App Transport Security for Busy People

niwatako
March 03, 2017

@ try! Swift Tokyo 2017 https://www.tryswift.co/tokyo/jp
The talk manuscript is here: http://niwatako.hatenablog.jp/entry/2017/03/03/162543

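At WWDC 2016, Apple announced that ATS (App Transport Security) would become mandatory. As you know, however, the requirement was postponed. In addition, iOS 10 introduced new Info.plist keys for configuring ATS, but their specification differs between iOS 10 minor versions. This lightning talk attempts to get you to master ATS, where the policy, the information and the specification are all in confusion, in five minutes.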

Transcript

  1. { }
    try! Swift
    App Transport Security for Busy People
    Tokyo 2017

  2. @ niwatako

  4. { }
    try! Swift
    Kyoto

  7. MacBook Gold

  9. { }
    try! Swift
    App Transport Security for Busy People
    Tokyo 2017

  10. App Transport Security
    Enforcement

  11. App Transport Security

  12. Enabled by default

  13. App Transport Security
    Safe HTTPS
    Unsafe HTTPS
    HTTP

  14. https
    • different? Safe HTTPS
    Unsafe HTTPS

  15. https
    • different?
    • Hash algorithm
    • Digital signature
    • Encryption
    • …
    Safe HTTPS
    Unsafe HTTPS

  16. > What is “Safe HTTPS”?
    ( ・ω・)っ Information Property List Key Reference
    https://developer.apple.com/library/prerelease/content/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html#//apple_ref/doc/uid/TP40009251-SW57

  17. $ nscurl --ats-diagnostics https://apple.com/

  18. $ nscurl --ats-diagnostics https://apple.com/
    Default ATS Secure Connection
    ---
    ATS Default Connection
    Result : PASS
    ---

  19. $ nscurl --ats-diagnostics https://swift.org/
    Default ATS Secure Connection
    ---
    ATS Default Connection
    2017-03-03 09:53:51.924 nscurl[82267:6343870] N
    NSURLConnection HTTP load failed (kCFStreamErro
    Result : FAIL
    ---

  20. Want to connect over HTTP?
    Safe HTTPS
    HTTP
    Unsafe HTTPS

  21. NSAllowsArbitraryLoads
    Safe HTTPS
    HTTP
    Unsafe HTTPS

  22. NSExceptionDomains
    Safe HTTPS
    HTTP
    Unsafe HTTPS
    hatena.ne.jp hatena.ne.jp
    swift.org

  23. New ATS Options

  24. • NSAllowsArbitraryLoadsForMedia
    Options for App Transport Security

  25. • NSAllowsArbitraryLoadsForMedia
    • NSAllowsArbitraryLoadsInWebContent
    Options for App Transport Security

  26. • NSAllowsArbitraryLoadsForMedia
    • NSAllowsArbitraryLoadsInWebContent
    • NSAllowsLocalNetworking
    Options for App Transport Security

  27. • NSAllowsArbitraryLoadsForMedia
    • NSAllowsArbitraryLoadsInWebContent
    • NSAllowsLocalNetworking
    Options for App Transport Security

  29. NSAllowsArbitraryLoadsInWebContent

  30. NSAllowsArbitraryLoadsInWebContent
    WK: WebView, UI: UIWebView, NS: NSURLSession
    WK UI NS
    Safe HTTPS
    HTTP Unsafe HTTPS
    WK UI NS
    WK UI NS

  31. ATS ATS
    WK UI NS
    Safe HTTPS
    HTTP Unsafe HTTPS
    WK UI NS
    WK UI NS
    ATS

  32. NSAllowsArbitraryLoads
    WK UI NS
    Safe HTTPS
    HTTP Unsafe HTTPS
    WK UI NS
    WK UI NS

  33. ATS ATS
    WK UI NS
    Safe HTTPS
    HTTP Unsafe HTTPS
    WK UI NS
    WK UI NS

  34. NSAllowsArbitraryLoadsInWebContent (iOS10.0)
    WK UI NS
    Safe HTTPS
    HTTP Unsafe HTTPS
    WK UI NS
    WK UI NS
    ATS

  35. WK UI NS
    Safe HTTPS
    HTTP Unsafe HTTPS
    WK UI NS
    WK UI NS
    ATS
    NSAllowsArbitraryLoadsInWebContent (iOS10.0)

  36. NSAllowsArbitraryLoadsInWebContent (iOS10.0)
    WK UI NS
    Safe HTTPS
    HTTP Unsafe HTTPS
    WK UI NS
    WK UI NS
    ATS

  37. WK UI NS
    Safe HTTPS
    HTTP Unsafe HTTPS
    WK UI NS
    WK UI NS
    iOS10.2 and later
    NSAllowsArbitraryLoadsInWebContent
    (iOS10.2)
    ATS ATS

  38. NSAllowsArbitraryLoadsInWebContent
    (iOS10.2)
    Bug…
    WK UI NS
    Safe HTTPS
    HTTP Unsafe HTTPS
    WK UI NS
    WK UI NS
    ATS ATS

  39. NSAllowsHTTPLoadsInWebContent
    NSAllowsArbitraryLoadsInWebContent

  41. WK UI NS
    Safe HTTPS
    HTTP Unsafe HTTPS
    WK UI NS
    WK UI NS
    ATS
    NSAllowsArbitraryLoadsInWebContent (iOS10.0)

  42. WK UI NS
    Safe HTTPS
    HTTP Unsafe HTTPS
    WK UI NS
    WK UI NS
    iOS10.2 and later
    NSAllowsArbitraryLoadsInWebContent
    (iOS10.2)
    ATS ATS

  43. Required by App Store at end of 2016

  44. Required by App Store at end of 2016
    Postponed

  45. Let's use
    NSAllowsArbitraryLoads

  46. Important Things About ATS
    • There are cases where it does not work properly.
    • You should check both the specification and the actual behavior.
    • Behavior differs between minor versions.