NSAppTransport in iOS 9

Loading...

來自 University of California, Irvine 的課程

Networking and Security in iOS Applications

233 個評分

University of California, Irvine

Networking and Security in iOS Applications

233 個評分

課程 2（共 6 門，Specialization iOS Development for Creative Entrepreneurs）

You will learn to extend your knowledge of making iOS apps so that they can securely interact with web services and receive push notifications. You'll learn how to store data securely on a device using Core Data. You’ll also learn to securely deploy apps to the App Store and beta users over-the-air. The format of the course is through a series of code tutorials. We will walk you through the creation of several apps that you can keep as a personal app toolbox. When you make your own apps after this course, you can bring in these capabilities as needed. When necessary we pop out of the code tutorials to talk about concepts at a higher level so that what you are programming makes sense. Upon completing this course, you will be able to: 1. Post Facebook, Twitter, Sina Weibo, Tencent Weibo messages to social media using single sign-on on behalf of a user. 2. Use OAuth 2.0 to securely authenticate to Instagram and retrieve photos on behalf of a user 3. JSON 4. Describe JSON’s syntax 5. Write well-formed JSON 6. Work with JSON data objects in Objective-C 7. Appropriately set the security settings for App Transport Security in iOS 9.0 8. Use http, https and https with perfect forward secrecy to fetch web resources 9. Obtain permissions to receive local push notifications 11. Write an app that can send and receive local push notifications 12. Obtain permissions to receive remote push notifications 13. Write an app that can receive remote push notifications 14. Authenticate using Apple’s cryptographic services such that the developer can use 3rd party infrastructure to send remote push notifications to their app. 15. Securely store data on the user’s device. 16. Authenticate using Apple’s cryptographic services such that they can deploy an app to the app store

從本節課中

Using Secure Web APIs: an Instagram Case Study

Now it's time to consider what we are going to do if we want to work with web services that aren't deeply integrated into iOS. There are hundreds (thousands?!?!) of them. Most of them require authentication via the OAuth 2.0 protocol. In this week's lessons we will walk through an example of getting a photo from Instagram on behalf of a user. This week is also a code tutorial in preparation for your peer review assignment, but in the middle we need to step back from coding to cover some basics: How do we use a UIImageView? What is OAuth 2.0 anyway? What is JSON and how do we read it? What's the big deal about http vs https anyway?

NSAppTransport in iOS 910:26

Network Security Considerations22:16

Getting data with NSURLSession10:26

Calling and Parsing API JSON data7:38

與講師見面

Don Patterson
Associate Professor
Informatics and Computer Science
Sam Kaufman
Partner at Gradient

[MUSIC]

When we got that callback from Instagram, we saw that there was kind of an error and

the error had to do with the fact that we hadn't allowed our

application to request information from insecure web services.

And this is a change that has taken place in iOS 9 that we first saw in course one.

The basic change at a high level is that Apple's trying to secure and

enforce a high level of security on the internet.

And the way their doing that is by turning off insecure access to the internet

by default, so it's not possible by default to access web services.

For example, those that are using HTTP unencrypted scheme on the internet and

even if you use the encrypted scheme,

HTTPS, it has to be a very high-level of security, one that implements

forward secrecy in order to make that connection without any changes.

Now, not all web services are secure, but

this is the default behavior as of iOS 9 and OSX 10.11.

The details are available in this URL.

If you want to see all the details of which ciphers and

which protocols are supported, that's available on the developer website.

In the mean time though, we have to figure out how are we gonna transition,

because not all web services are strong enough.

How strong does it need to be?

Well, the server has to support the web server, so Instagram, in our case,

has to support at least Transport Layer Security protocol 1.2.

Connection ciphers have to provide forward secrecy.

Certificates that identify the domain names have to be

signed using a SHA256 or greater hash algorithm.

And invalid certificates prevent any kind of access at all.

What if the web service isn't secure?

One option you have is not to use it, because it's not secure and as a result

the information that is transferred across the Internet tops the part that's not

secure but travels between your client and the server that transition is not secured.

So you might not wanna use it.

Another option is to load an exception.

This is something hat you do on your device and you say okay, I recognize

all services are strong as I like them to be, I'm going to allow an exception.

You can either allow a blanket exception so

that you can access anything this is what we did in course one or

you can allow a modified exception to only be able to access a certain

subset of URLs that don't exhibit perfect forward secrecy.

So here's a table from that tech note.

And if we wanted to enable our app to access everything on the Internet

regardless of transport security, we would change Info.plist to

have an NSAppTransportSecurity dictionary with one element in it,

which is NSAllowsArbitraryLoads with the value of YES.

That's what we did in the first course.

In this example, what we're gonna do is we're gonna make specific exceptions for

Instagram's websites.

So in this case we're going to have ns app transport security dictionary

added to our info p list and we're going to add ns exception domains.

We're going to use cdn Instagram.com.

CDN stands for contribution distribution network it's caching for their data.

And we're also gonna use api.instagram.com

to enable our app to make certain kinds of calls to those two domains.

For each of those entries, we're going to make an exception to needing to reuse

forward secrecy because those domains use HTTPS, but they use servers

that aren't strong enough, and then we're going to allow subdomains,

meaning that any file path after cdninstagram.com will also be exempted.

All right, so that's what's going on,

Apple is now secure by default, web services may not be and

if you want to use them you're gonna need to add an exception info.plist.

All right, let's try and do that.

All right, so what we're gonna need to do is we're gonna need to access info p

list and we know we're gonna need to add a new row and that row is gonna be.

Nope sorry, we're not gonna add it to that key you gotta be careful.

That was only head before remove that all right, add a new row to our parent and

it's going to be NSA App Transport Security,

okay and that's going to be a dictionary.

All right, and now I'm gonna go back and

look at my notes because last time I got the exact spelling not correct and

that caused me some problems so let's go back and look at our notes.

Okay, we're looking at NSExceptionDomains, that's the next thing that we want, okay?

So let's add NS exception domains

this is also gonna be a dictionary,

then we're going to add cdninstagram.com.

That's going to be a dictionary.

And we're gonna add another one.

And that's gonna be api.instagram.com.

And that's going to be a dictionary.

And we're going to say we want NS allow subdomains.

Now that's gonna be a boolean.

We're gonna make it yes.

And we're going to allow.

NS allow subdomains.

That didn't get entered as an element.

That got entered as another key.

Move that, and CDN Instagram.com.

Great.

So, that's gonna be a dictionary.

That's gonna be a dictionary.

We're gonna add NS allow sub domains.

That's gonna be boolean.

NS allow sub domains.

And that's going to be, oops, what'd I do wrong again?

I didn't add it, it's tricky that you have

to be careful to open it.

Okay, so now let's make sure that we have

the right key value pairs that are in here.

Started doing in and x code crashed so we're just gonna pick up from there.

All right so we know that ns ab transport security I'm looking from

here to here that's right it's a dictionary.

The first thing we enter in is, NS exception domains, that's right.

This is not nested and this is not nested.

We want a nested element such as cdninstagram.com and

that's going to be a dictionary.

And we want another domain to be, have an exception,

that's gonna be API.instagram.com.

We know that's gonna be a dictionary as well.

Okay, we're gonna open that accordion.

And then within api.instagram.com

we want NSException

requires forward Secrecy.

And make that a boolean and no.

Gonna open this accordion and add the same property to this domain.

Boolean and no, great.

Now we're gonna add another property to api.instagram,

which is NSIncludes sub domains, and that's gonna be Boolean, yes.

Add another element here, and

that's going to be Boolean, and yes.

All right, so now if we've spelled everything right,

NS includes sub domains, there's an s on there, that matters.

[SOUND] There's an "s" on there, that matters.

NS includes sub domains, yes.

NS exception requires forward.

Secrecy, no.

Ns exception domains.

Ns app transport security, all right.

Okay, so now, when we run it, you wait for simulator.

When your simulator comes up, we should be able to

successfully access Instagram without having anything crash.

Okay, we're going to Instagram to authenticate, so far so good.

We received a callback,

stream has been reopened after close I think everything's good.

I added some code in here.

One Instagram account is logged in, everything's great.

All right so we've successfully registered our callback we've successfully

gotten rid of our NS app transport main restrictions.

Now it's time to get the data from our callback and

actually load in image from our Instagram feed, all right, that's next.

[MUSIC]

探索我們的目錄

免費加入並獲得個性化推薦、更新和優惠。

Coursera 致力於普及全世界最好的教育，它與全球一流大學和機構合作提供在線課程。

© 2019 Coursera Inc. 保留所有權利。

通過 App Store 下載

通過 Google Play 獲取