What is App Transport Security (ATS) ?

What is ATS ?

Introduced within iOS9 and OS X 10.11, App Transport Security (ATS) is a new feature that enforces greater security within Apples application libraries.

This means that when an application makes an connection, using the NSURLConnection, CFURL, or NSURLSession libraries, that the connection must meet the following requirements.

• The server must support at least Transport Layer Security (TLS) protocol version 1.2.
• Connection ciphers are limited to those that provide forward secrecy (see the list of ciphers below.)
• Certificates must be signed using a SHA256 or greater signature hash algorithm, with either a 2048-bit or greater RSA key or a 256-bit or greater Elliptic-Curve (ECC) key.
• Invalid certificates result in a hard failure and no connection.

These are the accepted ciphers:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

NOTE There are various ways to disable ATS. Further details can be found here.

Safari

So you may be asking. What about the various sites that do not support TLS1.2, let alone HTTPS ?

Currently Safari does not enforce ATS. Meaning that when connecting to a site the ATS requirements (above) are not enforced. So you can still get to you can connect to sites on HTTP or HTTPS along with non TLS1.2 sites.

References

• https://devcentral.f5.com/articles/preparing-your-f5-for-new-tls-requirements-in-apple-ios-9-and-os-x-1011
• https://developer.apple.com/library/prerelease/ios/technotes/App-Transport-Security-Technote/
• http://googleadsdeveloper.blogspot.co.uk/2015/08/handling-app-transport-security-in-ios-9.html

• Author
• Recent Posts

Rick Donato

Rick Donato is a Network Automation Architect/Evangelist and the founder of Packet Coders.

Latest posts by Rick Donato (see all)

• How to Configure a BIND Server on Ubuntu - March 15, 2018
• What is a BGP Confederation? - March 6, 2018
• Cisco – What is BGP ORF (Outbound Route Filtering)? - March 5, 2018

Want to become an IT Security expert?

Here is our hand-picked selection of the best courses you can find online:
Internet Security Deep Dive course
Complete Cyber Security Course – Hackers Exposed
CompTIA Security+ (SY0-601) Certification Complete course
and our recommended certification practice exams:
AlphaPrep Practice Tests - Free Trial