How to enable Certificate Transparency checks for all domains in iOS ATS config?


By default, iOS does not enforce Certificate Transparency for HTTPS connections.

Since iOS 10, Apple introduced a new ATS config key, NSRequiresCertificateTransparency. By default this is NO, and if a developer wants to enable CT checks, he can turn it to YES. However, this key is present at the "NSExceptionDomains" level and applies to only specific domains listed as exception domains.

Is there a way I can make the OS enforce CT checks for ALL domains, without listing each one manually as exception domains (and thus forgetting some of them)?



This is not something that can be done right now. Given Apple's history with these keys, I think currently this setting is set by default to NO for all domains because many domains currently don't support it.

My guess (purely speculation on my part at this point) is that as server side support grows, Apple may add support for this for all URLs, with the exception then changing to only be for URLs that don't support certificate transparency.

At this point, it's primarily meant to validate that your core servers' certs aren't compromised. I would just add your known servers that support it and include them in the NSExceptionDomains list. However, I have seen that some people have had problems on iOS 9 devices with NSExceptionDomains entries that only contain certificate transparency (which wasn't recognized on iOS 9). Make sure, if you support iOS 9, that you test after making these changes.
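Since the question's concern is forgetting a domain, here is an added audit script (not from the question or either answer) that parses an Info.plist and reports which of the hosts an app is known to contact are actually covered by an NSExceptionDomains entry with NSRequiresCertificateTransparency set to YES. The plist fragment and the hostnames are constructed samples; the precedence rule (an exact host entry wins over a parent entry with NSIncludesSubdomains) is the script's assumption.

```python
import plistlib

# Constructed sample Info.plist fragment: only api.example.com opts into CT.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>api.example.com</key>
      <dict>
        <key>NSIncludesSubdomains</key>
        <true/>
        <key>NSRequiresCertificateTransparency</key>
        <true/>
      </dict>
      <key>cdn.example.com</key>
      <dict>
        <key>NSIncludesSubdomains</key>
        <false/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""


def ct_audit(plist_bytes, expected_hosts):
    """Return (hosts_with_ct, hosts_missing_ct) for the given Info.plist bytes.

    expected_hosts: hostnames the app is known to contact (your own inventory).
    Assumption: an exact host entry wins; otherwise the nearest parent entry
    with NSIncludesSubdomains = YES applies; CT is off unless the entry says YES.
    """
    info = plistlib.loads(plist_bytes)
    exceptions = info.get("NSAppTransportSecurity", {}).get("NSExceptionDomains", {})

    def covered(host):
        entry = exceptions.get(host)
        if entry is not None:
            return bool(entry.get("NSRequiresCertificateTransparency", False))
        labels = host.split(".")
        for i in range(1, len(labels) - 1):  # walk up through parent domains
            parent = exceptions.get(".".join(labels[i:]))
            if parent is not None and parent.get("NSIncludesSubdomains", False):
                return bool(parent.get("NSRequiresCertificateTransparency", False))
        return False  # no matching entry: ATS default, CT not required

    with_ct = sorted(h for h in expected_hosts if covered(h))
    missing = sorted(h for h in expected_hosts if not covered(h))
    return with_ct, missing
```

Run it against the real Info.plist bytes and the host list from your network layer; any host in the second list is one you would otherwise have forgotten.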


Per the documentation provided by Apple here, Certificate Transparency is enforced by default since iOS 12.1.1 for all network connections, so no special implementation is needed on iOS for Certificate Transparency.