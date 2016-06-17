reply
I think the proposal was to have a configurable option to enable an extra security lockdown, which would remain disabled by default.
kind of like transition period.
As long as there is a way for an App to make non-SSL connection you'll have to run a non-SSL enabled endpoint; which in effect can put users at risk even if they haven't configured their own devices/apps to use it.
"The overall approach the App Store review team will take when it comes to ATS exemptions was summed up on the Apple developer forums:
“The goal here is to flush out those folks who, when ATS was first released, simply turned it off globally and moved on. That will no longer be allowed.”
* An easy policy to justify is to have NSAllowsArbitraryLoads disabled and a list of domain-specific exemptions for third-party domains the App connects to.
* A policy that will be harder to justify is to have NSAllowsArbitraryLoads enabled and a list of domain-specific “un-exemptions” for the domains you control.
* Lastly, a policy that will definitely trigger a rejection, as stated by Apple, is to have NSAllowsArbitraryLoads enabled with no additional ATS settings.
"
Since most Apps are not compliant yet, the App Store review team would have had to review every justification for every App and make a decision on whether to allow the App on the Store or not.
It's annoying to have to audit your apps and enumerate the endpoints, but as long as Apple didn't require justification for explicit domain exceptions, everything should've been fine.
The previous plan was they they were going to require justification for every domain exception.
Further, they were going to require justification if you were already using HTTP Live Streaming... Apple's own protocol which is written to use AES encrypted segments over plain HTTP.
They were going to require justification for peer connections that have to jump through hoops to get URLSession recognize their self-signed certificates. This one in particular is still affecting one of my apps. It's not always possible to force peer certificates to be accepted, making HTTPS between peers very difficult (seemingly impossible) at times.
I'm not saying that these things can't be done but I think Apple underestimated the number of systems affected and the justifications and reasons involved. HTTPS is fundamentally not "everywhere", despite its prevalence in larger systems.
If one is doing some multi-cast multi-tenant swarm stuff... why is the data private? It seems like a lot of people have access.
There's nothing magical about certificate authorities. There are many ways to establish secure connections without them.
> By the end of 2016, when your apps communicate with your own server back ends, they must do so using a secure TLS channel using TLS 1.2, unless the data being communicated is bulk data such as media streaming and data that’s already encrypted.
https://nakedsecurity.sophos.com/2016/06/17/apple-ios-to-req...
Would ATS have enforced that there could only be a few centralized cloud servers?
And can I simply bypass ATS by linking in curl+openssl?
Are iOS apps even allowed to open raw TCP sockets?
iOS 10 adds the key NSAllowsLocalNetworking which
disables ATS for "connections to unqualified domains and to .local domains". So this can continue to work.
However, treating local networks as secure isn't generally a good design! If the home network has an open Wi-Fi hotspot, or a WPA hotspot with WPS PIN enabled or where the attacker knows or can bruteforce the password (and in many other cases), it is possible to sniff other users' traffic. Instead of using an unencrypted connection, whether HTTP or otherwise, you should design the initial pairing process between the app and the device to set up encryption keys. For HTTPS this can be in the form of having the device generate a self-signed certificate and send it to the app to use as a custom root. You need some sort of pairing or setup process anyway for the device to know how to connect to the user's network, so you might as well do security properly.
> Or to a system that each company who buys it hosts on their own and in the app the customer has to supply that hostname or IP in order to connect?
In that case you should probably just require the companies to have a domain and a certificate for it; build in Let's Encrypt support if you want.
> And can I simply bypass ATS by linking in curl+openssl?
From a technical perspective, yes, though I can't say whether Apple would reject an app because of it.
> Are iOS apps even allowed to open raw TCP sockets?
Yes.
While we could request exceptions for every single one, this would require updating the app every time we enable a new HTTP site through our back-end. I was not looking forward to this, and I wondered how many others were similarly dreading the transition.
On a related note, does anyone know how Firefox, Chrome, or other browsers are handling this? Don't they need to have a universal exception for HTTP, which is not supposed to be allowed under the new rule?
Forgive me if I've misused terminology here—I'm the non-technical founder—so my understanding of why we couldn't use the Safari WebView (which I assume is the same or closely related to what you referenced) is a bit fuzzy. All I know for sure was that our dev team was not looking forward to pleading for ATS exceptions.
"Indefinitely" while technically accurate also implies "unlimited period of time." The article says there will be a deadline, it just hasn't been determined as of yet.
A better title may be "Apple Delays iOS TLS App Requirement." Just simply chop off the word "indefinitely." And throw in App to differentiate it from a e.g. Safari TLS requirement. Also TLS instead of SSL.
http://www.dictionary.com/browse/indefinitely
> "Indefinitely" while technically accurate also implies "unlimited period of time."
It has two meanings. But is more often used to mean unlimited period of time.
They mean at the App Store submission point. In January, they were going to start rejecting apps that didn't provide a justification for completely disabling ATS.
We're still going on with our efforts to make everything go over HTTPS always, but this does take the pressure off a little. We were really fearing not being able to submit updates in early 2017 because of ATS.
