Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Disable ATS entirely #6642

Merged
merged 2 commits into from
Aug 27, 2024
Merged

Disable ATS entirely #6642

merged 2 commits into from
Aug 27, 2024

Conversation

buggmagnet
Copy link
Contributor

@buggmagnet buggmagnet commented Aug 19, 2024
edited by faern
Loading

This PR disables ATS entirely from our application.
This requires justifying to apple why we do this, and we feel we have a good explanation in hand :

  • We do not trust DNS systems
  • We do SSL pinning so we cannot do insecure connections to our API (we already validate the TLS connection ourselves)

This change is Reviewable

@buggmagnet buggmagnet added the iOS Issues related to iOS label Aug 19, 2024
@buggmagnet buggmagnet self-assigned this Aug 19, 2024
@linear Linear
Copy link

linear bot commented Aug 19, 2024

IOS-730 Enable `NSALlowsArbitraryLoads` to disable ATS

rablador
rablador previously approved these changes Aug 20, 2024
View reviewed changes
Copy link
Contributor

@rablador rablador left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed 1 of 1 files at r1, all commit messages.
Reviewable status: :shipit: complete! all files reviewed, all discussions resolved

mojganii
mojganii requested changes Aug 20, 2024
View reviewed changes
Copy link
Collaborator

@mojganii mojganii left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed all commit messages.
Reviewable status: all files reviewed, 1 unresolved discussion (waiting on @buggmagnet)

ios/MullvadVPN/Supporting Files/Info.plist line 65 at r1 (raw file):

			</dict>
		</dict>
		<key>NSPinnedDomains</key>

we haven't set SSLPinningURLSessionDelegate for the url session of OutgoingConnectionProxy.if we are gonna removing pining here then we have to add SSLPinningURLSessionDelegate into OutgoingConnectionProxy.

Code snippet:

    outgoingConnectionProxy: OutgoingConnectionProxy(
                    urlSession: REST.makeURLSession(),
                    hostname: ApplicationConfiguration.hostName
                )

@buggmagnet buggmagnet force-pushed the enable-nsallowsarbitraryloads-to-disable-ats-ios-730 branch from 775dc5b to 6a5bdb9 Compare August 21, 2024 09:45
buggmagnet
buggmagnet commented Aug 21, 2024
View reviewed changes
Copy link
Contributor Author

@buggmagnet buggmagnet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewable status: 1 of 3 files reviewed, 1 unresolved discussion (waiting on @mojganii)

ios/MullvadVPN/Supporting Files/Info.plist line 65 at r1 (raw file):

Previously, mojganii wrote…

we haven't set SSLPinningURLSessionDelegate for the url session of OutgoingConnectionProxy.if we are gonna removing pining here then we have to add SSLPinningURLSessionDelegate into OutgoingConnectionProxy.

Good catch ! I've fixed SSLPinningURLSessionDelegate to work with conn-check too.

rablador
rablador approved these changes Aug 22, 2024
View reviewed changes
Copy link
Contributor

@rablador rablador left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed 2 of 2 files at r2, all commit messages.
Reviewable status: all files reviewed, 1 unresolved discussion (waiting on @mojganii)

@buggmagnet buggmagnet force-pushed the enable-nsallowsarbitraryloads-to-disable-ats-ios-730 branch from 9a5f72e to 29775fb Compare August 22, 2024 13:26
mojganii
mojganii approved these changes Aug 23, 2024
View reviewed changes
Copy link
Collaborator

@mojganii mojganii left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:lgtm:

Reviewable status: :shipit: complete! all files reviewed, all discussions resolved

rablador
rablador approved these changes Aug 26, 2024
View reviewed changes
Copy link
Contributor

@rablador rablador left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed all commit messages.
Reviewable status: :shipit: complete! all files reviewed, all discussions resolved

@buggmagnet buggmagnet force-pushed the enable-nsallowsarbitraryloads-to-disable-ats-ios-730 branch from 29775fb to 8ff7f7c Compare August 27, 2024 07:41
@buggmagnet buggmagnet merged commit 766f211 into main Aug 27, 2024
9 checks passed
@buggmagnet buggmagnet deleted the enable-nsallowsarbitraryloads-to-disable-ats-ios-730 branch August 27, 2024 07:50
@github-actions GitHub Actions
Copy link

🚨 End to end tests failed. Please check the failed workflow run.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mojganii mojganii mojganii approved these changes

@rablador rablador rablador approved these changes

Assignees

@buggmagnet buggmagnet

Labels
iOS Issues related to iOS
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@buggmagnet @rablador @mojganii