Displaying web images valid excuse for using NSAllowsArbitraryLoads? - ios

Until now, we have only been setting NSAllowsLocalNetworking in our app's ATS settings.
However, are now introducing link previews in our chat functionality. Links posted by a user are used to create a preview containing both the linked webpage's image and favicon.
The problem is that some links posted by users have favicons/images in clear-text (HTTP) format.
Is this a valid reason for using NSAllowsArbitraryLoads?
I am not 100% sure on the current status of ATS enforcement and whether user-generated links would be an acceptable exception.
(We are using the Kingfisher library to display these images in a UIImageView so NSAllowsArbitraryLoadsForMedia with AVFoundation is not possible.)

Although I cannot be certain what Apple will consider a valid reason (since they haven't started enforcing, so we have no information to go off of), having user driven content in the app seems like it would be one of those scenarios that would require the broader NSAllowsArbitraryLoads exception.
What I would recommend, in order to show Apple that you've done all that you can to secure any communication you can, would be to do the opposite of the most common technique. Normally, apps will leave ATS enabled (by leaving the default of NSAllowsArbitraryLoads as NO) while adding exception domains that disable ATS for certain domains. If I were you, I would do the opposite - set NSAllowsArbitraryLoads to YES, since you can't know what URLS might need ATS exceptions, then add exception domains for the domains that you control in the app (assuming there is some main server you get most of the app content from). This ensures communications with your server are secured using ATS standards, while all outside of the known servers will be exempt from ATS requirements.So turn ATS off, but turn it back on for domains in your control.
From this great article on some common ATS configurations, you can see how you would set things up this way ("Example C: ATS disabled, with some exceptions"):
To me, this would be a good sign to Apple that you are trying as much as possible to comply with the spirit of ATS.

You won't be rejected. The last update from Apple on this deadline was this:
At WWDC 2016 we announced that apps submitted to the App Store will be
required to support ATS at the end of the year. To give you additional
time to prepare, this deadline has been extended and we will provide
another update when a new deadline is confirmed.
https://developer.apple.com/news/?id=12212016b

Related

Can I publish my app to App store without https?

I am new in iOS development, and I want to publish my first app to the app store. but actually the endpoint I get from the backend guy is only http, not https.
My friend said that it must be https or Apple will reject my app to be published in the app store ? is it true ?
If I set the NSAllowsArbitraryLoads key to YES under NSAppTransportSecurity dictionary in your .plist file. like the image below, can I still publish my app to app store using http connection ? (without https)
If you are using HTTP there is no reason for worries. Just place NSAllowsArbitraryLoads into your info.plist file.
There is so much misleading information available. But as per my experience its more preferred & compulsory to place the NSAllowsArbitraryLoads whether you are using HTTP or HTTPs.
Important Note :
I have worked with both types of connections with HTTP & with HTTPs in both the cases I am used to add NSAllowsArbitraryLoads into info.plist. I have never faced any sort of rejection due to it. So that I am suggesting you to do the same.
Hope this helps to everyone.
Your friends is mostly right. But I would say Apple may reject your app. You need to provide a justification for using NSAllowsArbitraryLoads.
From apple's doc:
You must supply a justification during App Store review if you set the key’s value to YES, as described in Provide Justification for Exceptions. Use this key with caution because it significantly reduces the security of your app. In most cases, it’s better to upgrade your servers to meet the requirements imposed by ATS, or at least to use a narrower exception. source

iOS9 : App Transport Security inside .plist Framework

I had create a Framework that using NSURLSessionDataTask (HTTP) to send request to server, but whenever I use the Framework in Example app, it show warning like this :
App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file.
I tried to add App Transport Security inside Framework .plist but still not working. But, It work when I add App Transport Security in .plist outside Framework.
Is there any solution for this problem ?, Thanks
As #EmilioPelaez stated, the application controls whether ATS is active or not. If your framework does something that violates the ATS rules, each app that uses the framework will need to add the appropriate exceptions.
There is good reason for this behavior. Take, for example, a generic network helper framework, where the URLs are provided to the framework calls by the calling application. The framework would have no way of knowing whether it will need ATS. Conversely, if the framework has hard-coded URLs in it that require ATS exceptions, the calling app developer should be aware of that and it shouldn't be obscured by the face that the framework developer added exceptions. I, as a developer, would want to know I was using a framework that was inherently insecure. If you are dealing with the latter scenario, simply put in your framework documentation the exceptions that are needed for the framework to function properly.
Also, as a best practice with ATS, don't just disable it altogether, there are specific exceptions that can be used to minimize your security risk exposure by only disabling certain parts of the ATS requirements for specific domains. Be sure you do that. Also, understand that Apple planned to require justification for many ATS exceptions at the end of 2016, but it has been postponed at the moment. If you add exceptions, you should be prepared that at some point, when you submit the app to the App Store, you will be asked by Apple for a reason. It probably shouldn't be "because stack overflow told me to disable all ATS".
The framework doesn't have control over ATS, the app does. So you have to write it down in your documentation, that the app developer needs to add ATS exceptions to his app.
That said, don't do that. Especially if you're making a framework. Take time and add HTTPS support to the server / contact the server developer to add it. Because Apple will stop supporting AllowArbitraryLoads / exceptions soon. So, apps that include your framework won't be able to get through a review process without providing a valid reason for why they need those exceptions. Apple originally planned to drop the support starting Jan 1st 2017, but they postponed it for an unknown period of time. Still, they'll do it some day. It's better to plan for the future.
P.S. If you have absolutely no control over the server, and the server developer is on Mars, and your framework really needs to communicate to that server, the app developers will probably be able to pass the review by explaining the situation ("no control over the server" is a valid reason for the Apple Review team), but each and every one of them will have to do it over and over again, and you'll have to explain in your documentation how to do it and what to say. So switching to HTTPS is easier.
Add NSAllowsArbitraryLoads as true key in your info.plist to avoid this issue.

Does iOS "app transport security enforcement“ mean I need to switch APIs to https?

I am now watching wwdc and saw this. Does it mean all api that I am using should already become htpps?
Also, in my info.plst, I put "Allow Arbitrary Loads" as YES. Do I need to remove and support https?
The short answer is: Yes. All your APIs should use https from the moment on Apple enforces this. (They announced this moment to be the January of 2017) Apple will enforce this in the future but they postponed the enforcement to a date yet to be announced.
Your exisiting apps in the store will still work but you can not submit new apps that do not comply to ATS.
Allow Arbitrary Loads will definitely lead to a rejection then but you shouldn´t already use this today for your production app and rather use exceptions per domain.
Apple also announced that there will still be exceptions for servers that are not under your control. You can mark them as Third party exceptions with the help of the following entries in your plist file:
NSThirdPartyExceptionAllowsInsecureHTTPLoads
NSThirdPartyExceptionRequiresForwardSecrecy
NSThirdPartyExceptionMinimumTLSVersion
But there is no insurance that Apple will accept these servers as third party exceptions and therefore accept your app.
Here is some more information about the topic.
Hope this helps!

Add IP Range to Transport Security Layer in Info.plist iOS

I'm currently working on an app that will accept a user's login, password, and ip address to run rest get requests. I have done some research once I realized that TSL is going to be enforced by Apple and we cannot submit apps to the App Store using NSAllowsArbitraryLoads = YES.
Because of the nature of my application I will not be aware of the ip address so I cannot exactly specify the domain unless I use some kind of ip range or add the domain to info.plist once the user enters the ip address into the field. I have not seen anything online where people use ip ranges when adding exceptions for TLS and from what I understand I can only read info.plist in swift and not write to it. Currently kind of stuck at the moment. If anyone could point me in the right direction that would be great thanks!
The new App Transport Security rules were first introduced at this WWDC16 session. Also stated here was that these rules only applied to apps that had the ability to comply. If you believe you have an app that can't, I believe they said you should contact them. Use the link above to check out the WWDC session (searchable transcript included).
Edit: After checking out the transcript again, they said you'll need to "provide justification" for it. This might be justification at the time you submit your app, but you could contact Apple Developer Relations to find out.

iOS 9 Transport Security Policy not blocking all http connections (only https was supposed to be allowed)

I have already researched and tested a lot this new feature of iOS 9, where the "Transport Security Policy" states that all HTTP requests would be blocked and only HTTPS would be allowed.
During my tests, I could download and render an image from an http ONLY link. After that, I put a http link to redirect the image's click and the TSP blocked my request.
Anyone has had this issue before?? What does the TSP actually block??
OBS.: I was NOT using a webview of any kind, before anyone asks...
Thanks!
In your Info.plist you can add a section that lists exceptions for the TSP. You can put http domains in that section. Hopefully that helps.
I haven't run into the exact issue you're describing.
TSP, officially referred to as App Transport Security (ATS), when enabled, forces you to use HTTPS.
Apple has a great documentation page, which gets into a lot of details about what would and wouldn't get blocked.
If you're asking in order to get around it, you can include an NSAppTransportSecurity dictionary in your Info.plist. In it you can have specific domains for which you'd like an exception (NSExceptionDomains) or turn the whole thing off (NSAllowsArbitraryLoads : YES). Note that the spirit of the latter is for an app that allows the user to specify the connection info, not exactly to work around security best practices.

Resources