App Transport Security

With the launch of iOS 9, Apple added a new layer of security for communication between an app and its web services. If you create any connection using NSURLConnection or NSURLSession on iOS 9, App Transport Security applies by default and rejects insecure connections. In many places I read that web servers should use HTTPS, but is it just HTTPS?

Apple has a very detailed document on this; the key requirements from it are summarized below.
https://developer.apple.com/library/prerelease/ios/technotes/App-Transport-Security-Technote/index.html

  • The server must support at least Transport Layer Security (TLS) 1.2.
  • Connection cipher suites must provide forward secrecy.
  • Certificates must be signed with SHA-256 or better, with keys of at least 2048 bits for RSA or 256 bits for Elliptic Curve.

Now the question arises: how can I check App Transport Security compatibility for my web services?

Using CURL

Using curl in the terminal we can get some information about this.

Yes, using curl you can get some information about the TLS configuration and the server, as shown above. Let's match it against the checklist provided by Apple.

  1. In the case above, the output tells us that GitHub is using TLS 1.2, which satisfies the first requirement of App Transport Security.
  2. It also tells us the cipher suite: GitHub is using “TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256”, which is in the list of cipher suites that Apple accepts for App Transport Security.

Following is the list of cipher suites that Apple accepts:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

  3. The third and last requirement is the use of SHA-256 or better, with at least 2048 bits for RSA or 256 bits for Elliptic Curve keys. Here the Server certificate field provides that information.
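To turn the three checks above into something repeatable, here is a small checker I added for this post (it is not code from the original page or from Apple). It parses the kind of output curl -v prints for the TLS version and cipher suite, and the output of `openssl x509 -noout -text` for the certificate's signature algorithm and key size, then applies Apple's three requirements using the cipher list given above. The two curl samples and two certificate excerpts are constructed for illustration, not real captures; the hostnames legacy.example and the 192.0.2.x addresses are placeholders. The checker handles both the macOS curl line format (“TLS 1.2 connection using TLS_…”, IANA suite names) and the Linux/OpenSSL format (“SSL connection using TLSv1.2 / ECDHE-…”, OpenSSL suite names), which it converts to IANA names before comparing; that conversion is my own and covers the AES suites only.

```python
import re

# Cipher suites Apple accepts for ATS, as listed on the page (IANA names).
# Every one of them uses ECDHE key exchange, which is what gives forward secrecy.
ATS_CIPHERS = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
}

# Constructed sample (not a real capture): curl -v on macOS (Secure Transport
# backend) against a server that meets all three requirements.
SAMPLE_CURL_MACOS = """\
* Connected to www.github.com (192.0.2.1) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
* Server certificate: github.com
* Server certificate: DigiCert SHA2 High Assurance Server CA
"""

# Constructed sample (not a real capture): curl -v on Linux (OpenSSL backend)
# against a legacy server using plain RSA key exchange, i.e. no forward secrecy.
SAMPLE_CURL_LINUX = """\
* Connected to legacy.example (192.0.2.2) port 443 (#0)
* SSL connection using TLSv1.2 / AES128-SHA
* Server certificate:
*      subject: CN=legacy.example
"""

# Constructed excerpts of `openssl x509 -noout -text` for the two certificates.
SAMPLE_CERT_OK = """\
    Signature Algorithm: sha256WithRSAEncryption
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
"""
SAMPLE_CERT_SHA1 = """\
    Signature Algorithm: sha1WithRSAEncryption
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
"""


def openssl_to_iana(name):
    """Map an OpenSSL suite name (what Linux curl prints) to the IANA name used in
    Apple's list. Handles the AES suites; IANA names and unknown names pass through."""
    if name.startswith("TLS_"):
        return name
    parts = name.split("-")
    if len(parts) < 4 or not parts[2].startswith("AES"):
        return name
    kx, auth, key_bits = parts[0], parts[1], parts[2][3:]
    mode = "GCM" if "GCM" in parts else "CBC"   # OpenSSL omits "CBC" from the name
    return f"TLS_{kx}_{auth}_WITH_AES_{key_bits}_{mode}_{parts[-1]}"


def parse_curl_verbose(text):
    """Return (tls_version, iana_cipher) from curl -v output, or (None, None)."""
    m = re.search(r"\* TLS (\d\.\d) connection using (\S+)", text)            # macOS curl
    if not m:
        m = re.search(r"\* SSL connection using TLSv(\d(?:\.\d)?) / (\S+)", text)  # OpenSSL curl
    if not m:
        return None, None
    return m.group(1), openssl_to_iana(m.group(2))


def parse_cert_text(text):
    """Return (signature_algorithm, key_algorithm, key_bits) from openssl x509 -text output."""
    sig = re.search(r"Signature Algorithm: (\S+)", text)
    alg = re.search(r"Public Key Algorithm: (\S+)", text)
    bits = re.search(r"Public-Key: \((\d+) bit\)", text)
    return (sig and sig.group(1), alg and alg.group(1), bits and int(bits.group(1)))


def ats_check(curl_out, cert_text):
    """Apply the three ATS requirements and return a dict of findings."""
    version, cipher = parse_curl_verbose(curl_out)
    sig, alg, bits = parse_cert_text(cert_text)
    sha = re.search(r"sha(\d+)", sig or "", re.I)      # sha256WithRSA, ecdsa-with-SHA384, sha1WithRSA...
    if alg and "rsa" in alg.lower():
        key_ok = bits is not None and bits >= 2048
    elif alg and "ec" in alg.lower():                 # id-ecPublicKey
        key_ok = bits is not None and bits >= 256
    else:
        key_ok = False
    findings = {
        "tls_version": version, "cipher": cipher, "signature": sig,
        "key_algorithm": alg, "key_bits": bits,
        "tls_1_2_or_better": version is not None and float(version) >= 1.2,
        "cipher_accepted": cipher in ATS_CIPHERS,
        "sig_sha256_or_better": bool(sha) and int(sha.group(1)) >= 256,
        "key_size_ok": key_ok,
    }
    findings["passes"] = all(findings[k] for k in
                             ("tls_1_2_or_better", "cipher_accepted",
                              "sig_sha256_or_better", "key_size_ok"))
    return findings


if __name__ == "__main__":
    for label, curl_out, cert in (("www.github.com sample", SAMPLE_CURL_MACOS, SAMPLE_CERT_OK),
                                  ("legacy.example sample", SAMPLE_CURL_LINUX, SAMPLE_CERT_SHA1)):
        result = ats_check(curl_out, cert)
        print(label, "->", "PASS" if result["passes"] else "FAIL", result)
```

To run it against a real host, feed it the stderr of `curl -v https://host/` and the output of `openssl s_client -connect host:443 </dev/null | openssl x509 -noout -text`; the second sample shows the kind of result that the SHA-1 warning in the next section corresponds to, with the signature, key size and cipher suite all flagged.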

Using an online tool

Apart from the terminal method, you can also test the TLS configuration of a site or web service using an online tool such as https://www.ssllabs.com/ssltest/index.html

Let’s try “https://www.github.com”

It shows an overall rating of A+ here, without any warning such as

“Certificate uses a weak signature. When renewing, ensure you upgrade to SHA2.”

or

“Signature algorithm SHA1withRSA WEAK”

If such warnings are present, the service will not pass the App Transport Security checks and the request will fail in the application.

So, this is how we can check whether any web service URL is acceptable to App Transport Security in iOS 9.

For more information: