Enforcing TLS-secure connections in iOS apps

From iOS 9, Transport Layer Security (TLS) protocol version 1.2 must be enforced in all apps. For development purposes only, you can bypass this iOS 9 requirement by declaring an exception in the app's info.plist file.

About this task

Apple App Transport Security (ATS) is a new feature of iOS 9 that enforces best practices for connections between the app and the server. By default, this feature enforces some connection requirements that improve security. These include client-side HTTPS requests and server-side certificates and connection ciphers that conform to Transport Layer Security (TLS) version 1.2 using forward secrecy.

For development purposes, you can override the default behavior by specifying an exception in the info.plist file in your app, as described in App Transport Security Technote. However, in a full production environment, all iOS apps must enforce TLS-secure connections for them to work properly.

To enable non-TLS connections, the following exception must appear in the <projectname>info.plist file in the <project>\Resources folder:
<key>NSExceptionDomains</key>
  <dict>
    <key>yourserver.com</key>
    <dict>
      <!--Include to allow subdomains-->
      <key>NSIncludesSubdomains</key>
      <true/>

      <!--Include to allow insecure HTTP requests-->
      <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
      <true/>
    </dict>
  </dict>

Procedure

  1. To prepare for production, remove or comment out the exception shown earlier on this page.
  2. Set up the client to send HTTPS requests by adding the following entries to the dictionary:
    <key>protocol</key>
    <string>https</string>
    
    <key>port</key>
    <string>10443</string>

    The SSL port number is defined on the server in server.xml in the httpEndpoint definition.

  3. Configure a server that is enabled for the TLS 1.2 protocol.

    For more information, see Configuring MobileFirst Server to enable TLS V1.2.

  4. Configure ciphers and certificates as they apply to your setup.

    For more information, see App Transport Security Technote, Secure communications using Secure Sockets Layer (SSL) for WebSphere® Application Server Network Deployment, and Enabling SSL communication for the Liberty profile.
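As an added example (not part of the original page or of the MobileFirst product), the following Python script audits an Info.plist before a production build: it flags the development-time exception shown earlier on this page and checks the client protocol entry from step 2. It assumes the exception dictionary sits under the standard NSAppTransportSecurity key, and the embedded plist with yourserver.com and port 10080 is a constructed sample.

```python
import plistlib

# Constructed sample Info.plist, modelled on the development-time exception
# shown on this page (yourserver.com and the port are placeholders).
DEV_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSExceptionDomains</key><dict>
      <key>yourserver.com</key><dict>
        <key>NSIncludesSubdomains</key><true/>
        <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key><true/>
      </dict>
    </dict>
  </dict>
  <key>protocol</key><string>http</string>
  <key>port</key><string>10080</string>
</dict></plist>"""

# Per-domain keys that weaken ATS. The "Temporary" spellings are the
# pre-release names this page uses; the others are the names that shipped.
ALLOW_HTTP = ("NSExceptionAllowsInsecureHTTPLoads",
              "NSTemporaryExceptionAllowsInsecureHTTPLoads")
NO_PFS = ("NSExceptionRequiresForwardSecrecy",
          "NSTemporaryExceptionRequiresForwardSecrecy")
MIN_TLS = ("NSExceptionMinimumTLSVersion",
           "NSTemporaryExceptionMinimumTLSVersion")


def ats_findings(plist_bytes):
    """Return a list of ATS weakenings found in an Info.plist; [] means production-ready."""
    info = plistlib.loads(plist_bytes)
    findings = []
    ats = info.get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads is true: ATS disabled app-wide")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if any(rules.get(k) for k in ALLOW_HTTP):
            findings.append(f"{domain}: plain HTTP loads allowed")
        if any(rules.get(k) is False for k in NO_PFS):
            findings.append(f"{domain}: forward secrecy not required")
        for k in MIN_TLS:
            # String comparison orders TLSv1.0 < TLSv1.1 < TLSv1.2 correctly.
            if k in rules and rules[k] < "TLSv1.2":
                findings.append(f"{domain}: minimum TLS version {rules[k]} below 1.2")
    # The client-side setting that step 2 of the procedure requires.
    if info.get("protocol") != "https":
        findings.append("client protocol is not https")
    return findings
```

Run it against each build's Info.plist in CI and fail the build when the returned list is non-empty.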