iOS9 GoogleAnalytics和NSAppTransportSecurity [英] iOS9 GoogleAnalytics and NSAppTransportSecurity
问题描述
由于苹果iOS9的新安全机会,我将遇到麻烦,以限制ssl请求到任何类型的服务器。 请参阅参考资料: https:/ /developer.apple.com/ library / content / documentation / General / Reference / InfoPlistKeyReference / Articles / $ b 实际上,我想使用默认值并且不允许任何形式的连接 当然,有些连接是有意的,我从自己的服务器以及第三方服务器获取数据。
NSAllowsArbitraryLoads:false
<密钥GT; NSAppTransportSecurity< /密钥GT;
< dict>
< key> NSAllowsArbitraryLoads< / key>
< false />
< / dict>
您现在可以嗅探由第三方工具生成的应用程序的流量,或者使用记录所有网络流量的方式:
< a href =https://stackoverflow.com/questions/31193579/how-can-i-figure-out-which-url-is-being-blocked-by-app-transport-security?answertab=votes#tab-如何找出App Transport Security阻止哪个网址?
很容易找出此日志中发生的所有错误(不难看到错误代码)。
通过这种方式,我很容易地看到由于负载限制(当然,优秀的软件工程师知道的),哪些连接正在建立并可能失败?)
尽管使用了Google Analytics(分析),但任何第三方跟踪器或自己的网络设置都可以正常运行。
起初,我下载了最后一个示例代码并查看了它们,当然,您不能指望一个库已经支持最新的测试版系统,不过,我试了一下。并且一旦NSAllowsArbitraryLoads被设置为false,它就会失败/ NO
即使第三方限制尽可能少,我也无法运行:
< key> NSAppTransportSecurity< / key>
< dict>
< key> NSAllowsArbitraryLoads< / key>
< false />
< key> NSExceptionDomains< / key>
< dict>
< key> ssl.google-analytics.com< / key>
< dict>
< key> NSRequiresCertificateTransparency< / key>
< true />
< key> NSThirdPartyExceptionMinimumTLSVersion< / key>
< string> TLSv1.2< / string>
< key> NSThirdPartyExceptionRequiresForwardSecrecy< / key>
< false />
< key> NSThirdPartyExceptionAllowsInsecureHTTPLoads< / key>
< true />
< / dict>
< / dict>
还尝试过google-analytics.com并包含子域名NSIncludesSubdomains:true。而且,当 https://google-analytics.com 中的简单网站调用浏览器重定向到 https://www.google.com/analytics/ 我也尝试允许google.com作为额外的异常域,这也失败了。
即使看过支持的ssl-ciphers,我认为它们在这里没有问题:
nmap --script ssl-enum-ciphers -p 443 ssl.google-analytics.com
| TLSv1.2:
|密码:
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA(dh 256) - C
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(dh 256) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(dh 256) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(dh 256) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(dh 256) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(dh 256) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(dh 256) - A
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256(dh 256) - A
| TLS_ECDHE_RSA_WITH_RC4_128_SHA(dh 256) - A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA(rsa 2048) - C
| TLS_RSA_WITH_AES_128_CBC_SHA(rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256(rsa 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256(rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA(rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256(rsa 2048) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384(rsa 2048) - A
| TLS_RSA_WITH_RC4_128_MD5(rsa 2048) - A
| TLS_RSA_WITH_RC4_128_SHA(rsa 2048) - A
因此,Google分析跟踪仍然会失败,例如:
https://ssl.google-analytics.com/collect?[ ....]
有没有人想出解决方案,或者在我的方法中发现某种错误?
实际上上面的配置有点不对,我找到了一种工作方法。
- 短篇小说开始 -
基本上,上述方法基本上是正确的,但是当我查看Mac OS建立的网络连接时,我再次检查配置10.10和OS 10.11
openssl s_client -connect ssl.google-analytics.com:443-status
Mac OS 10.10使用TLSv1.2,而Mac OS 10.11使用TLSv1.0
- 短故事结束 -
因此,在重新考虑属性之后,我删除了证书透明度 NSRequiresCertificateTransparency ,因为默认值是也被设定为假而不真实。以下配置现在适用于我:
< key> NSAppTransportSecurity< / key>
< dict>
< key> NSAllowsArbitraryLoads< / key>
< false />
< key> NSExceptionDomains< / key>
< dict>
< key> ssl.google-analytics.com< / key>
< dict>
< key> NSThirdPartyExceptionMinimumTLSVersion< / key>
< string> TLSv1.2< / string>
< key> NSThirdPartyExceptionRequiresForwardSecrecy< / key>
< false />
< key> NSThirdPartyExceptionAllowsInsecureHTTPLoads< / key>
< true />
< / dict>
< / dict>
< / dict>
补充说明:尽管google使用了这个实验标准(证书透明度): https://en.wikipedia.org/wiki/Certificate_Transparency
似乎无法使用它的谷歌分析: - )
I am running into trouble due to the new security opportunity from Apple's iOS9 to restrict ssl requests to any kind of servers.
Actually, I want to make use of the default and not allow any kind of connection NSAllowsArbitraryLoads: false
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<false/>
</dict>
Of course some connections are intended and I retrieve data from own servers as well as from third party servers.
Either you can now sniff the app's traffic, which is generated by third party tools, or you make use of logging all network traffic, referenced here: How can I figure out which URL is being blocked by App Transport Security?
It is easy to track down all occurring errors in this log (not too hard to look for an error code). In this way I was easily able to see what connections were being established and maybe failed, due to load limitations (of course, good software engineers know by heart ;) )
Any kind of third party tracker or the own network setup is running just fine, despite from Google Analytics. At first I downloaded the last Example codes and had a look at them, of course you cannot expect a library to already support most recent beta systems, nevertheless, I gave it a try. And it failed as soon as the NSAllowsArbitraryLoads is set to false/NO
Even with limiting as few as possible for the third party I was not able to make it run:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<false/>
<key>NSExceptionDomains</key>
<dict>
<key>ssl.google-analytics.com</key>
<dict>
<key>NSRequiresCertificateTransparency</key>
<true/>
<key>NSThirdPartyExceptionMinimumTLSVersion</key>
<string>TLSv1.2</string>
<key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
<false/>
<key>NSThirdPartyExceptionAllowsInsecureHTTPLoads</key>
<true/>
</dict>
</dict>
Also tried google-analytics.com and to include subdomains NSIncludesSubdomains:true. And, as the simple website call in browser of "https://google-analytics.com" redirects to "https://www.google.com/analytics/" I also tried to allow google.com as additional exception domain, which also fails.
Even had a look at the supported ssl-ciphers, I think they are no problem here:
nmap --script ssl-enum-ciphers -p 443 ssl.google-analytics.com
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 256) - C
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (dh 256) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (dh 256) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (dh 256) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (dh 256) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (dh 256) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (dh 256) - A
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 256) - A
| TLS_ECDHE_RSA_WITH_RC4_128_SHA (dh 256) - A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - A
| TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - A
So, the google analytics tracking still fails for requests like: https://ssl.google-analytics.com/collect?[....]
Has anyone come up with a solution or maybe found some kind of mistake in my approach?
Actually the above configuration was slightly wrong, I found a working approach.
-- Short story start --
Basically, the above approach was mostly correct, but I came up to check the configuration again, when I had a look at the established network connection from Mac OS 10.10 and OS 10.11
openssl s_client -connect ssl.google-analytics.com:443 -status
Mac OS 10.10 made use of TLSv1.2, while Mac OS 10.11 for whatever reason used TLSv1.0
-- Short story end --
So, after rethinking the attributes, I removed the Certificate transparency NSRequiresCertificateTransparency, as the default is also set to be false and not true. The following configuration now works for me:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<false/>
<key>NSExceptionDomains</key>
<dict>
<key>ssl.google-analytics.com</key>
<dict>
<key>NSThirdPartyExceptionMinimumTLSVersion</key>
<string>TLSv1.2</string>
<key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
<false/>
<key>NSThirdPartyExceptionAllowsInsecureHTTPLoads</key>
<true/>
</dict>
</dict>
</dict>
Additional note: although google makes use of this "experimental standard" (certificate transparency):https://en.wikipedia.org/wiki/Certificate_Transparency It seems to not make use of it in google analytics :-)
这篇关于iOS9 GoogleAnalytics和NSAppTransportSecurity的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
