compromise of the server's long-term private key cannot be used to decrypt recorded past sessions. Set it to NO only for a server that offers no such suites.
- NSRequiresCertificateTransparency defaults to NO. When YES, ATS additionally requires the server's certificate to be accompanied by valid signed certificate timestamps (SCTs) proving it was submitted to public Certificate Transparency logs. A certificate mis-issued for a man-in-the-middle attack is unlikely to have been logged, so the connection is rejected even though the certificate chains to a trusted CA.
Here’s an example:
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>domain-i-control.example.com</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <false/>
            <key>NSExceptionRequiresForwardSecrecy</key>
            <false/>
            <key>NSExceptionMinimumTLSVersion</key>
            <string>TLSv1.2</string>
        </dict>
        <key>other-domain-i-control.example.com</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <key>NSExceptionRequiresForwardSecrecy</key>
            <false/>
            <key>NSExceptionMinimumTLSVersion</key>
            <string>TLSv1.2</string>
            <key>NSIncludesSubdomains</key>
            <false/>
        </dict>
    </dict>
</dict>
Interpretation: for domain-i-control.example.com, plain HTTP is not allowed, forward secrecy is not required, and the minimum TLS version is TLSv1.2. For other-domain-i-control.example.com, plain HTTP is allowed, forward secrecy is not required, the minimum TLS version is TLSv1.2, and, because NSIncludesSubdomains is false, the exception covers that host only and not its subdomains.
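As an added example (this is not code from the original post or from Apple), here is a small Python audit of the NSAppTransportSecurity dictionary that flags the weak settings discussed above, the kind of check worth running over every Info.plist in a build before it reaches review. It uses only the standard library's plistlib. The three sample plists are constructed for the example (the domain names are borrowed from the example above), the severity labels are this example's own convention, and the precedence note (NSAllowsArbitraryLoads being ignored on iOS 10 and later when a targeted key is present) follows Apple's documentation of those keys.

```python
"""Added example (not from the original post): audit the ATS dictionary of an
iOS Info.plist and flag settings that weaken transport security.

Assumptions: only the Python standard library (plistlib) is used; the sample
plists are constructed for this example; the severity labels are this
example's own convention, not Apple's.
"""
import plistlib

# Rank of the string values accepted for NSExceptionMinimumTLSVersion.
TLS_RANK = {"TLSv1.0": 0, "TLSv1.1": 1, "TLSv1.2": 2, "TLSv1.3": 3}

# The targeted global keys added in iOS 10. When any of them is present,
# iOS 10 and later ignore NSAllowsArbitraryLoads (earlier releases honour it).
TARGETED_KEYS = (
    "NSAllowsArbitraryLoadsForMedia",
    "NSAllowsArbitraryLoadsInWebContent",
    "NSAllowsLocalNetworking",
)


def audit_ats(plist_bytes):
    """Return a list of (severity, message) findings for NSAppTransportSecurity."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []

    if ats.get("NSAllowsArbitraryLoads"):
        if any(ats.get(key) for key in TARGETED_KEYS):
            findings.append(("INFO", "NSAllowsArbitraryLoads=YES is ignored on iOS 10+ "
                                     "because a targeted ATS key is also set"))
        else:
            findings.append(("HIGH", "NSAllowsArbitraryLoads=YES disables ATS for every host"))

    for domain, exc in ats.get("NSExceptionDomains", {}).items():
        if exc.get("NSExceptionAllowsInsecureHTTPLoads"):
            scope = "and all subdomains" if exc.get("NSIncludesSubdomains") else "(this host only)"
            findings.append(("HIGH", f"{domain}: cleartext HTTP allowed {scope}"))
        # The default is YES, so only an explicit <false/> weakens the policy.
        if exc.get("NSExceptionRequiresForwardSecrecy", True) is False:
            findings.append(("MEDIUM", f"{domain}: forward secrecy not required"))
        min_tls = exc.get("NSExceptionMinimumTLSVersion", "TLSv1.2")
        if TLS_RANK.get(min_tls, -1) < TLS_RANK["TLSv1.2"]:
            findings.append(("MEDIUM", f"{domain}: minimum TLS version {min_tls} is not TLSv1.2 or newer"))
    return findings


# Constructed sample 1: the "simple and crude" fix, ATS switched off globally.
CRUDE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
  </dict>
</dict>
</plist>
"""

# Constructed sample 2: per-domain exceptions with the same shape as the post's example.
SCOPED_PLIST = plistlib.dumps({
    "NSAppTransportSecurity": {
        "NSExceptionDomains": {
            "domain-i-control.example.com": {
                "NSExceptionAllowsInsecureHTTPLoads": False,
                "NSExceptionRequiresForwardSecrecy": False,
                "NSExceptionMinimumTLSVersion": "TLSv1.2",
            },
            "other-domain-i-control.example.com": {
                "NSExceptionAllowsInsecureHTTPLoads": True,
                "NSExceptionRequiresForwardSecrecy": False,
                "NSExceptionMinimumTLSVersion": "TLSv1.2",
                "NSIncludesSubdomains": False,
            },
        }
    }
})

# Constructed sample 3: global switch plus a targeted key; iOS 10+ ignore the global one.
MIXED_PLIST = plistlib.dumps({
    "NSAppTransportSecurity": {
        "NSAllowsArbitraryLoads": True,
        "NSAllowsArbitraryLoadsInWebContent": True,
    }
})

if __name__ == "__main__":
    for name, blob in (("crude", CRUDE_PLIST), ("scoped", SCOPED_PLIST), ("mixed", MIXED_PLIST)):
        print(f"== {name}")
        for severity, message in audit_ats(blob):
            print(f"  [{severity}] {message}")
```

Pass the raw bytes of an Info.plist (binary plists work too, plistlib detects the format) to audit_ats; run over a built .app the same way. The forward-secrecy check deliberately looks for an explicit NO rather than a missing key, because the key's default is YES and a missing key does not weaken anything.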
ATS has many configurable values, so how do we decide which ones are appropriate? Note that it is not only http:// requests that fail: an HTTPS request can fail too when the server's TLS setup does not meet ATS's requirements (TLS 1.2 or later, forward-secrecy cipher suites, a SHA-256 certificate with an RSA key of at least 2048 bits or an ECC key of at least 256 bits). With some SDKs you may not even see the ATS log line; if you have an error code to go on, NSURLErrorAppTransportSecurityRequiresSecureConnection (-1022) is a reasonable indication that the SDK's network request is being blocked by ATS. Apple also provides a command that works out which ATS settings a host needs.
The command is /usr/bin/nscurl --ats-diagnostics [--verbose] URL. It loads the URL over HTTPS under a series of ATS configurations and reports which of them succeed.
For example, suppose the SDK fetches resources from so.com and we have deliberately written the URL as http:// instead of https://. To see which ATS settings allow so.com to load, run:
Example: /usr/bin/nscurl --ats-diagnostics --verbose so.com
Result demo:
Starting ATS Diagnostics

Configuring ATS Info.plist keys and displaying the result of HTTPS loads to https://so.com.
A test will "PASS" if URLSession:task:didCompleteWithError: returns a nil error.
================================================================================

Default ATS Secure Connection
---
ATS Default Connection
ATS Dictionary:
{
}
Result : PASS
---

================================================================================

Allowing Arbitrary Loads
---
Allow All Loads
ATS Dictionary:
{
    NSAllowsArbitraryLoads = true;
}
Result : PASS
---

================================================================================

Configuring TLS exceptions for so.com
---
TLSv1.3
ATS Dictionary:
{
    NSExceptionDomains =     {
        "so.com" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.3";
        };
    };
}
2018-12-11 15:36:01.690 nscurl[4102:692806] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9800)
Result : FAIL
Error  : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={_kCFStreamErrorCodeKey=-9800, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7ff1c2c16780 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9800, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9800}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://so.com/, NSErrorFailingURLStringKey=https://so.com/, _kCFStreamErrorDomainKey=3}
---

---
TLSv1.2
ATS Dictionary:
{
    NSExceptionDomains =     {
        "so.com" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.2";
        };
    };
}
Result : PASS
In the output, pick the configuration marked Result : PASS that gives the least away: the default ATS connection if it passes (as it does for so.com here, so no exception is needed at all), otherwise a per-domain exception with the highest passing TLS version, and NSAllowsArbitraryLoads only as a last resort. Keep in mind that the diagnostics only report whether a load succeeds from the Mac you run them on, for that one host, so repeat the check for every host the SDK talks to and re-run it whenever the server's TLS configuration changes.
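As an added example (not from the original post), here is a Python parser for the nscurl output above that lists every test block with its result and picks the least permissive configuration that passed, which is useful when an SDK talks to a dozen hosts and you want the answer per host without reading each report by eye. SAMPLE is the so.com run reproduced above as a constructed string (with the long UserInfo dictionary of the error trimmed); the permissiveness ranking is this example's own assumption, since nscurl only reports PASS or FAIL and does not rank anything.

```python
"""Added example (not from the original post): parse `nscurl --ats-diagnostics`
output and pick the least permissive configuration that passed.

Assumptions: SAMPLE is the so.com run from the post, reproduced as a constructed
string with the error's UserInfo trimmed; the PERMISSIVENESS ranking is this
example's own, not something nscurl reports.
"""

SAMPLE = """\
Starting ATS Diagnostics
Configuring ATS Info.plist keys and displaying the result of HTTPS loads to https://so.com.
A test will "PASS" if URLSession:task:didCompleteWithError: returns a nil error.
================================================================================
Default ATS Secure Connection
---
ATS Default Connection
ATS Dictionary:
{
}
Result : PASS
---
================================================================================
Allowing Arbitrary Loads
---
Allow All Loads
ATS Dictionary:
{
    NSAllowsArbitraryLoads = true;
}
Result : PASS
---
================================================================================
Configuring TLS exceptions for so.com
---
TLSv1.3
ATS Dictionary:
{
    NSExceptionDomains =     {
        "so.com" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.3";
        };
    };
}
2018-12-11 15:36:01.690 nscurl[4102:692806] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9800)
Result : FAIL
Error  : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made."
---
---
TLSv1.2
ATS Dictionary:
{
    NSExceptionDomains =     {
        "so.com" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.2";
        };
    };
}
Result : PASS
---
"""

# Lower score = less given away (assumption). Test names not listed, such as the
# forward-secrecy exceptions nscurl also tries, fall between the TLS tests and allow-all.
PERMISSIVENESS = (("Default", 0), ("TLSv1.3", 1), ("TLSv1.2", 2),
                  ("TLSv1.1", 3), ("TLSv1.0", 4), ("Allow All", 9))


def parse_diagnostics(text):
    """Return [{'name', 'ats', 'result'}, ...], one entry per test block."""
    lines = text.splitlines()
    tests, prev, i = [], "", 0
    while i < len(lines):
        line = lines[i]
        if line.strip() == "ATS Dictionary:":
            name = prev.strip()            # the test name is the line before the dictionary
            depth, ats_lines = 0, []
            i += 1
            while i < len(lines):          # copy the brace-balanced dictionary text
                ats_lines.append(lines[i])
                depth += lines[i].count("{") - lines[i].count("}")
                i += 1
                if depth == 0:
                    break
            while i < len(lines) and not lines[i].startswith("Result"):
                i += 1                     # skip CFNetwork log noise before the Result line
            result = lines[i].split(":", 1)[1].strip() if i < len(lines) else "UNKNOWN"
            tests.append({"name": name, "ats": "\n".join(ats_lines), "result": result})
        if line.strip():
            prev = line
        i += 1
    return tests


def rank(name):
    for needle, score in PERMISSIVENESS:
        if needle in name:
            return score
    return 5


def least_permissive_pass(text):
    """Return the passing test whose configuration gives away the least, or None."""
    passing = [t for t in parse_diagnostics(text) if t["result"] == "PASS"]
    return min(passing, key=lambda t: rank(t["name"]), default=None)


if __name__ == "__main__":
    for t in parse_diagnostics(SAMPLE):
        print(f"{t['result']:4} {t['name']}")
    best = least_permissive_pass(SAMPLE)
    print("use:", best["name"] if best else "nothing passed; check the server's TLS setup")
```

To use it on a real run, pipe the tool's output in: nscurl --ats-diagnostics --verbose URL > report.txt and pass the file contents to least_permissive_pass. The dictionary text of the chosen test is exactly what goes under NSAppTransportSecurity in Info.plist; if only "Allow All Loads" passes, fix the server rather than shipping that.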