App Transport Security in Xamarin.iOS

App Transport Security (ATS) enforces secure connections between internet resources (such as the app's back-end server) and your app.

This article introduces the security changes that App Transport Security enforces on an iOS 9 app and what they mean for your Xamarin.iOS projects. It covers the ATS configuration options and how to opt out of ATS if required. Because ATS is enabled by default, any non-secure internet connection raises an exception in an iOS 9 app unless you have explicitly allowed it.

About App Transport Security

As stated above, ATS ensures that all internet communications in iOS 9 and OS X El Capitan conform to secure-connection best practices, thereby preventing accidental disclosure of sensitive information, either directly through your app or through a library that it consumes.

For existing apps, implement the HTTPS protocol wherever possible. For new Xamarin.iOS apps, use HTTPS exclusively when communicating with internet resources. Additionally, high-level API communication must be encrypted using TLS version 1.2 with forward secrecy.

Any connection made with NSUrlConnection, CFUrl or NSUrlSession will use ATS by default in apps built for iOS 9 and OS X 10.11 (El Capitan).

Default ATS Behavior

Since ATS is enabled by default in apps built for iOS 9 and OS X 10.11 (El Capitan), all connections using NSUrlConnection, CFUrl or NSUrlSession are subject to the ATS security requirements. If a connection does not meet these requirements, it fails with an exception.

ATS Connection Requirements

ATS enforces the following requirements for all internet connections:

  • The connection must negotiate a cipher suite that provides forward secrecy. See the list of accepted cipher suites below.
  • The Transport Layer Security (TLS) protocol must be version 1.2 or greater.
  • Every certificate in the chain must be signed with SHA-256 or a stronger hash and carry either an RSA key of 2048 bits or more or an Elliptic-Curve (ECC) key of 256 bits or more. A certificate signed with SHA-1, or one with a shorter key, fails this check even when the rest of the handshake is compliant.

Again, since ATS is enabled by default in iOS 9, any attempt to make a connection that does not meet these requirements results in an exception being thrown.

ATS Compatible Ciphers

The following forward-secrecy cipher suites are accepted for ATS-secured internet communications:

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
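As an added example (not code from the original article or from Xamarin), the following Python checker encodes the connection requirements and the cipher-suite list from the two sections above and evaluates a set of constructed handshake summaries. The Handshake fields, the sample host names and their parameters are assumptions made for illustration; in practice you would fill a Handshake from a TLS scan of the server, which is outside this block.

```python
"""Check negotiated TLS parameters against the ATS requirements.

Added example; it is not part of the original article or of Xamarin.iOS.
It encodes the requirements and the cipher-suite list from the sections
above and evaluates constructed handshake summaries (sample data, not
live probes). Collecting real handshake data is outside this block.
"""
from dataclasses import dataclass
from typing import Dict, List

# Forward-secrecy cipher suites accepted by ATS, exactly as listed in the
# article (an iOS 9-era list; TLS 1.3 suite names are not on it).
ATS_CIPHER_SUITES = frozenset({
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
})

# Certificate requirements: minimum public-key size per algorithm and the
# weakest signature hash ATS accepts.
MIN_KEY_BITS = {"RSA": 2048, "EC": 256}
ACCEPTED_SIGNATURE_HASHES = frozenset({"sha256", "sha384", "sha512"})
TLS_VERSION_RANK = {"TLSv1.0": 10, "TLSv1.1": 11, "TLSv1.2": 12, "TLSv1.3": 13}
MIN_TLS_RANK = TLS_VERSION_RANK["TLSv1.2"]


@dataclass(frozen=True)
class Handshake:
    """Summary of one server's negotiated TLS parameters (constructed input)."""
    host: str
    tls_version: str     # "TLSv1.0" .. "TLSv1.3"
    cipher_suite: str    # IANA name of the negotiated cipher suite
    key_type: str        # "RSA" or "EC" (leaf certificate public key)
    key_bits: int        # public-key size in bits
    signature_hash: str  # hash algorithm of the leaf certificate's signature


def ats_violations(hs: Handshake) -> List[str]:
    """Return every ATS requirement the handshake fails (empty list = compliant)."""
    problems: List[str] = []
    if TLS_VERSION_RANK.get(hs.tls_version, 0) < MIN_TLS_RANK:
        problems.append(f"TLS version {hs.tls_version} is below 1.2")
    if hs.cipher_suite not in ATS_CIPHER_SUITES:
        problems.append(f"cipher suite {hs.cipher_suite} is not an accepted forward-secrecy suite")
    min_bits = MIN_KEY_BITS.get(hs.key_type)
    if min_bits is None:
        problems.append(f"unsupported certificate key type {hs.key_type}")
    elif hs.key_bits < min_bits:
        problems.append(f"{hs.key_type} key of {hs.key_bits} bits is below the {min_bits}-bit minimum")
    if hs.signature_hash.lower() not in ACCEPTED_SIGNATURE_HASHES:
        problems.append(f"certificate signature hash {hs.signature_hash} is weaker than SHA-256")
    return problems


def audit(handshakes: List[Handshake]) -> Dict[str, List[str]]:
    """Map each host to its list of violations; compliant hosts map to []."""
    return {hs.host: ats_violations(hs) for hs in handshakes}


# Constructed sample data: a compliant server, a legacy server that fails
# every requirement, and a server that only gets the certificate key wrong.
SAMPLE_HANDSHAKES = [
    Handshake("api.good.example", "TLSv1.2", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "EC", 256, "sha256"),
    Handshake("legacy.example", "TLSv1.0", "TLS_RSA_WITH_AES_128_CBC_SHA", "RSA", 1024, "sha1"),
    Handshake("weak-cert.example", "TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "RSA", 1024, "sha256"),
]

if __name__ == "__main__":
    for host, problems in audit(SAMPLE_HANDSHAKES).items():
        print(f"{'OK' if not problems else 'FAIL':4} {host}")
        for p in problems:
            print(f"       - {p}")
```

The third sample host is the case worth noticing: its TLS version and cipher suite are fine, yet ATS still rejects it because of the 1024-bit RSA key, so a server that "supports TLS 1.2" is not automatically ATS-compliant.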

For more information about working with the iOS internet communication classes, see Apple's NSURLConnection Class Reference, CFURL Reference and NSURLSession Class Reference.

Supporting ATS in Xamarin.iOS

Because ATS is enabled by default in iOS 9 and OS X El Capitan, if your Xamarin.iOS app, or any library or service it uses, makes a connection to the internet, you need to take action or that connection will result in an exception being thrown.

For an existing app, Apple suggests that you support the HTTPS protocol as soon as possible. If you cannot, because you are connecting to a third-party web service that does not support HTTPS, or if supporting HTTPS would be impractical, you can opt out of ATS. See the Opting-Out of ATS section below for more details.

For a new Xamarin.iOS app, use HTTPS exclusively when communicating with internet resources. Again, there may be situations (such as using a third-party web service) where this is not possible and you will need to opt out of ATS.

Additionally, ATS requires high-level API communication to be encrypted using TLS version 1.2 with forward secrecy. See the ATS Connection Requirements and ATS Compatible Ciphers sections above for more details.

If you are not familiar with TLS (Transport Layer Security), it is the successor to SSL (Secure Sockets Layer) and provides a set of cryptographic protocols that secure network connections.

The TLS level is controlled by the web service you are consuming and is therefore outside of the app's control. Both HttpClient and ModernHttpClient should automatically negotiate the highest TLS version supported by both the server and the selected HttpClient handler (see the handler descriptions below: the managed handler is limited to TLS 1.0).

Depending on the server you are talking to (especially if it is a third-party service), you may need to disable forward secrecy or allow a lower TLS level for that domain. See the Configuring ATS Options section below for more details.

Important

App Transport Security does not apply to Xamarin apps that use the Managed HttpClient implementation. It applies only to connections made through the CFNetwork HttpClient implementation or the NSURLSession HttpClient implementation. In other words, the managed handler bypasses ATS rather than satisfying it: its connections are never checked against the requirements above, so the choice of handler is itself a security decision.

Setting the HttpClient Implementation

To set the HttpClient implementation used by an iOS app, double-click the project in the Solution Explorer to open the Project Options. Navigate to iOS Build and select the desired client type under the HttpClient implementation dropdown. (The same choice is recorded in the .csproj file as the MtouchHttpClientHandler property, with the values HttpClientHandler, CFNetworkHandler and NSUrlSessionHandler; that property name comes from the Xamarin.iOS build tooling, not from the original article.)

Managed Handler

The Managed handler is the fully managed HttpClient handler that shipped with previous versions of Xamarin.iOS and is the default handler.

Pros:

  • It is the most compatible with Microsoft .NET and older versions of Xamarin.

Cons:

  • It is not fully integrated with iOS (e.g. it is limited to TLS 1.0).
  • It is usually much slower than the native APIs.
  • It requires more managed code and creates larger apps.

CFNetwork Handler

The CFNetwork-based handler is built on the native CFNetwork framework.

Pros:

  • Uses native APIs for better performance and smaller executable size.
  • Adds support for newer standards such as TLS 1.2.

Cons:

  • Requires iOS 6 or later.
  • Not available on watchOS.
  • Some HttpClient features and options are not available.

NSUrlSession Handler

The NSUrlSession-based handler is built on the native NSUrlSession API.

Pros:

  • Uses native APIs for better performance and smaller executable size.
  • Adds support for newer standards such as TLS 1.2.

Cons:

  • Requires iOS 7 or later.
  • Some HttpClient features and options are not available.

Diagnosing ATS Issues

When attempting to connect to the internet, either directly or from a web view in iOS 9, you might get an error of the form:

App Transport Security has blocked a cleartext HTTP (http://www.-the-blocked-domain.com) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file.

This message means ATS rejected the connection. As described above, ATS is enabled by default in apps built for iOS 9 and OS X 10.11 (El Capitan), so every connection made through NSURLConnection, CFURL or NSURLSession must use HTTPS, TLS 1.2 with forward secrecy and a compliant certificate; a connection that does not meet these requirements fails with an exception.

Apple also provides the TLSTool sample app, which can be compiled (or optionally transcoded to Xamarin and C#) and used to diagnose ATS/TLS issues. On a Mac you can also run nscurl --ats-diagnostics --verbose https://host.example against your server: it attempts the connection under the default ATS policy and under each of the Info.plist exception settings and reports which of them succeed, so you can see exactly which exception a server needs before adding one. See the Opting-Out of ATS section below for how to resolve this issue.

Configuring ATS Options

You can configure several ATS features by setting values for specific keys in your app's Info.plist file. The following keys are available for controlling ATS (indented to show how they are nested):

NSAppTransportSecurity
    NSAllowsArbitraryLoads
    NSAllowsArbitraryLoadsInWebContent
    NSExceptionDomains
    <domain-name-for-exception-as-string>
        NSExceptionMinimumTLSVersion
        NSExceptionRequiresForwardSecrecy
        NSExceptionAllowsInsecureHTTPLoads
        NSRequiresCertificateTransparency
        NSIncludesSubdomains
        NSThirdPartyExceptionMinimumTLSVersion
        NSThirdPartyExceptionRequiresForwardSecrecy
        NSThirdPartyExceptionAllowsInsecureHTTPLoads

Each key has the following type and meaning:

  • NSAppTransportSecurity (Dictionary) - Contains all of the ATS setting keys and values.
  • NSAllowsArbitraryLoads (Boolean) - If YES, ATS is disabled for every domain not listed in NSExceptionDomains. Listed domains still use the security settings specified for them.
  • NSAllowsArbitraryLoadsInWebContent (Boolean) - If YES, web views may load arbitrary content while App Transport Security (ATS) protection remains enabled for the rest of the app.
  • NSExceptionDomains (Dictionary) - A collection of domains and the security settings ATS should use for each of them.
  • <domain-name-for-exception-as-string> (Dictionary) - The collection of exceptions for a given domain (e.g. www.xamarin.com).
  • NSExceptionMinimumTLSVersion (String) - The minimum TLS version, as TLSv1.0, TLSv1.1 or TLSv1.2 (the default).
  • NSExceptionRequiresForwardSecrecy (Boolean) - If NO, the domain does not have to use a cipher suite with forward secrecy. The default value is YES.
  • NSExceptionAllowsInsecureHTTPLoads (Boolean) - If NO (the default), all communication with this domain must use HTTPS.
  • NSRequiresCertificateTransparency (Boolean) - If YES, the domain's TLS certificate must be accompanied by valid Certificate Transparency data. The default value is NO. This is the one per-domain key that tightens ATS rather than relaxing it.
  • NSIncludesSubdomains (Boolean) - If YES, these settings also apply to all subdomains of this domain. The default value is NO.
  • NSThirdPartyExceptionMinimumTLSVersion (String) - The minimum TLS version used when the domain is a third-party service outside of the developer's control.
  • NSThirdPartyExceptionRequiresForwardSecrecy (Boolean) - If YES, the third-party domain requires forward secrecy.
  • NSThirdPartyExceptionAllowsInsecureHTTPLoads (Boolean) - If YES, ATS allows non-secure communication with the third-party domain.

The NSThirdPartyException* keys behave like their NSException* counterparts and only differ in signalling that the domain is not yours; Apple has since deprecated them (from iOS 10 and macOS 10.12) in favor of the NSException* keys, so prefer the NSException* form in new configurations.

Opting-Out of ATS

While Apple strongly recommends using the HTTPS protocol and secure communication with internet-based resources, there may be times when this is not possible, for example if you are communicating with a third-party web service or using internet-delivered ads in your app.

If your Xamarin.iOS app must make a request to an insecure domain, the following changes to your app's Info.plist file disable the security defaults that ATS enforces for that domain only (here the placeholder www.the-domain-name.com and, because NSIncludesSubdomains is set, its subdomains):

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>www.the-domain-name.com</key>
        <dict>
            <key>NSExceptionMinimumTLSVersion</key>
            <string>TLSv1.0</string>
            <key>NSExceptionRequiresForwardSecrecy</key>
            <false/>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <key>NSIncludesSubdomains</key>
            <true/>
        </dict>
    </dict>
</dict>

Inside Visual Studio for Mac, double-click the Info.plist file in the Solution Explorer, switch to the Source view and add the above keys.

If your app needs to load and display web content from non-secure sites, add the following to your app's Info.plist file to let web pages load correctly while App Transport Security (ATS) protection remains enabled for the rest of the app:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoadsInWebContent</key>
    <true/>
</dict>

Optionally, you can make the following change to your app's Info.plist file to disable ATS completely, for all domains and all internet communication:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

As before, in Visual Studio for Mac, double-click the Info.plist file in the Solution Explorer, switch to the Source view and add the above keys.

Important

If your application requires a connection to an insecure website, always enter that domain as an exception using NSExceptionDomains instead of turning ATS off completely with NSAllowsArbitraryLoads. NSAllowsArbitraryLoads should be used only in extreme emergency situations: it removes the TLS version, forward-secrecy and certificate checks for every host the app (and every library inside it) talks to, and Apple has announced that App Review may ask for a justification when it is set.

Again, disabling ATS should be used only as a last resort, when switching to secure connections is either unavailable or impractical.

Summary

This article introduced App Transport Security (ATS) and described how it enforces secure communication with the internet. First, it covered the changes ATS requires of a Xamarin.iOS app running on iOS 9. Then it covered controlling ATS features and options. Finally, it covered opting out of ATS in your Xamarin.iOS app.
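Because the exceptions above are easy to add and easy to forget, a practitioner will want a check that reports every ATS relaxation an Info.plist contains. The following Python script is an added example (not code from the original article or from the Xamarin toolchain) that serves both the Configuring ATS Options key descriptions and the opt-out fragments of this section: it parses the NSAppTransportSecurity dictionary with the standard-library plistlib and lists each setting that weakens the default policy. The embedded plist is constructed sample input combining the article's fragments, and the domain api.partner.example and bundle identifiers are assumptions.

```python
"""Audit an Info.plist for ATS settings that weaken transport security.

Added example; it is not part of the original article or of the Xamarin
toolchain. It reads the NSAppTransportSecurity dictionary with the
standard-library plistlib and reports every key that relaxes ATS, using
the key meanings from the Configuring ATS Options section. The plist
below is constructed sample input that combines the article's opt-out
fragments; api.partner.example is a made-up domain.
"""
import plistlib
from typing import Any, Dict, List

SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.atsdemo</string>
    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSAllowsArbitraryLoadsInWebContent</key>
        <true/>
        <key>NSExceptionDomains</key>
        <dict>
            <key>www.the-domain-name.com</key>
            <dict>
                <key>NSExceptionMinimumTLSVersion</key>
                <string>TLSv1.0</string>
                <key>NSExceptionRequiresForwardSecrecy</key>
                <false/>
                <key>NSExceptionAllowsInsecureHTTPLoads</key>
                <true/>
                <key>NSIncludesSubdomains</key>
                <true/>
            </dict>
            <key>api.partner.example</key>
            <dict>
                <key>NSRequiresCertificateTransparency</key>
                <true/>
            </dict>
        </dict>
    </dict>
</dict>
</plist>
"""

# Two more constructed inputs: the "turn it all off" configuration and an
# app with no ATS dictionary at all (which gets the full default policy).
ARBITRARY_LOADS_PLIST = plistlib.dumps(
    {"NSAppTransportSecurity": {"NSAllowsArbitraryLoads": True}})
NO_ATS_PLIST = plistlib.dumps({"CFBundleIdentifier": "com.example.strict"})

WEAK_TLS_VERSIONS = ("TLSv1.0", "TLSv1.1")


def audit_ats(info_plist: bytes) -> List[str]:
    """Return one finding per ATS setting that relaxes the default policy."""
    info: Dict[str, Any] = plistlib.loads(info_plist)
    ats = info.get("NSAppTransportSecurity")
    findings: List[str] = []
    if not ats:
        return findings  # no dictionary: ATS defaults apply to every connection

    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("global: NSAllowsArbitraryLoads disables ATS for every domain not in NSExceptionDomains")
    if ats.get("NSAllowsArbitraryLoadsInWebContent"):
        findings.append("global: NSAllowsArbitraryLoadsInWebContent disables ATS for web views")

    for domain, cfg in ats.get("NSExceptionDomains", {}).items():
        scope = f"{domain} (and subdomains)" if cfg.get("NSIncludesSubdomains") else domain
        # NSException* and the older NSThirdPartyException* keys relax the
        # same three controls, so check both spellings. NSRequiresCertificateTransparency
        # tightens ATS and is deliberately not reported.
        for prefix in ("NSException", "NSThirdPartyException"):
            if cfg.get(prefix + "AllowsInsecureHTTPLoads"):
                findings.append(f"{scope}: cleartext HTTP allowed ({prefix}AllowsInsecureHTTPLoads)")
            if cfg.get(prefix + "RequiresForwardSecrecy") is False:
                findings.append(f"{scope}: forward secrecy not required ({prefix}RequiresForwardSecrecy)")
            min_tls = cfg.get(prefix + "MinimumTLSVersion")
            if min_tls in WEAK_TLS_VERSIONS:
                findings.append(f"{scope}: minimum TLS version lowered to {min_tls} ({prefix}MinimumTLSVersion)")
    return findings


if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_INFO_PLIST),
                       ("arbitrary", ARBITRARY_LOADS_PLIST),
                       ("no-ats", NO_ATS_PLIST)):
        findings = audit_ats(blob)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run it against the Info.plist in your project directory (for example by reading the file into bytes and passing it to audit_ats) as part of a build or code-review step; a single NSAllowsArbitraryLoads finding is the one that should fail the build.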