iOS 9 ATS: disable forward secrecy for all domains

With ATS enabled in iOS 9, many of my clients cannot meet the forward secrecy requirement. However, they can meet the HTTPS and TLS 1.2 requirements. So I would like to relax the forward secrecy requirement while keeping HTTPS and TLS 1.2 in place.

I was wondering if anyone had figured out a way to use NSExceptionRequiresForwardSecrecy or NSThirdPartyExceptionRequiresForwardSecrecy to disable forward secrecy for all domains.

I tried using * or *.com as the NSExceptionDomains key, but when I requested the URL in question it did not help. When I use domain.com instead, the URL loads. I looked at the Apple docs on this but did not see any way to achieve my goal.

Is it possible to simply disable forward secrecy for all domains, the way you can completely disable ATS by setting NSAppTransportSecurity / NSAllowsArbitraryLoads to true?

Thanks!

+5
2 answers

Yes, it is possible. You probably have at least one domain you are sure you will connect to. If not, use any reliable website (google.com, facebook.com, etc.). Add an NSExceptionDomains rule for that domain by specifying the NSAppTransportSecurity configuration as follows:

    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSExceptionDomains</key>
        <dict>
            <key>google.com</key>
            <dict>
                <key>NSIncludesSubdomains</key>
                <true/>
                <key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
                <false/>
            </dict>
        </dict>
    </dict>

FYI, the Facebook apps use the same NSAppTransportSecurity configuration.

+5

Perhaps try the following.

    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSAllowsArbitraryLoads</key>
        <true/>
    </dict>

You can also add a specific exception:

    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSExceptionDomains</key>
        <dict>
            <key>testdomain.com</key>
            <dict>
                <key>NSIncludesSubdomains</key>
                <false/>
                <!-- keys for connections to your own servers -->
                <key>NSExceptionAllowsInsecureHTTPLoads</key>
                <false/>
                <key>NSExceptionRequiresForwardSecrecy</key>
                <true/>
                <key>NSExceptionMinimumTLSVersion</key>
                <string>TLSv1.2</string>
                <!-- keys for connections to third-party servers you do not control -->
                <key>NSThirdPartyExceptionAllowsInsecureHTTPLoads</key>
                <false/>
                <key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
                <true/>
                <key>NSThirdPartyExceptionMinimumTLSVersion</key>
                <string>TLSv1.2</string>
                <key>NSRequiresCertificateTransparency</key>
                <false/>
            </dict>
            <!-- ... -->
        </dict>
    </dict>
+1
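Both answers above hand-edit the NSAppTransportSecurity dictionary, and the second one's first fragment (NSAllowsArbitraryLoads) switches ATS off for every domain rather than relaxing only forward secrecy. The following script is an added example, not code from the thread or from Apple: it builds a per-domain exception list that keeps HTTPS and the TLS 1.2 floor but drops the forward-secrecy requirement (ATS has no wildcard for NSExceptionDomains, so the domains must be enumerated), and lints an Info.plist with plistlib to report every setting that is weaker than the ATS defaults. The sample plist is constructed for the example; api.example.com and legacy.example.com are made-up hostnames, while google.com and testdomain.com are the names the answers used.

```python
"""Build and lint the NSAppTransportSecurity (ATS) dictionary of an Info.plist.

Added example; not from the thread above. Findings describe what an exception
gives up relative to the ATS defaults: HTTPS only, TLS 1.2 minimum, and cipher
suites with forward secrecy.
"""
import plistlib

ATS = "NSAppTransportSecurity"
TLS_ORDER = {"TLSv1.0": 0, "TLSv1.1": 1, "TLSv1.2": 2, "TLSv1.3": 3}

# Per-domain keys that weaken ATS when set to the listed value.
WEAKENING = {
    "NSExceptionAllowsInsecureHTTPLoads": (True, "permits plain http:// loads"),
    "NSThirdPartyExceptionAllowsInsecureHTTPLoads": (True, "permits plain http:// loads"),
    "NSExceptionRequiresForwardSecrecy": (False, "drops the forward-secrecy cipher requirement"),
    "NSThirdPartyExceptionRequiresForwardSecrecy": (False, "drops the forward-secrecy cipher requirement"),
}
TLS_KEYS = ("NSExceptionMinimumTLSVersion", "NSThirdPartyExceptionMinimumTLSVersion")

# Constructed Info.plist: answer 2's NSAllowsArbitraryLoads, answer 1's google.com
# entry, the wildcard the question tried, and a hypothetical TLS 1.0 host.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.atsdemo</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>google.com</key>
      <dict>
        <key>NSIncludesSubdomains</key><true/>
        <key>NSThirdPartyExceptionRequiresForwardSecrecy</key><false/>
      </dict>
      <key>*.com</key>
      <dict>
        <key>NSExceptionRequiresForwardSecrecy</key><false/>
      </dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""


def build_ats_without_forward_secrecy(domains, include_subdomains=True):
    """ATS dict that keeps HTTPS and TLS 1.2 but relaxes only forward secrecy.

    Every host (or parent domain covered via NSIncludesSubdomains) is listed
    explicitly because ATS does not match wildcard keys.
    """
    exceptions = {}
    for domain in domains:
        exceptions[domain] = {
            "NSIncludesSubdomains": include_subdomains,
            "NSExceptionRequiresForwardSecrecy": False,
            "NSExceptionMinimumTLSVersion": "TLSv1.2",  # keep the default floor explicit
        }
    return {ATS: {"NSExceptionDomains": exceptions}}


def lint_ats(plist_bytes):
    """Return [(domain, key, problem)] for every setting weaker than the ATS defaults."""
    ats = plistlib.loads(plist_bytes).get(ATS, {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append(("*", "NSAllowsArbitraryLoads",
                         "disables ATS for every domain: plain HTTP, old TLS, no forward secrecy"))
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if "*" in domain:
            findings.append((domain, "NSExceptionDomains",
                             "wildcard key; ATS matches exact names only (use NSIncludesSubdomains)"))
        for key, (bad_value, why) in WEAKENING.items():
            if rules.get(key) is bad_value:
                findings.append((domain, key, why))
        for key in TLS_KEYS:
            version = rules.get(key)
            if version is not None and TLS_ORDER.get(version, -1) < TLS_ORDER["TLSv1.2"]:
                findings.append((domain, key, f"allows {version}, below the TLS 1.2 default"))
    return findings


def lint_ats_dict(info):
    """Lint an in-memory Info.plist dictionary (serialised with plistlib first)."""
    return lint_ats(plistlib.dumps(info))


if __name__ == "__main__":
    for domain, key, problem in lint_ats(SAMPLE_PLIST):
        print(f"{domain:22} {key:45} {problem}")
    print("--- forward secrecy relaxed for api.example.com only ---")
    for finding in lint_ats_dict(build_ats_without_forward_secrecy(["api.example.com"])):
        print(finding)
```

Run it against a real Info.plist with `lint_ats(open("Info.plist", "rb").read())`; the output for the constructed sample shows NSAllowsArbitraryLoads as a global finding, the ignored `*.com` wildcard, and the per-domain relaxations, whereas the dictionary from `build_ats_without_forward_secrecy` produces exactly one finding per listed domain, which is the trade-off the question was after.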

Source: https://habr.com/ru/post/1242253/
