
Configuring App Transport Security Exceptions in iOS 9 and OSX 10.11


What is App Transport Security (ATS)?

At WWDC 2015, Apple announced “App Transport Security” for iOS 9 and OSX 10.11 El Capitan. The “What’s New in iOS” guide for iOS 9 explains:

App Transport Security (ATS) lets an app add a declaration to its Info.plist file that specifies the domains with which it needs secure communication. ATS prevents accidental disclosure, provides secure default behavior, and is easy to adopt. You should adopt ATS as soon as possible, regardless of whether you’re creating a new app or updating an existing one.

If you’re developing a new app, you should use HTTPS exclusively. If you have an existing app, you should use HTTPS as much as you can right now, and create a plan for migrating the rest of your app as soon as possible.

In simple terms, this means that if your application attempts to connect to a server (in this example, yourserver.com) over plain HTTP, or over HTTPS without TLSv1.2 (ATS also expects forward-secrecy cipher suites and a certificate chain signed with SHA-256), your connections will fail with an error like this:

CFNetwork SSLHandshake failed (-9801)
Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo=0x7fb080442170 {NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x7fb08043b380>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorCodeKey=-9802, NSUnderlyingError=0x7fb08055bc00 "The operation couldn’t be completed. (kCFErrorDomainCFNetwork error -1200.)", NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://yourserver.com, NSErrorFailingURLStringKey=https://yourserver.com, _kCFStreamErrorDomainKey=3}

Note that the failing URL in this error is already https://yourserver.com, so what you are looking at is a TLS handshake failure against an HTTPS server that doesn’t meet the ATS requirements, not a blocked plain-HTTP request. A plain http:// load that ATS refuses fails differently, with NSURLErrorDomain code -1022 (NSURLErrorAppTransportSecurityRequiresSecureConnection) and a message saying the App Transport Security policy requires a secure connection. The distinction matters, because the two failures call for different exception keys below: a TLS version exception for the first, an insecure-HTTP exception for the second.

WARNING: ATS is good for you and your users and you shouldn’t disable it!

The reason why Apple is pushing so aggressively to force secure connections is because it’s the right thing to do. Protecting personal data from being compromised over insecure wireless connections, among other things, is great for users. Just because these exceptions exist doesn’t mean you should actually use them.

If your application is connecting to third party APIs that you can’t control (such as in my case, where my application Routesy connects to public transit APIs that don’t yet support SSL) or serving as a means to load syndicated content (a browser or a news reader, for instance), these techniques might be useful to you.

The bottom line is, if you run your own API server, FIX YOUR SSL. Thanks to Dave DeLong for reminding me that I should clarify that disabling ATS is a bad idea.

That being said…

How to Bypass App Transport Security

Unfortunately, the pre-release documentation doesn’t currently include any references to these keys, so many developers who are testing their preexisting apps with the new betas have been receiving this error and aren’t sure what to do about it. By digging through the strings in the CFNetwork binary bundled with Xcode 7, I was able to find the keys necessary to configure your Info.plist.

Per-Domain Exceptions

To configure a per-domain exception so that your app can connect to a host over plain HTTP, or over HTTPS with a TLS version older than 1.2, add these keys to your Info.plist (and note that Xcode doesn’t currently auto-complete these keys as of the first Xcode 7 beta seed). Only include the keys you actually need: each one relaxes a separate check, and the narrowest exception that makes the connection work is the right one. On OS X 10.11 you can find out which requirement a host actually fails with nscurl --ats-diagnostics --verbose https://yourserver.com, which tries the exception combinations in turn and reports which ones succeed.

<key>NSAppTransportSecurity</key>
<dict>
  <key>NSExceptionDomains</key>
  <dict>
    <key>yourserver.com</key>
    <dict>
      <!--Include to allow subdomains-->
      <key>NSIncludesSubdomains</key>
      <true/>
      <!--Include to allow HTTP requests-->
      <!--(NSExceptionAllowsInsecureHTTPLoads in the released iOS 9 SDK)-->
      <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
      <true/>
      <!--Include to specify minimum TLS version: TLSv1.0, TLSv1.1 or TLSv1.2-->
      <!--(NSExceptionMinimumTLSVersion in the released iOS 9 SDK)-->
      <key>NSTemporaryExceptionMinimumTLSVersion</key>
      <string>TLSv1.1</string>
    </dict>
  </dict>
</dict>

There are other keys that you can use to configure App Transport Security as well, such as:

NSRequiresCertificateTransparency
NSTemporaryExceptionRequiresForwardSecrecy
NSTemporaryThirdPartyExceptionAllowsInsecureHTTPLoads
NSTemporaryThirdPartyExceptionMinimumTLSVersion
NSTemporaryThirdPartyExceptionRequiresForwardSecrecy

When the Apple documentation is updated, you should familiarize yourself with these other keys and how they’re used. Also note that the key names shown in the “Privacy and Your App” session at WWDC 2015 (NSExceptionAllowsInsecureHTTPLoads, for instance) don’t match the NSTemporaryException names found in the iOS 9 beta CFNetwork; the names listed above are what the betas accept. The released iOS 9 SDK documents the shorter session names (NSExceptionAllowsInsecureHTTPLoads, NSExceptionMinimumTLSVersion, NSExceptionRequiresForwardSecrecy and their NSThirdPartyException counterparts) and still honors the NSTemporary spellings, so either form works, but new projects should use the documented names.

But What If I Don’t Know All the Insecure Domains I Need to Use?

If your app (a third-party web browser, for instance) needs to load arbitrary content, Apple provides a way to disable ATS altogether, but you should use this capability sparingly. One detail worth knowing: any domain listed under NSExceptionDomains keeps the settings in its own dictionary (with ATS defaults for anything it doesn’t set) even when NSAllowsArbitraryLoads is true, so you can turn ATS off globally for untrusted third-party content while keeping it fully enforced for your own API host:

<key>NSAppTransportSecurity</key>
<dict>
  <!--Include to allow all connections (DANGER)-->
  <key>NSAllowsArbitraryLoads</key>
  <true/>
</dict>
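Because the per-domain dictionaries and the global NSAllowsArbitraryLoads switch interact (the domain entry wins, unset options fall back to ATS defaults, and NSIncludesSubdomains widens the scope), it is easy to ship a plist that is weaker than intended. The script below is an added example written for this post, not code from the original or from Apple: it loads an Info.plist, computes the policy ATS will apply to a given host, and lists every setting that is weaker than the ATS defaults. The plist it audits is constructed for the example (the post’s yourserver.com entry plus a hypothetical api.example.com entry); it accepts both the NSTemporaryException* spellings from the betas and the NSException* / NSThirdPartyException* names in the released SDK.

```python
"""Audit App Transport Security (ATS) exceptions in an Info.plist.

Added example for this post, not code from the original or from Apple.
Policy model: HTTPS only, TLS 1.2, forward secrecy required by default; a
matching NSExceptionDomains entry overrides NSAllowsArbitraryLoads, and any
option the entry does not set keeps the ATS default.
"""
import plistlib

# Constructed sample Info.plist (not a real app): the post's yourserver.com
# exception plus a hypothetical api.example.com entry that only drops the
# forward-secrecy requirement.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.demo</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>yourserver.com</key>
      <dict>
        <key>NSIncludesSubdomains</key><true/>
        <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSTemporaryExceptionMinimumTLSVersion</key><string>TLSv1.1</string>
      </dict>
      <key>api.example.com</key>
      <dict><key>NSExceptionRequiresForwardSecrecy</key><false/></dict>
    </dict>
  </dict>
</dict>
</plist>
"""

ATS_DEFAULT = {"allows_http": False, "min_tls": "TLSv1.2", "forward_secrecy": True}
TLS_ORDER = {"TLSv1.0": 0, "TLSv1.1": 1, "TLSv1.2": 2}

# Beta-era (NSTemporary...) and released (NSException... / NSThirdPartyException...)
# spellings of the same per-domain options.
KEY_ALIASES = {
    option: tuple(prefix + suffix for prefix in (
        "NSException", "NSTemporaryException",
        "NSThirdPartyException", "NSTemporaryThirdPartyException"))
    for option, suffix in (("allows_http", "AllowsInsecureHTTPLoads"),
                           ("min_tls", "MinimumTLSVersion"),
                           ("forward_secrecy", "RequiresForwardSecrecy"))
}


def load_ats(plist_bytes):
    """Return the NSAppTransportSecurity dictionary ({} if the app has none)."""
    return plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})


def matching_domain(exceptions, host):
    """Exception entry governing host: an exact match, else the longest parent
    domain whose entry sets NSIncludesSubdomains. None means no entry applies."""
    host = host.lower()
    if host in exceptions:
        return host
    parents = [d for d, cfg in exceptions.items()
               if host.endswith("." + d.lower()) and cfg.get("NSIncludesSubdomains")]
    return max(parents, key=len) if parents else None


def effective_policy(ats, host):
    """Policy ATS applies to host, with the entry that produced it as 'source'."""
    exceptions = ats.get("NSExceptionDomains", {})
    domain = matching_domain(exceptions, host)
    if domain is None:
        if ats.get("NSAllowsArbitraryLoads"):
            return {"allows_http": True, "min_tls": None,
                    "forward_secrecy": False, "source": "NSAllowsArbitraryLoads"}
        return dict(ATS_DEFAULT, source="default")
    policy = dict(ATS_DEFAULT, source=domain)
    for option, keys in KEY_ALIASES.items():
        for key in keys:
            if key in exceptions[domain]:
                policy[option] = exceptions[domain][key]
                break
    return policy


def audit(plist_bytes):
    """List (scope, finding) pairs for every setting weaker than ATS defaults."""
    ats = load_ats(plist_bytes)
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append(("*", "NSAllowsArbitraryLoads disables ATS for every host "
                              "without an NSExceptionDomains entry"))
    for domain, cfg in ats.get("NSExceptionDomains", {}).items():
        scope = domain + (" (+subdomains)" if cfg.get("NSIncludesSubdomains") else "")
        policy = effective_policy(ats, domain)
        if policy["allows_http"]:
            findings.append((scope, "plaintext HTTP allowed"))
        if TLS_ORDER.get(policy["min_tls"], 0) < TLS_ORDER["TLSv1.2"]:
            findings.append((scope, "minimum TLS lowered to %s" % policy["min_tls"]))
        if not policy["forward_secrecy"]:
            findings.append((scope, "forward secrecy not required"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_PLIST):
        print("%-30s %s" % (scope, finding))
```

Run it against a real app by replacing SAMPLE_PLIST with the bytes of the built Info.plist (the copy inside the .app bundle, after Xcode has merged build settings, is the one that ships). Querying effective_policy for a subdomain or for a host that has no entry is the quickest way to see whether an NSIncludesSubdomains flag or a global NSAllowsArbitraryLoads reaches further than you meant.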

What It’s Really Like to Work at Rap Genius

If there’s one thing Rap Genius has no shortage of, it’s attention. Whether they caught your eye because of their highly publicized smack down from Google, their incredibly popular technical takedown of Heroku, or just the insinuation that the co-founders might be insane, there’s a good chance you have an opinion of what kind of company Rap Genius is. There’s a good chance you’re probably wrong.

I went to work at Rap Genius from September until December 2013 as a full-time contractor, in the office every day, working on building the first version of the site’s iOS app. I thought it might be useful to reflect on my experiences during the time I worked there, and to share what it was like for me.

First Contact

On August 6, 2013, on the heels of being laid off from my previous job, I received an email from Rap Genius co-founder and CTO Tom Lehman that immediately got my attention:

Hiiiii Steven! First: DON’T BE BLINDED – I am not a weirdo recruiter!!! I’m the co-founder/CTO of Rap Genius and I’m on the hunt for bomb engineers to join our team. I came across Routesy looking for the “Better Metro North of San Francisco” and it looks tight! I know this is probably a shot in the dark, but I’ve gotta at least TRY convincing you to join the Rap Genius rocket ship/yacht party.

Tom’s email went on to explain the story behind Rap Genius, its traction, funding, and why I should be interested in working with the team. I was surprised to learn that Tom had built a public transit web app for New York’s Metro North system, and that was of particular interest to me because of my iPhone app, Routesy. Like many iOS engineers, I get tons of recruiting emails, but this message from Tom felt really personal to me, so I agreed to meet him for coffee to hear more, after which we scheduled a proper technical interview.

The Interview

The interview started with a technical presentation, where the team asked me to show them something that I had worked on that I thought was interesting, and to walk them through it. Rather than digging through my old code to find something, I decided to throw together a quick hacked version of what a Rap Genius iPhone app might look like, complete with terrible barely functional content pages and an “API”, which really was nothing more than a crude site scraper.

We spent the rest of the afternoon going through coding exercises together, where I solved a few problems using my laptop projected onto the TV screen, iterating on my solutions to improve and make them more efficient and talking through my thought processes so the team could get a better idea of how I think and work. The process was intense, and I was certainly a little tired at the end of the interview, but it was definitely one of the more fun and stimulating technical interviews I’ve participated in.

When it was all over, they made me a generous employment offer, which I turned down after spending a few weeks thinking about it. I had just been laid off from my last job and was itching to work on my own projects, so I wasn’t quite ready to accept another full-time gig. However, when the Rap Genius guys countered with a freelancing agreement that would involve me coming to spend 3 months working with them to build their first-ever mobile app from scratch, I couldn’t resist. Sadly, my offer came before the introduction of the Rap Genius Genius Grant, so I didn’t get $1,000 and a trophy.

Working at Rap Genius

I’ll be honest: even after having a great experience interviewing with the team, I was a bit nervous. As a gay man, I generally don’t fit in well with “brogrammers”, and I really didn’t know what to expect. What I discovered was that Rap Genius has a large team of men and women from all over the world who are passionate about all kinds of things. Many of them are rap fans, but the team is also comprised of artists, academics, writers, singers, and math geeks who are all equally interested in the greater vision behind what Rap Genius aspires to be: an annotated guide to all human knowledge.

I would start my typical day taking the train from Manhattan into Brooklyn (Williamsburg to be specific) and walking to the Rap Genius offices located in multiple apartments on the penthouse floor of a large residential building on the waterfront. Joining me on my commute each morning was my chihuahua, Miss Cleo. Working with a team of dog lovers made it easy for me to bring my dog to the office instead of having to leave her locked up at home during the day, which was a big relief.

Everyone at Rap Genius has unlimited access to the team’s corporate Seamless account, so each day we would order lunch and eat together and go over what everyone was working on, effectively combining the concept of a “standup meeting” with a team lunch. Spending time together is definitely a core part of the company culture, and I always felt like everyone was interested in each other’s lives and got along not just professionally, but also personally, which was a great feeling. Considering the amount of time startup employees spend together, knowing and liking your coworkers definitely helps.

Intense code review is also a big part of the team culture. The engineering team uses GitHub pull requests to submit changes for review and nothing is merged and deployed until an appropriate amount of time has been spent reviewing and discussing changes. Review is treated as a solemn responsibility rather than a burden, and everyone helps. This process applies to both the website and the iOS app. Nobody works in a vacuum, and that helps keep things running smoothly.

Another particularly great thing about working at Rap Genius is the biweekly one-on-one meetings with Tom. He takes two full days to sit down for an entire hour with each member of the team to go over how things are going, and to find out if there’s anything he can do to help. In my experience, the most successful teams are those that are run by managers who are always asking how they can help enable their team members to succeed, and Rap Genius has done a great job of making this part of their culture.

The Founders’ “Antics”

Okay, so let’s get to what you really wanted to know about. Are the founders crazy? Is Rap Genius the real world equivalent of “Entertainment 720”? Do the founders really smoke weed during job interviews?

Although it’s a ludicrous point to even have to refute, there is no weed smoked during any job interviews. I sat through and participated in many interviews after my own, and I can say with certainty that there was no marijuana. Perhaps if there was, it might make the intense interview process at least a little bit more relaxing, although I’m not sure anyone would ever perform well enough to receive a job offer.

Comparing Rap Genius to “Entertainment 720” from Parks & Recreation seems to be a favorite thing for people to do, mostly because Tom has crazy Jean-Ralphio hair. To assume that Rap Genius has anything in common with a fictional company that has no real purpose is laughable, and also requires you to believe that Marc Andreessen likes throwing millions of dollars away. He does a better job himself of explaining why the Rap Genius mission is worth a $15 million Series A investment than I ever could.

Come on, Steven, you might say. Some crazy shit must have gone down. 

Okay, I’ll bite.

When I traveled to California with the founders to go demonstrate the Rap Genius iPhone app to some people at Apple, our meeting was scheduled in one of the boring annex buildings in Cupertino far away from Apple’s famous One Infinite Loop headquarters. We were definitely disappointed that we didn’t get to visit the mothership for our meeting, so we decided to head over to the Apple Company Store to check it out after we were done presenting.

Someone had the crazy idea that we should try to go wander into the Apple campus to check things out even though we didn’t have another meeting scheduled. I nervously followed close behind as the three founders tried to casually saunter right through the doors of Apple HQ, where we were promptly turned away by an unfriendly security guard, and I was verbally lambasted for trying to take a picture of the iPad Air promotional banner in the atrium.

And that’s about it. It might not make for an interesting tell-all movie, but my time at Rap Genius was overwhelmingly positive. Even knowing that I was only a contractor who would be around for a limited amount of time, the team still made me feel like a member of the family, and I still feel like there’s an open door for me there.

I’ll admit that the founders, whom I love and respect very much, are not always perfect at presenting themselves in a positive light in the media. Just know that the “sunglasses and swagger” image you’ve seen doesn’t tell the entire story. When another crazy story shows up on Hacker News about some eccentric email one of the founders sent, I roll my eyes just like everyone else. But then I remember how much I enjoyed working with them, and that makes it easier for me to forgive the stuff that might not always serve them well. I think that part of building and growing a company is learning how to present a public persona that reads well, and while they may not be there yet, I have faith that they’ll figure it out.

Rap Genius is an awesome company with a ton of heart, full of seriously passionate people building something they believe will change the world. I just feel lucky to have been given the opportunity to play a small role in that mission. The immense popularity and positive reception of the Genius app will always be one of the proudest moments of my career.