App Transport Security: What, Why, How?
In this talk, I answer all your questions about App Transport Security: What is it? Why does it matter? How do you make your server compatible with it, and how do you configure your app to talk to non-compliant servers? Which other apps are using ATS? How does it work alongside other security strategies, like using plain old HTTPS or certificate pinning?
This talk was given at Ann Arbor CocoaHeads in January 2016.
- A screen recording of the presentation, with audio, is avilable on Vimeo.
- The slides are available in PDF, or with presenters’ notes in Markdown format, prepared for Deckset.
- The initial outline and other materials are available on GitHub: cdzombak/app-transport-security-talk-jan-2016. Note that as I created slides for this talk, I rearranged and cut some material from the outline.
I’d like to note some topics that came up in Q&A and provide additional thoughts & context.
If I use certificate pinning, can I also use App Transport Security?
Yes. As long as the certificate you’re pinning came from a trusted certificate authority, it will satisfy App Transport Security’s rules, and you are free to perform additional checks, like verifying that the certificate is the one you expect. App Transport Security doesn’t stop you from performing additional validation; it only stops you from using self-signed certificates, or other certificates that iOS cannot verify are trustworthy.
Additional reading on certificate pinning: HTTP Public Key Pinning; Certificate and Public Key Pinning.
Are there performance implications due to using TLS everywhere?
It seems like a lot of these debugging, testing, and deployment issues could be vastly improved.
Yes. Apple has provided the bare minimum possible in documentation and tooling around App Transport Security. Specifically:
- Working with ATS keys in
Info.plistin Xcode is cumbersome at best; autocomplete doesn’t work for them.
- Core Foundation Networking diagnostic logs are painful to read and it’s difficult to find out which log entries apply to a specific failed request.
- It is difficult to turn App Transport Security on or to modify ATS settings for specific builds, which could allow for faster development, debugging, testing, and verification. Bonus points if this could be automated by CI systems.
- App Transport Security was discussed at one WWDC session and Apple has barely talked about it since then.
- Apple released one technical note on ATS, which has since been pulled from the website. That meager documentation has been rolled into Apple’s documentation for
Info.plistkeys; links to the old technote redirect here.
@cdzombak crushing it at a packed house for Ann Arbor #CocoaHeads pic.twitter.com/AhpulEJcIc— Kevin Vitale (@vitalekj) January 15, 2016
September 18, 2015: “Nobody is using App Transport Security; what’s next?”
As always, I welcome discussion and feedback; I’m @cdzombak on Twitter.