App Transport Security & Opening URL Schemes – iOS9 Compatibility

App Transport Security

The iOS 9 SDK introduces App Transport Security (ATS), which pushes apps toward HTTPS instead of HTTP. If you link your app against the iOS 9 SDK and it makes a plain http:// request through NSURLSession, NSURLConnection or anything built on them, the request fails at runtime and the following message appears in the console:

App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app’s Info.plist file.

In theory this is great for security, but it is not easy to inventory every HTTP request an app makes, especially when it bundles a number of 3rd party libraries. Contact the vendors of your 3rd party libraries and ask which hosts they talk to over plain HTTP, and whether their HTTPS endpoints meet Apple’s TLS requirements.

You can add exceptions for particular domains in your Info.plist. Each entry under NSExceptionDomains is a bare host name (no scheme, no port).

(The keys inside an entry are optional. The values shown below are the ATS defaults, so this entry as written changes nothing; flip only the key you actually need, for example NSExceptionAllowsInsecureHTTPLoads to true for a host that only speaks HTTP. You can find explanations of all keys in Apple’s Info.plist reference.)

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <!-- bare host name: no scheme, no port -->
        <key>testdomain.com</key>
        <dict>
            <!-- false (default): the entry covers testdomain.com only -->
            <key>NSIncludesSubdomains</key>
            <false/>
            <!-- true permits plain http:// to this host -->
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <false/>
            <!-- false waives the ECDHE (forward secrecy) requirement -->
            <key>NSExceptionRequiresForwardSecrecy</key>
            <true/>
            <!-- TLSv1.0, TLSv1.1 or TLSv1.2 (default) -->
            <key>NSExceptionMinimumTLSVersion</key>
            <string>TLSv1.2</string>
            <!-- NSThirdParty* variants: same meaning, for domains you do not control -->
            <key>NSThirdPartyExceptionAllowsInsecureHTTPLoads</key>
            <false/>
            <key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
            <true/>
            <key>NSThirdPartyExceptionMinimumTLSVersion</key>
            <string>TLSv1.2</string>
        </dict>
    </dict>
</dict>

If you work against a local server or a test server that has no HTTPS certificate, you can allow every HTTP request as shown below.

BUT!!! Setting NSAllowsArbitraryLoads to true turns ATS off for every host the app talks to, not just your test server, and Apple was very clear that they intend to reject apps that use this flag without a specific reason. Prefer an NSExceptionDomains entry for the test host with NSExceptionAllowsInsecureHTTPLoads set to true, or keep the arbitrary-loads flag in a debug-only Info.plist.

Lazy way:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

Diagnosing the network

Even with exception domains defined in Info.plist you may still hit connection problems, and then you need to see what CFNetwork is doing. Set the CFNETWORK_DIAGNOSTICS environment variable to 3 in the Run phase of your scheme (Edit Scheme > Run > Arguments > Environment Variables) to get detailed network logs in the Xcode console or the device console. Level 3 is verbose and logs request and response details, so use it only in debug builds.


Check server TLS version and SSL configuration

App Transport Security is not only about using HTTPS. Your server must also meet Apple’s definition of a secure connection: TLS 1.2, a forward-secret ECDHE cipher suite, and a certificate signed with SHA-256 or stronger using an RSA key of at least 2048 bits or an EC key of at least 256 bits. The quickest way to check a server’s TLS version and cipher compatibility is nscurl on macOS 10.11 or later; it tries the default ATS policy and each exception variant (arbitrary loads, no forward secrecy, lower TLS versions) and prints a PASS or FAIL for each. In the terminal:

$ nscurl --ats-diagnostics https://www.myservername.com
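nscurl tells you PASS or FAIL but not why. The helper below, written for this post (it is not nscurl and not Apple code), applies the ATS default rules to a negotiated protocol version and OpenSSL cipher name so you can see which requirement a server misses. ats_compliant() runs offline on constructed handshake results; probe() fetches real values from a server with Python’s ssl module when you have network access. Host names, the sample handshakes and the function names are assumptions made for the example.

```python
"""Check a negotiated TLS handshake against the ATS default policy.

Hypothetical helper written for this post; it is not nscurl or Apple code.
ats_compliant() works offline on (version, cipher) values such as those
ssl.SSLSocket.version() and ssl.SSLSocket.cipher() return; probe() fetches
them from a live server when you have network access.
"""
import socket
import ssl


def ats_compliant(version, cipher, requires_forward_secrecy=True):
    """Return (ok, reasons) for a negotiated protocol version and OpenSSL
    cipher name. Defaults mirror ATS: TLS 1.2 or later plus forward secrecy.
    Pass requires_forward_secrecy=False to model an exception domain with
    NSExceptionRequiresForwardSecrecy set to false."""
    reasons = []
    if version not in ("TLSv1.2", "TLSv1.3"):
        reasons.append(f"{version} negotiated; ATS needs TLSv1.2 or later")
    # ATS's forward-secret suites are the ECDHE ones; every TLS 1.3 suite
    # uses ephemeral keys by construction.
    forward_secret = version == "TLSv1.3" or cipher.startswith("ECDHE-")
    if requires_forward_secrecy and not forward_secret:
        reasons.append(f"{cipher} has no forward secrecy; ATS needs an ECDHE suite")
    # The accepted TLS 1.2 suites are all AES (GCM or CBC); RC4, 3DES and
    # export-grade suites are never accepted.
    if version != "TLSv1.3" and "AES" not in cipher:
        reasons.append(f"{cipher} is not an AES suite ATS accepts")
    return not reasons, reasons


def probe(host, port=443, timeout=5.0):
    """Connect to host:port, validate the chain with the system trust
    store, and return the negotiated (version, cipher). Needs network."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


# Constructed handshake results, as a server scan might report them.
SAMPLE_HANDSHAKES = [
    ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),  # compliant
    ("TLSv1.2", "AES256-SHA"),                   # no forward secrecy
    ("TLSv1.0", "ECDHE-RSA-AES128-SHA"),         # protocol too old
    ("TLSv1.2", "ECDHE-RSA-RC4-SHA"),            # rejected cipher
]


def report(handshakes=SAMPLE_HANDSHAKES):
    """Return {"<version> <cipher>": ok} for each handshake under ATS defaults."""
    return {f"{v} {c}": ats_compliant(v, c)[0] for v, c in handshakes}


if __name__ == "__main__":
    for label, ok in report().items():
        print(("PASS " if ok else "FAIL ") + label)
    # Live check (network required):
    #   version, cipher = probe("www.myservername.com")
    #   print(ats_compliant(version, cipher))
```

The certificate rules (SHA-256 signature, RSA 2048 or EC 256 key) are not checked here; ssl.create_default_context() already rejects untrusted chains, and key size and signature algorithm are easiest to read from the server certificate itself.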

Check your canOpenURL and openURL calls (opening URL schemes)

If you call canOpenURL: with a scheme that is not in your whitelist, it returns NO even if an app that handles that scheme is installed, and a “This app is not allowed to query for scheme xxx” entry appears in the syslog.

openURL: itself is not subject to the whitelist: calling it with an undeclared scheme still opens the other app if one is installed, although the same “This app is not allowed to query for scheme xxx” line is logged because openURL: queries the scheme first. The practical consequence is that the common pattern of gating openURL: on canOpenURL: stops working until the scheme is declared.

Declare those schemes in Info.plist as follows, as bare scheme names without the “://”:

<key>LSApplicationQueriesSchemes</key>
<array>
 <string>urlscheme</string>
 <string>urlscheme2</string>
 <string>urlscheme3</string>
 ....
</array>
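Both plist fragments in this post are easy to get subtly wrong: an NSExceptionDomains entry that only restates the defaults grants nothing, NSAllowsArbitraryLoads silently covers every host, and a scheme written as “urlscheme2://” never matches. The script below is an added example for this post, not Apple tooling, that reads an Info.plist with the standard plistlib module, resolves each exception domain against the ATS defaults and checks the LSApplicationQueriesSchemes list. The embedded plist is constructed for the example and the function names are assumptions.

```python
"""Offline audit of an Info.plist for the ATS and URL-scheme keys above.

Hypothetical helper written for this post (not Apple tooling, not nscurl):
it resolves each NSExceptionDomains entry against the ATS defaults and
checks LSApplicationQueriesSchemes for the mistakes that bite in iOS 9.
"""
import plistlib

# ATS defaults for an NSExceptionDomains entry. A key missing from the
# domain dictionary behaves as if it were set to this value.
ATS_EXCEPTION_DEFAULTS = {
    "NSIncludesSubdomains": False,
    "NSExceptionAllowsInsecureHTTPLoads": False,
    "NSExceptionRequiresForwardSecrecy": True,
    "NSExceptionMinimumTLSVersion": "TLSv1.2",
}

# Constructed sample Info.plist: one entry that only restates the defaults
# (so it grants nothing), one local host that really allows cleartext,
# and a scheme list containing a typical "://" mistake.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><false/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>testdomain.com</key>
      <dict>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.2</string>
      </dict>
      <key>localhost</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
      </dict>
    </dict>
  </dict>
  <key>LSApplicationQueriesSchemes</key>
  <array>
    <string>urlscheme</string>
    <string>urlscheme2://</string>
  </array>
</dict>
</plist>
"""


def load_info(data):
    """Parse XML or binary plist bytes into a dict."""
    return plistlib.loads(data)


def audit_ats(info):
    """Return (findings, effective): findings is a list of risk strings,
    effective maps each exception domain to its resolved ATS settings."""
    ats = info.get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads", False):
        findings.append("NSAllowsArbitraryLoads=true: ATS is disabled for every host")
    effective = {}
    for domain, cfg in ats.get("NSExceptionDomains", {}).items():
        merged = {**ATS_EXCEPTION_DEFAULTS, **cfg}  # explicit keys override defaults
        effective[domain] = merged
        scope = domain + (" and subdomains" if merged["NSIncludesSubdomains"] else "")
        if merged["NSExceptionAllowsInsecureHTTPLoads"]:
            findings.append(f"{scope}: cleartext HTTP permitted")
        if not merged["NSExceptionRequiresForwardSecrecy"]:
            findings.append(f"{scope}: forward secrecy waived")
        if merged["NSExceptionMinimumTLSVersion"] != "TLSv1.2":
            findings.append(f"{scope}: minimum TLS lowered to "
                            f"{merged['NSExceptionMinimumTLSVersion']}")
    return findings, effective


def audit_query_schemes(info):
    """Check LSApplicationQueriesSchemes: bare scheme names, no duplicates."""
    schemes = info.get("LSApplicationQueriesSchemes", [])
    findings = []
    seen = set()
    for s in schemes:
        if not isinstance(s, str) or not s:
            findings.append(f"non-string or empty entry: {s!r}")
            continue
        if ":" in s or "/" in s:
            findings.append(f"'{s}': declare the bare scheme name, without '://'")
        elif s.lower() in seen:
            findings.append(f"'{s}': duplicate entry")
        seen.add(s.lower())
    return findings


if __name__ == "__main__":
    info = load_info(SAMPLE_PLIST)
    ats_findings, _ = audit_ats(info)
    for line in ats_findings + audit_query_schemes(info):
        print(line)
```

Point load_info() at the bytes of your built app’s Info.plist (the one inside the .app bundle, which Xcode may have converted to binary format; plistlib reads both) rather than the source file, so that any build-setting substitutions are already applied.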

Happy compiling! 🙂
