我刚刚观看了关于安全和隐私的WWDC 2015会议,并整理了一些关于iOS 9引入的变化的笔记,我认为这些变化很有趣。 应用程序传输安全性
这是一个重要的变化:默认情况下,在iOS 9上,应用程序将不再允许启动纯文本HTTP连接,并且必须使用具有最强TLS配置(TLS 1.2和PFS密码套件)的HTTPS:
通过向应用程序的Info.plist添加一些配置密钥,可以取消这些限制并仍然通过纯文本HTTP检索数据。此外,应用程序传输安全似乎仅适用于使用NSURLSession发起的连接。虽然NSURLConnection正在被弃用(迫使每个人都切换到NSURLSession进行HTTP请求),但我想知道通过其他网络API(如NSStream)启动的纯文本连接是否也会失败。
总体而言,这是一个非常好的变化,这甚至可能是将强制要求HTTPS作为App Store政策的第一步。
阻止已安装应用程序的检测
苹果已经关闭了三个隐私漏洞,这些漏洞允许应用程序检测设备上安装的其他应用程序。
The first technique was to use the sysctl() function to retrieve the process table (a remnant of OS X), which includes the list of running Apps. In iOS 9, sysctl() was modified to no longer allow sandboxed Apps to retrieve information about other running processes.
The second technique relied on the UIApplication canOpenUrl method to try known URI schemes implemented by specific Apps, in order to detect if these Apps were installed on the device. This was made famous by Twitter, which used a list of 2500 URI schemes to detect which Apps were installed on the device. In iOS 9, Apps have to explicitly declare which schemes they would like to use in their Info.plist file. For Apps targeting iOS 8 but running on an iOS 9 device, there is also a hard limit of 50 URI schemes that can be checked at most.
There was a third technique which relied on the icon cache being accessible to sandboxed Apps. Although it wasn’t even mentionned in the WWDC video, this privacy leak has also been addressed in iOS 9.
总体来说,关闭这些隐私漏洞对于用户是一个很好的举措,因为一些应用和分析/广告SDK滥用了这些API。