Friday, December 11, 2015

Apple enforcing HTTPS connections using TLS v1.2

In iOS 9, Apple has implemented a new security feature called as ATS (App Transport Security), which is enabled by default.

So what is ATS? In simple words, ATS enforces all HTTP requests to be made on SSH - i.e. any API call your app makes to the backend servers must be on HTTPS. If you want to make an unsecured HTTP call, then you have to explicitly list down those exceptions in your Infoplist file.

ATS also enforces the latest protocol version of TLS - i.e. Transport Layer Security version 1.2. This can cause issues if your server is using HTTPS, but an older version of TLS. In such cases, you have two options - either upgrade your server to use the latest TLS protocol or add an exception to your app for these URLs.

More details on ATS can be found here