iOS9 GoogleAnalytics and NSAppTransportSecurity


Problem description

I am running into trouble due to the new security opportunity from Apple's iOS9 to restrict ssl requests to any kind of servers.

See reference: https://developer.apple.com/library/content/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html#//apple_ref/doc/uid/TP40009251-SW33

Actually, I want to make use of the default and not allow any kind of connection NSAllowsArbitraryLoads: false

<key>NSAppTransportSecurity</key>
    <dict>
        <key>NSAllowsArbitraryLoads</key>
        <false/>
    </dict>

Of course some connections are intended and I retrieve data from own servers as well as from third party servers.

Either you can now sniff the app's traffic, which is generated by third party tools, or you make use of logging all network traffic, referenced here: How can I figure out which URL is being blocked by App Transport Security?

It is easy to track down all occurring errors in this log (not too hard to look for an error code). In this way I was easily able to see what connections were being established and maybe failed, due to load limitations (of course, good software engineers know by heart ;) )

Any kind of third-party tracker or my own network setup is running just fine, apart from Google Analytics. At first I downloaded the latest example code and had a look at it; of course you cannot expect a library to already support the most recent beta systems, nevertheless I gave it a try. And it failed as soon as NSAllowsArbitraryLoads is set to false/NO.

Even with limiting as few as possible for the third party I was not able to make it run:

<key>NSAppTransportSecurity</key>
    <dict>
        <key>NSAllowsArbitraryLoads</key>
        <false/>
        <key>NSExceptionDomains</key>
        <dict>
            <key>ssl.google-analytics.com</key>
            <dict>
                <key>NSRequiresCertificateTransparency</key>
                <true/>
                <key>NSThirdPartyExceptionMinimumTLSVersion</key>
                <string>TLSv1.2</string>
                <key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
                <false/>
                <key>NSThirdPartyExceptionAllowsInsecureHTTPLoads</key>
                <true/>
            </dict>
        </dict>
    </dict>

I also tried google-analytics.com and including subdomains with NSIncludesSubdomains: true. And, as the simple website call in a browser of "https://google-analytics.com" redirects to "https://www.google.com/analytics/", I also tried to allow google.com as an additional exception domain, which also fails.

Even had a look at the supported ssl-ciphers, I think they are no problem here:

nmap --script ssl-enum-ciphers -p 443 ssl.google-analytics.com

|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 256) - C
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (dh 256) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (dh 256) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (dh 256) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (dh 256) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (dh 256) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (dh 256) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 256) - A
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA (dh 256) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - A

So, the google analytics tracking still fails for requests like: https://ssl.google-analytics.com/collect?[....]

Has anyone come up with a solution or maybe found some kind of mistake in my approach?

Recommended answer

Actually the above configuration was slightly wrong, I found a working approach.

-- Short story start --

Basically, the above approach was mostly correct, but I came up to check the configuration again, when I had a look at the established network connection from Mac OS 10.10 and OS 10.11

openssl s_client -connect ssl.google-analytics.com:443 -status

Mac OS 10.10 made use of TLSv1.2, while Mac OS 10.11 for whatever reason used TLSv1.0

-- Short story end --

So, after rethinking the attributes, I removed the Certificate transparency NSRequiresCertificateTransparency, as the default is also set to be false and not true. The following configuration now works for me:

<key>NSAppTransportSecurity</key>
    <dict>
        <key>NSAllowsArbitraryLoads</key>
        <false/>
        <key>NSExceptionDomains</key>
        <dict>
            <key>ssl.google-analytics.com</key>
            <dict>
                <key>NSThirdPartyExceptionMinimumTLSVersion</key>
                <string>TLSv1.2</string>
                <key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
                <false/>
                <key>NSThirdPartyExceptionAllowsInsecureHTTPLoads</key>
                <true/>
            </dict>
        </dict>
    </dict>

Additional note: although Google makes use of this "experimental standard" (certificate transparency): https://en.wikipedia.org/wiki/Certificate_Transparency, it seems not to make use of it in Google Analytics :-)
