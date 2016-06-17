Hacker News new | comments | show | ask | jobs | submit login
Apple Delays iOS SSL Requirement Indefinitely (apple.com)
84 points by mark-ruwt 8 hours ago | hide | past | web | 37 comments | favorite





The apps at my F50 employer are in no way compatible with these requirements, and getting all the VPs to care about this is unlikely to ever reach even the minimal level of concern. Of course this is sad and stupid and shortsighted but unless Apple enforces it and our apps were refused updates nothing will ever change.

It was always a nice way to force my customers to implement HTTPS, the threat of Apple rejecting or removing the app. It's pretty easy to implement and inexpensive so why people still don't do it is a complete mystery to me.

I think you also have to register with some US government body to obtain crypto export licenses yearly. Even if the app just uses the iOS https connection classes!

They probably just don't want to break a bunch of applications that haven't updated yet. It would be nice if they could make it a configurable option for those of us who don't use / care to use apps that are still not using HTTPS. "Allow Secure Connections Only" checkbox in Settings or something.

Having a configurable option to disable a security setting is a pretty bad idea. Users who don't know anything about security will just disable it forever the first time an app tells them to.

> Having a configurable option to disable a security setting is a pretty bad idea.

I think the proposal was to have a configurable option to enable an extra security lockdown, which would remain disabled by default.

I think you missed the idea, It could be temporary thing for a while, after a year or two and with continues beforehand notification, apple could disable non-secure connection apps definitely.

kind of like transition period.

No there shouldn't be a configurable setting; giving users a choice just creates problems; giving developers a way out just delays implementation.

As long as there is a way for an App to make non-SSL connection you'll have to run a non-SSL enabled endpoint; which in effect can put users at risk even if they haven't configured their own devices/apps to use it.

IMHO, it is not Apple's style to make such things configurable.

No, the original plan was only to apply the rule to newly updated apps anyway.

What was supposed to happen on January 1st: https://datatheorem.github.io/ios/ssl/2016/08/14/ats-enforce... .

"The overall approach the App Store review team will take when it comes to ATS exemptions was summed up on the Apple developer forums:

    “The goal here is to flush out those folks who, when ATS was first released, simply turned it off globally and moved on. That will no longer be allowed.”
Hence, for a given App going through the App Store review process:

* An easy policy to justify is to have NSAllowsArbitraryLoads disabled and a list of domain-specific exemptions for third-party domains the App connects to.

* A policy that will be harder to justify is to have NSAllowsArbitraryLoads enabled and a list of domain-specific “un-exemptions” for the domains you control.

* Lastly, a policy that will definitely trigger a rejection, as stated by Apple, is to have NSAllowsArbitraryLoads enabled with no additional ATS settings. "

Since most Apps are not compliant yet, the App Store review team would have had to review every justification for every App and make a decision on whether to allow the App on the Store or not.

I don't get why they're delaying this. My understanding was that fully disabling ATS would require a justification. That makes sense.

It's annoying to have to audit your apps and enumerate the endpoints, but as long as Apple didn't require justification for explicit domain exceptions, everything should've been fine.

> but as long as Apple didn't require justification for explicit domain exceptions

The previous plan was they they were going to require justification for every domain exception.

Further, they were going to require justification if you were already using HTTP Live Streaming... Apple's own protocol which is written to use AES encrypted segments over plain HTTP.

They were going to require justification for peer connections that have to jump through hoops to get URLSession recognize their self-signed certificates. This one in particular is still affecting one of my apps. It's not always possible to force peer certificates to be accepted, making HTTPS between peers very difficult (seemingly impossible) at times.

I'm not saying that these things can't be done but I think Apple underestimated the number of systems affected and the justifications and reasons involved. HTTPS is fundamentally not "everywhere", despite its prevalence in larger systems.

You really shouldn't do HTTPS if you can't complete the chain of trust with a peer.

If one is doing some multi-cast multi-tenant swarm stuff... why is the data private? It seems like a lot of people have access.

In my case, your peers are your friends. You use a pairing code (part of the SHA256 fingerprint) to accept the certificate (so you need to see the other person's screen and have agreement with the fingerprint) and then you can use indefinitely. It's great until the whole connection fails because some element in the system works with Certificate Authority certs-only – issues we're still working on and certainly won't be finished by Jan 1.

reply


The finger print is public. There is literally zero security in this system anyone can hijack it

reply


Public keys are public. Just because you don't understand cryptography doesn't make a system bad.

There's nothing magical about certificate authorities. There are many ways to establish secure connections without them.

That's not quite right. You will still have to justify every domain exception.

> By the end of 2016, when your apps communicate with your own server back ends, they must do so using a secure TLS channel using TLS 1.2, unless the data being communicated is bulk data such as media streaming and data that’s already encrypted.

https://nakedsecurity.sophos.com/2016/06/17/apple-ios-to-req...

How would ATS affect apps which don't just talk to one server of the developer of that app? What if an app should talk directly over wifi to a device in your local home network via HTTP? Or to a system that each company who buys it hosts on their own and in the app the customer has to supply that hostname or IP in order to connect?

Would ATS have enforced that there could only be a few centralized cloud servers?

And can I simply bypass ATS by linking in curl+openssl?

Are iOS apps even allowed to open raw TCP sockets?

> How would ATS affect apps which don't just talk to one server of the developer of that app? What if an app should talk directly over wifi to a device in your local home network via HTTP?

iOS 10 adds the key NSAllowsLocalNetworking which disables ATS for "connections to unqualified domains and to .local domains". So this can continue to work.

However, treating local networks as secure isn't generally a good design! If the home network has an open Wi-Fi hotspot, or a WPA hotspot with WPS PIN enabled or where the attacker knows or can bruteforce the password (and in many other cases), it is possible to sniff other users' traffic. Instead of using an unencrypted connection, whether HTTP or otherwise, you should design the initial pairing process between the app and the device to set up encryption keys. For HTTPS this can be in the form of having the device generate a self-signed certificate and send it to the app to use as a custom root. You need some sort of pairing or setup process anyway for the device to know how to connect to the user's network, so you might as well do security properly.

> Or to a system that each company who buys it hosts on their own and in the app the customer has to supply that hostname or IP in order to connect?

In that case you should probably just require the companies to have a domain and a certificate for it; build in Let's Encrypt support if you want.

> And can I simply bypass ATS by linking in curl+openssl?

From a technical perspective, yes, though I can't say whether Apple would reject an app because of it.

> Are iOS apps even allowed to open raw TCP sockets?

Yes.

Apple's own services make extensive use of plaintext HTTP. Even if they're only doing so in ways that are safe (due to other application layer encryption mechanisms like in iMessage) it's hypocritical for them to enforce a requirement on 3rd parties that they themselves cannot meet.

reply


Can you give an example of this? I've been using charles proxy for various tasks a bunch on my iPhone, and so far it seems that all the calls to Apple that I've noticed are HTTPS.

reply


Use little snitch on your mac OS computer, you'll see all sorts of port 80 connections to things like mzstatic.com and so on.

reply


Glad to see this. I'm about to release a new version of my app (a news reader, which makes extensive use of webviews), and I was sweating about this. I don't control any of the news sites that we interface with, and I was surprised to see that most don't support SSL.

While we could request exceptions for every single one, this would require updating the app every time we enable a new HTTP site through our back-end. I was not looking forward to this, and I wondered how many others were similarly dreading the transition.

On a related note, does anyone know how Firefox, Chrome, or other browsers are handling this? Don't they need to have a universal exception for HTTP, which is not supposed to be allowed under the new rule?

Apple introduced an ATS exemption specifically designed for the browse-to-any-website-in-a-webview use case. You can also use the Safari ViewController which doesn't enforce ATS (by design). Hence you don't need to list all these third party domains in your Info.plist.

Unfortunately, the Safari ViewController doesn't do everything that the old UIWebView and WKWebView did. I think in our case we needed to be able to increment the cache size (to be compatible with Kindle Cloud reader), and this was only available on UIWebView. I could be mistaken here, and regardless I hope the Safari ViewController is updated to support this feature.

Forgive me if I've misused terminology here—I'm the non-technical founder—so my understanding of why we couldn't use the Safari WebView (which I assume is the same or closely related to what you referenced) is a bit fuzzy. All I know for sure was that our dev team was not looking forward to pleading for ATS exceptions.

The title at the time of posting reads: "Apple Delays iOS SSL Requirement Indefinitely."

"Indefinitely" while technically accurate also implies "unlimited period of time." The article says there will be a deadline, it just hasn't been determined as of yet.

A better title may be "Apple Delays iOS TLS App Requirement." Just simply chop off the word "indefinitely." And throw in App to differentiate it from a e.g. Safari TLS requirement. Also TLS instead of SSL.

You should email this stuff to the mods since they don't read every post. It's definitely a confusing title.

Indefinitely means "for an unlimited or unspecified period of time".

http://www.dictionary.com/browse/indefinitely

reply


I know. Which is why my post reads:

> "Indefinitely" while technically accurate also implies "unlimited period of time."

It has two meanings. But is more often used to mean unlimited period of time.

Yep I read the title and assumed that the first meaning was meant.

Speaking of Transport Security, last night I got bitten by the removal of OpenSSL headers in Xcode in favor of their own "-framework security" aka Secure Transport.

Apple has had deprecated on the OpenSSL headers for a couple of releases now...

I think at least NSURLSession is forcing HTTPS currently.

reply


You can disable that by adding a key to your Info.plist.

They mean at the App Store submission point. In January, they were going to start rejecting apps that didn't provide a justification for completely disabling ATS.

I expect the likes of Facebook, Microsoft to already be ATS-ready. But it has been my experience that Unreal Engine 4 and Unity are not. Its probably the big game makers of the App Store that are influencing this delay.

reply


Try media companies. We have been working to make our television companion apps ATS-compliant. All our advertising / analytics / streaming endpoints had to be HTTPS. We ended up with a list of dozens of domains from over 10 external companies (mostly related to video ads / streams) that still had to be made available over HTTPS, or we'd have to get exemptions for those domains.

We're still going on with our efforts to make everything go over HTTPS always, but this does take the pressure off a little. We were really fearing not being able to submit updates in early 2017 because of ATS.

