I have an issue to make an investigation using my iOS app (iOS 9.3.3). I need to connect to a site which uses self-signed certificate. That site redirects me to an address with http. I see several solutions, but neither of them is working.
First I try to disable the https check using NSAppTransportSecurity but I still get -9813. I add domain as exception using NSExceptionDomains but still continue to receive that error.
If your site runs on Http// then you have to add an App Transport Security Settings
Under that Allow Arbitrary Loads to YES.
If Your site runs on Https// then there no need to add any Key to your info.plist file.
Hope This will help you . If not let me know.
Related
I've got an odd issue where a certain domain fails to load in a WKWebView. It gives an error:
WebPageProxy::didFailProvisionalLoadForFrame: frameID=3, domain=NSURLErrorDomain, code=-1200
Which I believe is complaining about a certificate issue? It works fine if I allow insecure content via info.plist, but of course I don't want to allow that.
The cert is fine for that domain. I'm unable to share the url unfortunately. It's a .gov domain. The cert is DigiCert and not-expired.
It works fine in Safari outside of the app, and even in Firefox and Chrome, which I thought used WKWebView but maybe not?
Has anyone ever experienced this issue? What additional steps can I do to pin down what exactly WKWebView is complaining about and what can be done to fix it?
We're actually using Xamarin, but we have test projects in both Xamarin and Xcode that replicate the issue.
Thanks!
I found the problem!
WKWebView (unlike Safari) requires that SSL certs support forward secrecy.
https://developer.apple.com/documentation/bundleresources/information_property_list/nsexceptionrequiresforwardsecrecy
You can check if a cert supports this here:
https://www.ssllabs.com/ssltest/analyze.html
It's possible to disable it in info.plist but we've opted to ask the site owner to change their certs.
I've been facing issue setting up deeplinking with react native for IOS with react navigation 5.
When i try the URL scheme of myownapp://homepage/ it opens up the app.
But if i try with url : https://dev.myownapp.com/homepage/ it opens up the safari browser, but it doesnt open up the app.
I've tried with the documentation by adding Appropriate code in AppDelegate.m file and also ive added myownapp.com in the Associated Domains in Xcode.
Can you guys brief about what configuration is left to be done because the same opens in android. Thanks in Advance
Can you reach https://dev.myownapp.com/.well-known/apple-app-site-association or https://dev.myownapp.com/apple-app-site-association yet?
If you can't, please host the file on the servers you want to be supported universal link.
So to make it work:
You need to setup your app to be supported wildcard domain by set applinks:*.myownapp.com.
You also need to host the config file (apple-app-site-association) to all the sub-domains, it means you're able to reach:
https://sub1.myownapp.com/.well-known/apple-app-site-association
https://sub2.myownapp.com/.well-known/apple-app-site-association
....
Another thing you should notice that all your domains must be supported secure connection (https).
I use the cordova plugin "ionic-plugin-deeplinks" (to my knowledge also works with a plain cordova app).
On Android, links when clicked let users choice between chrome and my application.
=> I suppose that app links works
=> As I'm able to access window.IonicDeeplink and redirect the user to the right page
I'm not able to have the same behavior on iOS, when I click a link I always get the app open in Safari.
How can I find clue on issues ?
More context:
apple-app-site-association is got with a HTTP 200 (over https only), it's located in /.well-known/apple-app-site-association:
I checked TeamID and BundleID 5 times (at least);
with the branch.io validator i get all validations green:
Your domain is valid (valid DNS).
Your file is served over HTTPS.
Your server does not return error status codes greater than 400.
Your file's 'content-type' header was found :)
Your JSON is validated.
with the apple validator, I got : "Action required
Could not extract required information for Universal Links. Learn how to implement the recommended Universal Links.
Error no apps with domain entitlements
The entitlement data used to verify deep link dual authentication is from the current released version of your app. This data may take 48 hours to update." (but some devs said that working app add the same error) what to do with that result?
when monitoring server's log while installing the app with Xcode I see a request get a HTTP 200 on apple-app-site-association
while installing the app with Xcode I got no logs referring to swcd in Xcode (I read here that I should if I had error while installing the app). Is a successful installation silent?
I followed that guide to setup entitlements, but some things feel odd with it:
Unlike the snapshot in the guide, I didn't found any *.entitlements file in my project. Should I have one with cordova? (my xCode seems to remember my setting though). Is it possible to check that installed app get entitlements?
I did set my domain in Xcode like this: applinks:mydomain.com and the switch is ON. But I never uploaded any thing from my local dev environment to apple services. Should I have? If yes, how ?
My current interrogations are highlighted but any explanations on any lack of understanding will be more than welcome!!!
Until then I started a verification for testFlight looking for more info.
while installing the app with Xcode I got no logs referring to swcd in xCode
I implemented Universal Links manually, but situation was similar. Particularly I mentioned empty swcd process log while installing the app, and it turned out that most likely iOS didn't even try to download apple-app-site-association file, like if responsible process wasn't run. In my case device restart helped and deep-linking began to work.
Thus I think restarting device is one another step in troubleshooting when you are sure about all your setup.
For anyone trying to debug this in development:
In XCode, ensure you're editing the Debug version of Signing & Capabilities.
To bypass the Apple Universal Links CDN, configure your Debug domains like applinks:?mode=developer -- adding that query string in development is important.
On your iOS Device, go to Settings->Developer->Universal Links and ensure the Associated Domains Development toggle is switched on.
On your iOS Device in Settings->Developer->Universal Links->Diagnostics, enter your Universal Links URL and ensure you get a green checkmark.
After following all of these steps, Universal Links work locally.
I have a Cordova Angularjs app that is getting some JSON from my server. It works on iOS 8, but when I "upgraded" to iOS 9 I am now getting nothing from my server. The server has not been changed, and I can see the JSON response if I navigate to my url.
I narowed it down a little to my $http.jsonp() method. It is giving me a 404 error when trying to retrieve the JSON. The same exact code works fine and gets the JSON on an iOS 8 device.
Anyone else having an issue with this and iOS 9 and have figured any more out? It definitely seems like an Apple related issue...
Add this to your info.plist file.
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key><true/>
</dict>
From this page
App Transport Security (ATS) enforces best practices in the secure connections between an app and its back end. ATS prevents accidental disclosure, provides secure default behavior, and is easy to adopt; it is also on by default in iOS 9 and OS X v10.11. You should adopt ATS as soon as possible, regardless of whether you’re creating a new app or updating an existing one.
If you’re developing a new app, you should use HTTPS exclusively. If you have an existing app, you should use HTTPS as much as you can right now, and create a plan for migrating the rest of your app as soon as possible. In addition, your communication through higher-level APIs needs to be encrypted using TLS version 1.2 with forward secrecy. If you try to make a connection that doesn't follow this requirement, an error is thrown. If your app needs to make a request to an insecure domain, you have to specify this domain in your app's Info.plist file.
This has been turned on by default in iOS9. They suggest developing using https whenever possible. To get around that you would need the previous code in this answer.
We have an iOS app that connects to our server through HTTPS. When the app is built with the new iOS 9 SDK and ran under iOS 9, the following error occurs:
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)
The app uses AFNetworking 1.3.4 with pinned certs. The problem occurs if I connect to the server with its IP address. It works if I add the NSAllowsArbitraryLoads config, or if I connect to the server with its domain name.
The Tomcat connector is configured with sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2".
I have tried overriding the host name but it doesn't seem to change anything.
I can't find much official documentation on ATS yet. Maybe connecting with IP address is not supposed to work?
iOS9 requires the server to only support TLSv1.2 and support perfect forward security.
Also required is for the app to support IPV6 including not using hard-coded IP addresses. Suggested is to use NSURLSession. Otherwise exception additions must be made in the app plist.
See the WWDC-15 session "Security and your Apps".
Also see Steven Peterson's Blog for details.
You can add this in your "Info.plist" file, it will allow non secured connections:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
I found another stack overflow answer with a checklist of the exact new requirements on the server to full fill the iOS 9 default App Transport Security requirements:
iOS 9 Security Server requirements Checklist
Hope that helps.
I got stuck on this one for a while and tried all the tricks in Info.plist but still had the error:
HTTP load failed (kCFStreamErrorDomainSSL, -9813)
when trying to connect to a localhost server in development.
Developing locally with a react native project connecting to an API served with a self signed certificate I had my system set to trust the certificate but it took me a while to realise that I also needed the IOS simulator to accept my cert as trusted to get past this error.
In the home screen of your simulator you should be able to drag the cert file into the simulator to prompt it to add the certificate profile.
Or, if the certificate is accessible through a localhost url in the simulator's safari browser you may be able to accept it through safari.
Hope this helps someone as I went around in circles before it clicked for me!
Solution 1 :
If you’re looking for work around then use below approach :
Add NSAllowsArbitraryLoads key of type boolean with value true.
Your Info.plist file should look like this :
However, this approach is not recommended since it allows all unsecure connection.
Solution 2 :
The SSL certificate that you apply on Server should be of type TLSv2.0 minimum since iOS 10 requires this.
Check this link for detail.
Add NSIncludesSubdomains key of type boolean with value true
Add NSTemporaryExceptionAllowsInsecureHTTPLoads key of type boolean with value true
Add NSTemporaryExceptionMinimumTLSVersion key of type String with value TLSv1.2
Your Info.plist file should look like this :