Richard North’s Blog

iOS App Transport Security in dev environments

App Transport Security (ATS), introduced with iOS 9, is a great step towards improving the security of all apps: it requires HTTPS (with modern TLS) for network connections made through the system URL-loading APIs.

It is possible to opt out for legacy applications - and sadly many are opting out right now[^1]. However, I think that in time this will change as security readiness catches up. I don't believe there are many excuses for using HTTP now, and the list is getting even shorter with the impending launch of Let's Encrypt. That's great for production, but what about other environments?

At $WORK I'm recommending HTTPS be used as standard, even for internal or prototype systems.

However, one thing that remains awkward is local development servers and the iOS Simulator. You can set up TLS for a local server quite easily, and you should (for better production parity). However, I suspect that many developers will find it too much of a burden in the short term.

I worry that many will reach for the nuclear option of disabling ATS altogether through use of NSAllowsArbitraryLoads - but that is the wrong solution. It's quite likely that this would end up just getting left in for production, defeating the purpose of ATS.

A safer whitelist

I think, right now, a better approach is to whitelist only the specific entries you need for development, starting with localhost. That way, if a whitelisted entry does end up in production, the damage is limited to that one host rather than to every connection the app makes.

There are apparently enhancement request radars open with Apple to make localhost be whitelisted by default, but for now, the following addition to Info.plist (inside the top-level dict) will do the trick:

<key>NSAppTransportSecurity</key>
<dict>
	<key>NSExceptionDomains</key>
	<dict>
		<key>localhost</key>
		<dict>
			<!-- NSExceptionAllowsInsecureHTTPLoads is the documented key name;
			     the NSTemporaryExceptionAllowsInsecureHTTPLoads spelling from
			     the iOS 9 betas is also still accepted. -->
			<key>NSExceptionAllowsInsecureHTTPLoads</key>
			<true/>
		</dict>
	</dict>
</dict>
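The argument above is really a policy: localhost may be excepted, nothing else may, and NSAllowsArbitraryLoads must never ship. As an added example (not code from the original post), here is a small release-time check that enforces that policy with Python's standard plistlib: it parses an Info.plist and reports any global ATS disable or any weakened exception domain other than an allowed development host. The allowed-host list, the two embedded plists and the host names api.example.com and cdn.example.com in them are constructed for the demonstration.

```python
"""Flag ATS exceptions in an Info.plist that should not ship in a release build.

Added example for this post, not the author's code.  Standard library only;
the allowed-host default and the sample plists below are assumptions made
for the demonstration.
"""
import plistlib
import sys

# Either key permits plain HTTP for an exception domain: the NSTemporary...
# spelling comes from the iOS 9 betas and is still accepted, so check both.
INSECURE_HTTP_KEYS = (
    "NSExceptionAllowsInsecureHTTPLoads",
    "NSTemporaryExceptionAllowsInsecureHTTPLoads",
)
WEAK_TLS_VERSIONS = {"TLSv1.0", "TLSv1.1"}


def audit_ats(info_plist: bytes, allowed_domains=frozenset({"localhost"})):
    """Return a list of findings; an empty list means the ATS config is clean.

    allowed_domains: hosts whose exceptions are tolerated (localhost for the
    iOS Simulator talking to a local development server).
    """
    ats = plistlib.loads(info_plist).get("NSAppTransportSecurity", {})
    findings = []

    # The "nuclear option": every connection the app makes may use plain HTTP.
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads is true: ATS disabled globally")

    for domain, settings in ats.get("NSExceptionDomains", {}).items():
        if domain.lower() in allowed_domains:
            continue  # development-only host, tolerated by policy
        if any(settings.get(key) for key in INSECURE_HTTP_KEYS):
            findings.append(f"{domain}: plain HTTP permitted")
        if settings.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"{domain}: forward secrecy not required")
        if settings.get("NSExceptionMinimumTLSVersion") in WEAK_TLS_VERSIONS:
            findings.append(f"{domain}: minimum TLS lowered to "
                            f"{settings['NSExceptionMinimumTLSVersion']}")
    return findings


# Constructed sample: the localhost-only whitelist from the post (clean).
DEV_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>localhost</key>
      <dict><key>NSExceptionAllowsInsecureHTTPLoads</key><true/></dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Constructed sample: development shortcuts that leaked into a release build.
LEAKED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>api.example.com</key>
      <dict>
        <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSIncludesSubdomains</key><true/>
      </dict>
      <key>cdn.example.com</key>
      <dict>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
        <key>NSExceptionRequiresForwardSecrecy</key><false/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

if __name__ == "__main__":
    # With no arguments audit the two samples; otherwise audit the Info.plist
    # files named on the command line.  Exit 1 on any finding so CI fails.
    sources = {p: open(p, "rb").read() for p in sys.argv[1:]} or {
        "DEV_PLIST": DEV_PLIST, "LEAKED_PLIST": LEAKED_PLIST}
    failed = False
    for name, data in sources.items():
        for finding in audit_ats(data):
            print(f"{name}: {finding}")
            failed = True
    sys.exit(1 if failed else 0)
```

Run it against the built app's Info.plist (`python ats_check.py Build/Products/Release-iphoneos/MyApp.app/Info.plist`) as a release-build step; the localhost exception passes, while an NSAllowsArbitraryLoads left over from development, or an exception for a real host, fails the build.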

[^1]: Of the big names mentioned in Nobody is using App Transport Security; what's next?, I bet many are using their own mechanisms, including certificate pinning, to achieve better security. Just because you see Facebook, Google and Microsoft in this list, it's perhaps premature to assume they're not well protected via other avenues.
