App Transport Security
The iOS 9 SDK introduces App Transport Security (ATS), which enforces HTTPS by default and blocks plain HTTP. If you compile your app against the iOS 9 SDK, any attempt to make an http:// request fails with the following error:
App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app’s Info.plist file.
In theory this is great for security, but in practice it is not simple to enumerate every HTTP request an app makes, especially when it pulls in a number of third-party libraries. Contact the vendors of your third-party libraries and ask which hosts they call over HTTP and whether their HTTPS endpoints meet the ATS requirements.
You can add per-domain exceptions in your Info.plist. The keys below are all optional and are explained in Apple's Information Property List Key Reference. Note that the values shown here are the ATS defaults, so this entry does not relax anything yet: to allow cleartext http:// loads to testdomain.com you would set NSExceptionAllowsInsecureHTTPLoads to <true/>, and set NSIncludesSubdomains to <true/> if the exception should also cover its subdomains.
<key>NSAppTransportSecurity</key>
<dict>
  <key>NSExceptionDomains</key>
  <dict>
    <key>testdomain.com</key>
    <dict>
      <key>NSIncludesSubdomains</key>
      <false/>
      <key>NSExceptionAllowsInsecureHTTPLoads</key>
      <false/>
      <key>NSExceptionRequiresForwardSecrecy</key>
      <true/>
      <key>NSExceptionMinimumTLSVersion</key>
      <string>TLSv1.2</string>
      <key>NSThirdPartyExceptionAllowsInsecureHTTPLoads</key>
      <false/>
      <key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
      <true/>
      <key>NSThirdPartyExceptionMinimumTLSVersion</key>
      <string>TLSv1.2</string>
    </dict>
  </dict>
</dict>
If you are working against a local or test server that has no HTTPS certificate, you can allow all HTTP requests with NSAllowsArbitraryLoads.
BUT!!! Setting NSAllowsArbitraryLoads to true makes everything work, but Apple has been very clear that it intends to reject apps that use this flag without a specific justification. Keep it out of release builds (a separate Info.plist or build configuration for debug is the usual approach), and note that any domain you still list under NSExceptionDomains keeps ATS enforcement even when this flag is set.
<key>NSAppTransportSecurity</key>
<dict>
  <key>NSAllowsArbitraryLoads</key>
  <true/>
</dict>
Even after defining your exception domains in Info.plist you may still run into connection problems and need to diagnose the network layer. Set the CFNETWORK_DIAGNOSTICS environment variable to 3 in your scheme (Edit Scheme > Run > Arguments > Environment Variables) and the CFNetwork logs will appear in the Xcode console or the device console.
Check your server's TLS version and SSL configuration
App Transport Security is not only about using HTTPS. Your server must meet all of Apple's requirements for a secure connection: TLS 1.2, cipher suites that provide forward secrecy, and a certificate signed with SHA-256 or better using an RSA key of at least 2048 bits or an ECC key of at least 256 bits. The quickest way to check TLS version and cipher compatibility is nscurl, which ships with OS X El Capitan and later (add --verbose to see which ATS configuration each probe used and why it failed). In Terminal:
$ nscurl --ats-diagnostics https://www.myservername.com
Check your canOpenURL and openURL calls (opening URL schemes)
If you call canOpenURL: with a scheme that is not declared in your LSApplicationQueriesSchemes list, it returns NO even if an app that handles that scheme is installed, and a “This app is not allowed to query for scheme xxx” entry appears in the syslog. Apple also caps the list at 50 distinct schemes; canOpenURL: returns NO for any scheme beyond that limit.
openURL: is not gated by this list. It still opens any scheme that an installed app has registered and returns NO only when nothing handles it, so the list only restricts your ability to check in advance whether a handler exists.
You should declare these schemes in Info.plist as follows.
<key>LSApplicationQueriesSchemes</key>
<array>
  <string>urlscheme</string>
  <string>urlscheme2</string>
  <string>urlscheme3</string>
  <!-- .... -->
</array>
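Before shipping, it is worth auditing the Info.plist for the settings covered above (the NSAppTransportSecurity exceptions and NSAllowsArbitraryLoads, plus the LSApplicationQueriesSchemes array) rather than eyeballing it. The script below is an added example written for this post, not code from the post or from Apple. It uses Python's standard plistlib to parse two constructed Info.plist fragments (a weak debug configuration and its hardened counterpart, both invented here; testdomain.com and api.example.com are placeholders) and reports each ATS weakening, duplicate scheme entries, and lists over Apple's 50-scheme cap:

```python
import plistlib
from typing import List

# iOS 9 honors at most 50 distinct schemes in LSApplicationQueriesSchemes.
CANOPENURL_SCHEME_LIMIT = 50
DOWNGRADED_TLS_VERSIONS = ("TLSv1.0", "TLSv1.1")  # below the ATS default of TLS 1.2

# Constructed sample Info.plist (not from the post): a debug build that turned on the
# NSAllowsArbitraryLoads escape hatch, weakened two domains and duplicated a scheme.
WEAK_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>testdomain.com</key>
      <dict>
        <key>NSIncludesSubdomains</key>
        <true/>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
        <key>NSExceptionMinimumTLSVersion</key>
        <string>TLSv1.0</string>
      </dict>
      <key>api.example.com</key>
      <dict>
        <key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
        <false/>
      </dict>
    </dict>
  </dict>
  <key>LSApplicationQueriesSchemes</key>
  <array>
    <string>urlscheme</string>
    <string>urlscheme2</string>
    <string>urlscheme</string>
  </array>
</dict>
</plist>
"""

# Hardened counterpart (also constructed): no escape hatch, the remaining exception
# only widens scope to subdomains while keeping ATS defaults, and no duplicate schemes.
HARDENED_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>testdomain.com</key>
      <dict>
        <key>NSIncludesSubdomains</key>
        <true/>
      </dict>
    </dict>
  </dict>
  <key>LSApplicationQueriesSchemes</key>
  <array>
    <string>urlscheme</string>
    <string>urlscheme2</string>
  </array>
</dict>
</plist>
"""


def audit_info_plist(data: bytes) -> List[str]:
    """Return one finding per ATS or URL-scheme weakness; an empty list means clean."""
    info = plistlib.loads(data)
    findings: List[str] = []

    ats = info.get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads is true: ATS is disabled for every "
                        "domain not listed under NSExceptionDomains")

    for domain, opts in ats.get("NSExceptionDomains", {}).items():
        scope = f"{domain} and subdomains" if opts.get("NSIncludesSubdomains") else domain
        # Every knob exists twice: NSException* for domains you control and
        # NSThirdPartyException* for domains you do not; both weaken the same thing.
        for prefix in ("NSException", "NSThirdPartyException"):
            if opts.get(f"{prefix}AllowsInsecureHTTPLoads"):
                findings.append(f"{scope}: cleartext HTTP allowed ({prefix}AllowsInsecureHTTPLoads)")
            fs_key = f"{prefix}RequiresForwardSecrecy"
            if fs_key in opts and not opts[fs_key]:
                findings.append(f"{scope}: forward secrecy not required ({fs_key})")
            tls = opts.get(f"{prefix}MinimumTLSVersion")
            if tls in DOWNGRADED_TLS_VERSIONS:
                findings.append(f"{scope}: minimum TLS lowered to {tls} ({prefix}MinimumTLSVersion)")

    schemes = info.get("LSApplicationQueriesSchemes", [])
    distinct = set(schemes)
    if len(distinct) != len(schemes):
        findings.append("LSApplicationQueriesSchemes has duplicate entries")
    if len(distinct) > CANOPENURL_SCHEME_LIMIT:
        findings.append(f"LSApplicationQueriesSchemes declares {len(distinct)} schemes; "
                        f"iOS honors at most {CANOPENURL_SCHEME_LIMIT} distinct schemes")
    return findings


if __name__ == "__main__":
    for label, plist in (("weak", WEAK_INFO_PLIST), ("hardened", HARDENED_INFO_PLIST)):
        results = audit_info_plist(plist)
        print(f"[{label}] {len(results)} finding(s)")
        for finding in results:
            print("  -", finding)
```

To run it against a real project, replace the embedded bytes with the contents of your built app's Info.plist (the one inside the .app bundle, so that build-setting substitutions have already been applied); plistlib reads binary plists as well as XML. Treating any non-empty result as a release-blocking check keeps a debug-only NSAllowsArbitraryLoads from slipping into an App Store build.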
Happy compiles! 🙂