URLSession class provides methods to load network and URL requests asynchronously and synchronously. Older iOS versions can utilize the Sockets API.
using: .tls is used. It is the preferred option over the legacy Secure Transport framework.
URLSession was built upon the Network framework and utilizes the same transport services. The class also uses TLS 1.3 by default, if the endpoint is HTTPS.
URLSession should be used for HTTP and HTTPS connections, instead of utilizing the Network framework directly. The class natively supports both URL schemes and is optimized for such connections. It requires less boilerplate code, reducing the propensity for errors and ensuring secure connections by default. The Network framework should only be used when there are low-level and/or advanced networking requirements.
URLSession to fetch website data into memory.
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
NSAppTransportSecurity key. These exceptions can be applied to:
NSAppTransportSecurity dictionary.
NSAllowsArbitraryLoads
NSExceptionDomains
NSAllowsArbitraryLoadsInWebContent
NSAllowsLocalNetworking
NSAllowsArbitraryLoadsForMedia
NSIncludesSubdomains
NSExceptionAllowsInsecureHTTPLoads
NSExceptionMinimumTLSVersion
NSExceptionRequiresForwardSecrecy
NSAllowsArbitraryLoads
NSAllowsArbitraryLoadsForMedia
NSAllowsArbitraryLoadsInWebContent
NSExceptionAllowsInsecureHTTPLoads
NSExceptionMinimumTLSVersion
Info.plist file in the application bundle directory and look for any exceptions that the application developer has configured. This file should be examined taking the application's context into consideration.
Info.plist file should be either obtained from a jailbroken device or by extracting the application IPA file. Convert it to a human-readable format if needed (e.g. plutil -convert xml1 Info.plist) as explained in the chapter "iOS Basic Security Testing", section "The Info.plist File".
nscurl is available to check the same. The command can be used as follows:
If there are any failures in the nscurl output, please change the server-side configuration of TLS to make the server side more secure, instead of weakening the configuration in ATS on the client.
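The Info.plist review described above can be scripted. The following is an added example, not part of the original page: it parses an XML or binary Info.plist with Python's plistlib and lists the ATS exception keys named on this page. The audit_ats function and the sample plist are constructed for illustration, and the check assumes the ATS defaults of TLSv1.2 and forward secrecy.

```python
import plistlib

# Global ATS switches named on this page; a value of True relaxes ATS.
GLOBAL_KEYS = (
    "NSAllowsArbitraryLoads",
    "NSAllowsArbitraryLoadsForMedia",
    "NSAllowsArbitraryLoadsInWebContent",
    "NSAllowsLocalNetworking",
)
WEAK_TLS = {"TLSv1.0", "TLSv1.1"}  # below the ATS default of TLSv1.2 (assumption stated in lead-in)


def audit_ats(plist_bytes):
    """Return (scope, key, value) tuples for ATS exceptions in an Info.plist (hypothetical helper)."""
    info = plistlib.loads(plist_bytes)  # auto-detects XML and binary plists
    ats = info.get("NSAppTransportSecurity", {})
    findings = [("global", k, True) for k in GLOBAL_KEYS if ats.get(k) is True]
    for domain, cfg in sorted(ats.get("NSExceptionDomains", {}).items()):
        # Note when the exception also covers every subdomain of the entry.
        scope = domain + (" (+subdomains)" if cfg.get("NSIncludesSubdomains") else "")
        if cfg.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            findings.append((scope, "NSExceptionAllowsInsecureHTTPLoads", True))
        tls = cfg.get("NSExceptionMinimumTLSVersion")
        if tls in WEAK_TLS:
            findings.append((scope, "NSExceptionMinimumTLSVersion", tls))
        if cfg.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append((scope, "NSExceptionRequiresForwardSecrecy", False))
    return findings


# Constructed sample Info.plist in binary format (not taken from a real app).
SAMPLE = plistlib.dumps({
    "CFBundleIdentifier": "com.example.demo",
    "NSAppTransportSecurity": {
        "NSAllowsArbitraryLoadsInWebContent": True,
        "NSExceptionDomains": {
            "legacy.example.com": {
                "NSIncludesSubdomains": True,
                "NSExceptionAllowsInsecureHTTPLoads": True,
                "NSExceptionMinimumTLSVersion": "TLSv1.0",
            },
            "api.example.com": {"NSExceptionMinimumTLSVersion": "TLSv1.2"},
        },
    },
}, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    for scope, key, value in audit_ats(SAMPLE):
        print(f"{scope}: {key} = {value}")
```

Each finding still has to be judged against the application's context, since an exception for a domain the developer does not control can be justified while the same exception for the app's own backend is not.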
example.com is owned by the application owner and ATS is enabled for that domain.
NSAllowsArbitraryLoadsInWebContent can be used to disable ATS restrictions for the content loaded in web views.
Info.plist file under App Transport Security Settings. You can find an example in their article Identity Pinning: How to configure server certificates for your app.
connection:willSendRequestForAuthenticationChallenge: method of NSURLConnectionDelegate to check if the certificate provided by the server is valid and matches the certificate stored in the app. You can find more details in the HTTPS Server Trust Evaluation technical note.
NSURLSession, CFStream, and AFNetworking