Network security

Considering the amount of data that transits through the Internet, it is important to secure the connections between your application and your internet resources (your back-end server for example).

In this document we will show you how to configure your server and NeoMAD application to take into account the latest security requirements of the mobile platforms.

About ATS

From the Apple documentation:

“On Apple platforms, a networking security feature called App Transport Security (ATS) is available to apps and is enabled by default. It improves privacy and data integrity by ensuring your app’s network connections employ only industry-standard protocols and ciphers without known weaknesses. This helps instill user trust that your app does not accidentally leak transmitted data to malicious parties.”

This feature was introduced in iOS 9, and Apple has announced that it will enforce the policy, so ATS will become mandatory. To comply with ATS, your mobile application and its server side must follow the specific requirements described later in this document.

ATS requirements

To adopt ATS, your application connections and your application server side must follow a list of requirements (extracted from the Apple documentation):

  • The connections must use HTTPS (plain HTTP is not allowed)

  • The digital certificate of the server must follow the X.509 standard and meet at least one of the following trust requirements:

    • Issued by a certificate authority (CA) whose root certificate is incorporated into the operating system
    • Issued by a trusted root CA and installed by the user or a system administrator
  • The negotiated Transport Layer Security (TLS) version must be TLS 1.2. Attempts to connect without TLS/SSL protection, or with an older version of TLS/SSL, are denied by default.

  • The connection must use either the AES-128 or AES-256 symmetric cipher. The negotiated TLS connection cipher suite must support perfect forward secrecy (PFS) through Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) key exchange, and must be one of the following:

    • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • The leaf server certificate must be signed with one of the following types of keys:

    • Rivest-Shamir-Adleman (RSA) key with a length of at least 2048 bits
    • Elliptic-Curve Cryptography (ECC) key with a size of at least 256 bits

    In addition, the leaf server certificate hashing algorithm must be Secure Hash Algorithm 2 (SHA-2) with a digest length, sometimes called a “fingerprint,” of at least 256 (that is, SHA-256 or greater).

Future changes to these requirements will not break compatibility. Consult the Apple documentation for the latest version of the requirements.

Note

If an application adopts ATS but does not follow the requirements, the connections will not work and no data will be downloaded from your server (or your web page will not be displayed if you use a WebView). Be aware that the application will not crash and exceptions will not necessarily be thrown. If the connections do not work, double-check the ATS requirements!
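Because a non-compliant server fails silently on the device, it helps to check the negotiated session parameters before shipping. The following checker is an added example (not part of NeoMAD or the Apple documentation): it encodes the requirements listed above and reports every violation found. It assumes the TLS version and cipher name come in the form returned by Python's ssl module (e.g. "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256") and that the leaf certificate's key type, key size and signature hash have been extracted separately; the sample sessions at the bottom are constructed, not captured.

```python
import re

# Cipher suites accepted by ATS, exactly as listed on this page.
ATS_CIPHER_SUITES = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
}

def openssl_to_iana(name):
    """Map an OpenSSL cipher name (what ssl.SSLSocket.cipher() returns) to the
    IANA form used in the ATS list, e.g. ECDHE-RSA-AES128-SHA ->
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA. Other names are returned unchanged
    (and will therefore fail the suite check below)."""
    m = re.fullmatch(r"(ECDHE)-(ECDSA|RSA)-AES(128|256)-(GCM-)?(SHA\d*)", name)
    if not m:
        return name
    kx, auth, bits, gcm, mac = m.groups()
    return f"TLS_{kx}_{auth}_WITH_AES_{bits}_{'GCM' if gcm else 'CBC'}_{mac}"

def ats_violations(tls_version, cipher, key_type, key_bits, sig_hash):
    """Check one negotiated session against the ATS requirements.
    Returns a list of violations; an empty list means the session complies.
    key_type is 'RSA' or 'EC'; sig_hash is the leaf certificate's signature
    hash in lowercase (e.g. 'sha256')."""
    problems = []
    if tls_version != "TLSv1.2":
        problems.append(f"negotiated {tls_version}, ATS requires TLS 1.2")
    suite = openssl_to_iana(cipher)
    if suite not in ATS_CIPHER_SUITES:
        problems.append(f"cipher suite {suite} not in ATS list (needs ECDHE + AES)")
    minimum = {"RSA": 2048, "EC": 256}.get(key_type)
    if minimum is None:
        problems.append(f"leaf key type {key_type} is neither RSA nor ECC")
    elif key_bits < minimum:
        problems.append(f"{key_type} key of {key_bits} bits, ATS requires >= {minimum}")
    if sig_hash not in ("sha256", "sha384", "sha512"):
        problems.append(f"signature hash {sig_hash} is not SHA-2 with >= 256-bit digest")
    return problems

# Constructed sample sessions (not captured from a real server).
GOOD = ats_violations("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", "RSA", 2048, "sha256")
BAD = ats_violations("TLSv1.0", "AES128-SHA", "RSA", 1024, "sha1")
```

GOOD is an empty list; BAD lists four violations (old TLS, non-ECDHE suite, short key, SHA-1), which is what a server still on legacy settings typically shows.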

Supporting ATS with NeoMAD

Network security default configuration

ATS support is deactivated by default in NeoMAD. This means that, by default, the application can connect through raw HTTP to remote servers that do not meet the ATS requirements described in the section above. Keeping this default behaviour is strongly discouraged. Instead, the server(s) with which your application communicates should meet the requirements. If you don't fully control the remote server configuration or can't fulfil the requirements, you should still activate ATS and add the accessed domain(s) to the list of authorized domains using the exception mechanism described below. This way, you ensure that only the specified domain(s) are accessible through HTTP.

ATS Exceptions

If you need to communicate with servers that are not configured to accept HTTPS connections (but only HTTP), you will need to add exceptions in the URS file of your project through the httpAuthorizedDomains tag. In this tag you can specify a list of HTTP domains that the application is authorized to access. Samples of how to use this tag are listed in the section below.

ATS examples

Here are some examples on how to configure ATS in your application URS file.

Activate ATS to allow HTTPS connections only

If the server(s) you access fully meet the ATS requirements, simply activate ATS to benefit from the highest security level:

<?xml version="1.0"?>
<urs>
        <parameters>
                ...
        </parameters>

        <!-- Your application authorizes only HTTPS connections -->
        <httpAuthorizedDomains />
</urs>

Activate ATS to allow HTTP connections to specific domains only

You can also allow access on specific domains with HTTP, that you can list in the URS file:

<?xml version="1.0"?>
<urs>
        <parameters>
                ...
        </parameters>

        <!-- Your application can use HTTP to connect to the domains listed below -->
        <httpAuthorizedDomains>
                <!-- Allow connections to neomades.com and mydomain.com and their sub domains (e.g. sub.neomades.com) -->
                <domain>neomades.com</domain>
                <domain>mydomain.com</domain>
        </httpAuthorizedDomains>
</urs>

Deactivate ATS to allow any HTTP connection (default - discouraged)

If you want to allow access to any HTTP domain, don’t put the httpAuthorizedDomains tag in the URS:

<?xml version="1.0"?>
<urs>
        <parameters>
                ...
        </parameters>

        <!-- No httpAuthorizedDomains tag in the URS -->
</urs>

This practice is strongly discouraged, as it disables ATS for your application and allows unsecured connections.

ATS in WebView

If you use the WebView control in your user interface, you may need to connect to a remote server. In this case, exactly the same ATS rules apply. If the WebView needs to access resources through HTTP connections, you should declare the accessed domain(s) in the URS file as described above.

Apple App Store review for ATS

If you decide not to adopt ATS for your application, or choose to activate ATS while allowing HTTP connections to specific domains only, you will have to justify this in iTunes Connect when the application is prepared for publication.

Here are some examples of eligible justifications:

  • Must connect to a server managed by another entity that does not support secure connections
  • Must support connecting to devices that cannot be upgraded to use secure connections, and that must be accessed via public host names
  • App loads media content that is encrypted and that contains no personalized information

Note

Apple can be very meticulous when reviewing an application. We recommend always adopting ATS; if you can't, prepare a justification and consider allocating more time to the Apple application validation process.