With the goal of enforcing best practices for secure network connections, iOS 9 introduces new security requirements and behavior with its new App Transport Security (ATS) feature.
If you are not planning to recompile your apps with Apple’s iOS 9 SDK (or Xcode 7), you do not need to make any changes. But if you do recompile your app, not following the new security requirements will result in connection failures.
To comply with the iOS 9 ATS security requirements, your app network communication must:
(Source: iOS 9 documentation)
- The server must support at least Transport Layer Security (TLS) protocol version 1.2. This is the default behavior.
- Connection ciphers are limited to those that provide forward secrecy (see App Transport Security documentation).
- Certificates must be signed using a SHA256 or better signature hash algorithm, with either a 2048 bit or greater RSA key or a 256 bits or greater Elliptic-Curve (ECC) key.
- Invalid certificates result in a hard failure and no connection.
If your app’s network communication is not ATS compliant, you can define security exceptions in the meantime. Keep in mind this affects both direct and indirect (third-party) network communications within your app. There are two approaches to defining security exceptions via your app’s Info.plist
.
- The first approach is to disable the ATS feature completely.
- The second approach is to explicitly define exceptions for each domain. This can be tricky since you must know all direct and indirect HTTPS calls made by your app and failing to include a given domain will result in network connection failures.
Please refer to the iOS 9 documentation for more information.
References