iOS App Transport Security in dev environments
App Transport Security, introduced with iOS 9, is a great step towards improving the security of all apps by forcing use of HTTPS for network connections.
It is possible to opt out for legacy applications - and sadly many are opting out right now1. However, I think that in time this will change as security readiness catches up. I don’t believe there are many excuses for using HTTP now, and the list is getting even shorter with the impending launch of Let’s Encrypt. That’s great for production, but what about other environments?
$WORK I’m recommending HTTPS be used as standard, even for internal or prototype systems.
However, one thing that remains awkward is local development servers and iOS Simulator. You can set up SSL for a local server quite easily, and you should (for better production parity). However, I suspect that many developers will find it too much of a burden in the short term.
I worry that many will reach for the nuclear option of disabling ATS altogether through use of
NSAllowsArbitraryLoads - but that is the wrong solution. It’s quite likely that this would end up just getting left in for production, defeating the purpose of ATS.
A safer whitelist
I think, right now, a better approach is to whitelist specific entries you need for development, starting with localhost. That way, the risk caused by whitelisted domains ending up in production is greatly diminished.
There are apparently enhancement request radars open with Apple to make localhost be whitelisted by default, but for now, the following addition to
Info.plist will do the trick:
<key>NSAppTransportSecurity</key> <dict> <key>NSExceptionDomains</key> <dict> <key>localhost</key> <dict> <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key> <true/> </dict> </dict> </dict>
Of the big names mentioned in Nobody is using App Transport Security; what’s next?, I bet many are using their own mechanisms, including certificate pinning, to achieve better security. Just because you see Facebook, Google and Microsoft in this list, it’s perhaps premature to assume they’re not well protected via other avenues.↩