
I want to make sure that my iOS app will connect with a defined web server through a web API and doesn't have any access to some other domain.

I have tried to implement NSAppTransportSecurity to define my web server domain but it is not working for me and the app can still have an access to other domains as well.

I'm using Alamofire networking library in Swift to make web API requests. Please guide me whether I can achieve this or not.

Update:

ATS is not working for me with Alamofire library of Swift.

Example:

// This should be accessible from my app only and the app shouldn't send any request to other domains
www.mydomain.com

Update #2

My Purpose

My aim is to restrict my app in this way so that any open-source framework I use in my app won't be able to access any other web server except the one I defined.

It would be great if something I can do in plist or from app settings for the general app target.

developer
  • Possible duplicate of [Transport security has blocked a cleartext HTTP](https://stackoverflow.com/questions/31254725/transport-security-has-blocked-a-cleartext-http) – Jake Jun 21 '18 at 17:26
  • ATS is the solution to your problem. It also doesn't depend on the framework you're using, whether ATS is working, since it's implemented on a lower level. Please share your `NSAppTransportSecurity` settings so i can make a more qualified statement. – Jonas Maier Jun 21 '18 at 19:37
  • ATS is not used to block traffic to domains. ATS is used to block **insecure** connections to all, or some, domains. So you can certainly configure ATS to allow you to connect to `http://www.example.com` without using TLS (note it is http, not http**s**), but not allow your app to connect to `http://www.example.org`. However, ATS will not prevent you from connecting to `https://www.example.org` if it meets all the requirements of ATS (TLS v1.2, forward secrecy, etc.). If you have control over the source code, how would a user cause the app to load data from another domain? – wottle Jun 22 '18 at 03:26
  • In other words, ATS is not your solution. If you allow the user to enter other URLs to navigate to (or they can navigate away from your core domain), you will have to write the code to prevent loading of other domains. You could probably use the Network Extensions framework to do that. If you just want to make sure your app traffic isn't intercepted through a man in the middle (MITM) attack, you should look into certificate pinning. – wottle Jun 22 '18 at 03:34
  • @wottle yes you are right, ATS is not the right solution, however is there any base URL request method in iOS that is to be overridden to achieve this or may I need to write custom network extension framework for this purpose? – developer Jun 22 '18 at 05:11
  • I think you would have to write a custom network extension. It wouldn't need to do much, but it's not as easy as overriding a single method. I haven't done something like that. If you are initiating the API calls, why can't you just ensure in your NSURLConnections that the domain is yours? – wottle Jun 22 '18 at 11:59
  • @wottle please see my update. – developer Jun 22 '18 at 15:16
  • OK, so you just want to make sure some framework you use doesn't do anything outside of what you intend it to. I think you'd have to do something low level, like a network extension. Or, if this is for a corporate app, you could potentially secure it with something like MAM, which would allow you to force the app to use a proxy, and you could block all domains except yours at the proxy level. – wottle Jun 22 '18 at 15:52
  • @wottle This sounds great for me, I will definitely try this. – developer Jun 22 '18 at 19:18
  • @wottle you should write an answer with all you have written in comments – Blazej SLEBODA Aug 30 '18 at 05:49

1 Answer


It's impossible to restrict/filter the network traffic with ATS.

ATS enforces security policies when loading HTTP- and URL-based resources and doesn't restrict/filter network traffic.

App Transport Security (ATS) is enforced by the NSURLSession class and all APIs that use it. ATS is automatically enabled when you link your app against the iOS 9.0 SDK or later or against the macOS 10.11 SDK or later. (The older NSURLConnection class also enforces ATS when you link against the iOS 9.0 SDK or later or against the macOS 10.11 SDK or later.) ATS protections are not available when using lower-level networking APIs provided by Apple, or when using third-party networking libraries. Source

Blazej SLEBODA
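Since ATS cannot filter destinations, the practical option the comments point at is to check the host yourself before a request leaves the app. The following is an added example, not code from the question or the answer: a `URLProtocol` subclass that fails any request whose host is not on an allowlist, installed into the `URLSessionConfiguration` that the session (plain `URLSession`, or Alamofire's `Session`/`SessionManager`, both of which accept a configuration) is built from. The hostname `www.example.com` is an assumed placeholder. It only covers traffic that goes through `URLSession` with this configuration; a library that opens its own sockets, or a web view, is not seen by it, which is the same limitation the answer describes for ATS.

```swift
import Foundation

/// URLProtocol that refuses any request whose host is not on the allowlist.
/// Because it is first in the configuration's protocol chain, every request
/// made through a session built from that configuration is inspected here
/// before the system's own HTTP handlers see it.
final class HostAllowlistProtocol: URLProtocol {
    /// Hostnames the app is permitted to contact (assumed placeholder value).
    static var allowedHosts: Set<String> = ["www.example.com"]

    struct BlockedHostError: LocalizedError {
        let host: String
        var errorDescription: String? { "Request to \(host) blocked by host allowlist" }
    }

    /// Exact, case-insensitive host match; no URL at all is treated as denied.
    static func isAllowed(_ url: URL?) -> Bool {
        guard let host = url?.host?.lowercased() else { return false }
        return allowedHosts.contains(host)
    }

    // Claim only the requests we intend to block. Allowed requests return
    // false here and fall through to the normal URL loading system untouched.
    override class func canInit(with request: URLRequest) -> Bool {
        return !isAllowed(request.url)
    }

    override class func canonicalRequest(for request: URLRequest) -> URLRequest {
        return request
    }

    // A claimed request never reaches the network: it is failed immediately,
    // so the caller sees an ordinary error instead of a silent drop.
    override func startLoading() {
        let host = request.url?.host ?? "<no host>"
        client?.urlProtocol(self, didFailWithError: BlockedHostError(host: host))
    }

    override func stopLoading() {}
}

/// Builds a configuration with the allowlist filter ahead of the default
/// protocol handlers. Hand this to URLSession(configuration:) or to
/// Alamofire's Session(configuration:) instead of using the shared session.
func makeRestrictedConfiguration() -> URLSessionConfiguration {
    let configuration = URLSessionConfiguration.default
    configuration.protocolClasses = [HostAllowlistProtocol.self] + (configuration.protocolClasses ?? [])
    return configuration
}

let session = URLSession(configuration: makeRestrictedConfiguration())
```

Registering the class globally with `URLProtocol.registerClass` only affects the shared session, so a library that builds its own `URLSession` must be given this configuration explicitly.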