关于iOS9中的App Transport Security相关说明及适配
2016-03-10 18:01
423 查看
App Transport Security App Transport Security (ATS) enforces best practices in the secure connections between an app and its back end. ATS prevents accidental disclosure, provides secure default behavior, and is easy to adopt; it is also on by default in iOS 9 and OS X v10.11. You should adopt ATS as soon as possible, regardless of whether you’re creating a new app or updating an existing one. If you’re developing a new app, you should use HTTPS exclusively. If you have an existing app, you should use HTTPS as much as you can right now, and create a plan for migrating the rest of your app as soon as possible. In addition, your communication through higher-level APIs needs to be encrypted using TLS version 1.2 with forward secrecy. If you try to make a connection that doesn‘t follow this requirement, an error is thrown. If your app needs to make a request to an insecure domain, you have to specify this domain in your app‘s Info.plistfile |
App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your
app‘s Info.plist file.
系统会告诉我们不能直接使用HTTP进行请求,需要在Info.plist新增一段用于控制ATS的配置:
<key>NSAppTransportSecurity</key><dict> <key>NSAllowsArbitraryLoads</key> <true/></dict>
也即:
这段配置中的NSAppTransportSecurity是ATS配置的根节点,配置了节点表示告诉系统要走自定义的ATS设置。而NSAllowsAritraryLoads节点则是控制是否禁用ATS特性,设置YES就是禁用ATS功能。
直到前面的配置可以完美的适配iOS9了,但是如果你想遵循苹果给出的标准,让自己的数据更加安全,那么需要继续往下看。
其实ATS并不单单针对HTTP进行了限制,而是对HTTPS也有一定的要求,以百度的地址为例,如果在App中请求https://baidu.com的话,是会收到如下的错误信息:
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)
查阅了一下官方资料(https://developer.apple.com/library/prerelease/ios/technotes/App-Transport-Security-Technote/),发现HTTPS的请求需要满足下面的要求:
These are the App Transport Security requirements: The protocol Transport Security Layer (TLS) must be at least version 1.2. Connection ciphers are limited to those that provide forward secrecy (see the list of ciphers below.) Certificates must use at least an SHA256 fingerprint with either a 2048 bit or greater RSA key, or a 256 bit or greater Elliptic-Curve (ECC) key. |
支持Forward Secrecy的加密方式TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |
可以看到它使用了TLS 1.2版本协议,符合第一个约定。然后可以看到使用AES_128_GCM进行加密,并使用ECDHE_RSA作为密钥交换机制的,我们可以在Forward
Secrecy的列表中找到对应两条记录:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
但是还不能确定百度是否提供Forward
Secrecy,我们再点开证书信息,查看“签发者名称”和“公共密钥信息”两项,如图:
看到签名算法中写着“带RSA加密的SHA-1”。可以判定该加密算法不包含在上面两项中。因此百度是一个不符合ATS的要求,所以返回了错误。这时候,如果要解决这样的问题,同样需要对ATS进行配置。配置如下:
<key>NSAppTransportSecurity</key> <dict> <key>NSExceptionDomains</key> <dict> <key>baidu.com</key> <dict> <key>NSIncludesSubdomains</key> <true/> <key>NSExceptionRequiresForwardSecrecy</key> <false/> <key>NSExceptionAllowsInsecureHTTPLoads</key> <true/> </dict> </dict> </dict>
其中NSIncludesSubdomains设置为YES表示百度的子级域名都使用相同设置。NSExceptionRequiresForwardSecrecy为NO由于百度不支持ForwardSecrecy,因此屏蔽掉改功能。最后NSExceptionAllowInsecureHTTPLoads设置为YES,则表示允许访问没有证书或者是自签名、过期、主机名不匹配的证书引发的错误的域名(这里检查过百度的证书貌似没有什么问题,但是还是需要设置此项才允许访问)。
相关文章推荐
- Android中ColorMatrix的学习
- Android ListView与Button的显示
- Dagger2在Android studio中的配置与简单使用
- iOS开发之自定义导航栏返回按钮右滑返回手势失效的解决
- android实现自定义RelativeLayout可拖动、缩放、旋转TextView-更新版
- Android 在 LinearLayout 添加分割线 divider
- Android IPC机制 开启多进程
- 动态排序小程序
- iOS URL Schemes白名单配置
- 倍数提高工作效率的Android Studio奇技
- Android模拟iOS的PickerView并且附带全国所有省城市地区三级目录
- Android中利用volley同时上传文件和文本参数
- codeforces 416B. Appleman and Tree 树形dp
- android activiy判断当前activiy是不是前台显示的。
- Android 登陆界面
- 如何判断微信内置浏览器
- Android:常用代码片段整理
- iOS ViewController的生命周期分析和使用
- iOS 排序算法总结、二分法查找
- iOS开发-事件传递响应链