2015-09-28

iOS App Transport Security in dev environments

App Transport Security, introduced with iOS 9, is a great step towards improving the security of all apps by forcing use of HTTPS for network connections.

It is possible to opt out for legacy applications - and sadly many are opting out right now1. However, I think that in time this will change as security readiness catches up. I don’t believe there are many excuses for using HTTP now, and the list is getting even shorter with the impending launch of Let’s Encrypt. That’s great for production, but what about other environments?

At $WORK I’m recommending HTTPS be used as standard, even for internal or prototype systems.

However, one thing that remains awkward is local development servers and iOS Simulator. You can set up SSL for a local server quite easily, and you should (for better production parity). However, I suspect that many developers will find it too much of a burden in the short term.

I worry that many will reach for the nuclear option of disabling ATS altogether through use of NSAllowsArbitraryLoads - but that is the wrong solution. It’s quite likely that this would end up just getting left in for production, defeating the purpose of ATS.

A safer whitelist

I think, right now, a better approach is to whitelist specific entries you need for development, starting with localhost. That way, the risk caused by whitelisted domains ending up in production is greatly diminished.

There are apparently enhancement request radars open with Apple to make localhost be whitelisted by default, but for now, the following addition to Info.plist will do the trick:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>localhost</key>
        <dict>
            <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
</dict>

  1. Of the big names mentioned in Nobody is using App Transport Security; what’s next?, I bet many are using their own mechanisms, including certificate pinning, to achieve better security. Just because you see Facebook, Google and Microsoft in this list, it’s perhaps premature to assume they’re not well protected via other avenues.


iOS security


Previous post
GPG and SSH with Yubikey for Mac Yubikey Neo The Yubikey Neo [affiliate] is a great, inexpensive security device that supports Universal 2nd Factor authentication to web services
Next post
Practical direnv is a nifty little shell tool I came across recently which looks extremely useful for developers who work across multiple languages or projects.