iOS 9 ATS Whitelisting - ios

This may sound like a stupid question but I've been having some trouble understanding ATS and Whitelisting.
I use the Facebook SDK so I followed what the documentation said and made the appropriate changes on my .plist to Whitelist Facebook servers.
In my app, I make API calls to my server and I was wondering how I should go about Whitelisting that? Also, in one of the WWDC talks on ATS, they spoke about URLSchemes. If someone could explain or point me in the right direction where I can get an understanding of why it needs to be implemented and how it should be done, that would be great!
Again sorry if this sounds like a stupid question - I've tried reading articles but haven't really been able to understand it.
Many thanks in advance for your help!

You may try the following:
Official technote: Apple Developer Technote for ATS
Console log, User Experience and Solution: click here

If enabled, ATS will block every HTTP request made by your App or third party libraries.
Apple will require specific justification whether you're disabling it or putting exceptions in the NSExceptionDomains dictionary.
You're allowed to do it when you have to connect to a server not managed by you, when you are using a device that cannot support secure connections, or when you are requesting media content that is already DRM-protected.
Your .plist will look something like this:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoadsInWebContent</key>
<true/>
<key>NSExceptionDomains</key>
<dict>
<key>domain.com</key>
<dict>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSIncludesSubdomains</key>
<true/>
</dict>
</dict>
</dict>
Don't forget to enter the domain without the http:// prefix.

Related

iOS WKWebView doesn't load http web content

WKWebView doesn't load http requests, only https is working. My URL strings are fetched from an API, so the links could be http and https. I did read about security, however the only thing I found was to add the following lines to the Info.plist:
<key>NSAppTransportSecurity</key>
<dict>
<key> NSAllowsArbitraryLoadsInWebContent</key>
<true/>
</dict>
However, in the .plist these keys don't exist. Is there any way to make WKWebView load http web content, and would the app be approved by the App Store?
I'm using Xcode 9.
1: Open your Info.plist file from the project
2: Add App Transport Security Settings in Information Property List
3: Add Allow Arbitrary Loads in App Transport Security Settings
See the attached images
You can ignore all transport security restrictions with the key you provided using the following:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
I assume your example is not working due to the space in the key:
<key> NSAllowsArbitraryLoadsInWebContent</key>
Try to use the same value as you did but without the space.
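The two mistakes discussed in the answers above (a stray space inside a key name, and an exception domain written with its scheme) are easy to catch before shipping. The following is an added example, not code from the original posts: it audits the ATS dictionary of an Info.plist, using a constructed sample with placeholder host names and the hypothetical helper `audit_ats`; `NSExceptionMinimumTLSVersion` is Apple's documented per-domain key.

```python
import plistlib

# Keys that relax ATS for every host, not just named exception domains.
GLOBAL_WEAKENERS = ("NSAllowsArbitraryLoads", "NSAllowsArbitraryLoadsInWebContent")
WEAK_TLS = ("TLSv1.0", "TLSv1.1")

# Constructed sample Info.plist; the host names are placeholders.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>NSAppTransportSecurity</key>
<dict>
  <key> NSAllowsArbitraryLoadsInWebContent</key><true/>
  <key>NSAllowsArbitraryLoads</key><true/>
  <key>NSExceptionDomains</key>
  <dict>
    <key>http://api.example.com/</key>
    <dict>
      <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
      <key>NSIncludesSubdomains</key><true/>
    </dict>
    <key>legacy.example.com</key>
    <dict><key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string></dict>
  </dict>
</dict>
</dict></plist>"""

def audit_ats(info_plist_bytes):
    """Return a list of findings for the NSAppTransportSecurity dictionary."""
    ats = plistlib.loads(info_plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    for key, value in ats.items():
        if key != key.strip():
            # Whitespace inside <key> means the name no longer matches the documented key.
            findings.append(f"key {key!r} contains stray whitespace")
        elif key in GLOBAL_WEAKENERS and value is True:
            findings.append(f"{key} is true: loads are exempt from ATS regardless of host")
    for domain, opts in ats.get("NSExceptionDomains", {}).items():
        if "/" in domain or ":" in domain or domain != domain.lower():
            findings.append(f"domain key {domain!r} must be a bare lowercase host name")
        if opts.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            scope = "and all subdomains " if opts.get("NSIncludesSubdomains") else ""
            findings.append(f"{domain} {scope}may be loaded over plain HTTP")
        if opts.get("NSExceptionMinimumTLSVersion") in WEAK_TLS:
            findings.append(f"{domain} accepts {opts['NSExceptionMinimumTLSVersion']}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_ats(SAMPLE)))
```

Run against a built app's Info.plist in CI, an empty result means ATS is left at its defaults or is relaxed only by well-formed, HTTPS-only domain entries.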

Fetch (or Axios) in react native not working for expo for iOS apps

iOS doesn't allow navigating to an http-only URL, allowing only https.
There is a solution, which is changing some code inside the Info.plist file
https://github.com/facebook/react-native/issues/8717
How can I change the settings for iOS, as the project comes with only an .expo folder and nothing else?
Do I need to change server configuration for this at last? :(
As you correctly found out, the problem is that iOS does not allow arbitrary calls to non-secure (http only) domains. It was a feature introduced with iOS 9 in order to push developers onto more secure connections.
As of this writing (mid 2017), there is a workaround. You should open
{Your-project}/ios/{Your-project}/Info.plist
and set proper values for the domain you are targeting (docs).
The following example will disable ATS and allow HTTP calls to somedomain.com:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>localhost</key>
<dict>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
</dict>
</dict>
</dict>
In your situation, I believe you are looking for the Info.plist file in the wrong place. It is not part of the node modules, instead look at the ios path specified above.
Unfortunately Expo doesn't allow you to modify the App Transport Security Settings but may bake in a configuration option. Here's a Github thread.
You can eject from Expo but only do this if you are 100% sure.
This will give you a project very similar to one created by react-native init
This features an ios and an android directory; navigating to ios/YourProject/ will reveal Info.plist.
How much of a struggle would it be to install an SSL certificate on your server? It may be more beneficial to do this and you can use a free service like letsencrypt.

How can I prevent my app from downgrading from TLSv1.2 on iOS 8?

I am trying to restrict my app from communicating with a server that is running any version of TLS prior to 1.2. From the docs, it appears that I should be able to do this by calling SSLSetProtocolVersionMin, so I have done that:
SSLContextRef context = SSLCreateContext(NULL, kSSLClientSide, kSSLStreamType);
SSLSetProtocolVersionMax(context, kTLSProtocol12);
SSLSetProtocolVersionMin(context, kTLSProtocol12);
I have verified that the call to SSLSetProtocolVersionMin does not return an error, but I am still able to connect to servers that negotiate down to SSLv3.
SSLSetProtocolVersionMax appears to work correctly, as when I set it to TLSv1.1 and the server to TLSv1.2 only, I cannot connect to the server.
It appears that this works as expected on iOS 9. Does anybody know if this is not supported in iOS 8, or if there are other steps I need to take?
You can configure iOS to only connect to servers meeting a minimum TLS version using Apple's new Application Transport Security in iOS 9.
You can add code like the following to your Info.plist file:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>mydomain.com</key>
<dict>
<key>NSThirdPartyExceptionMinimumTLSVersion</key>
<string>TLSv1.2</string>
</dict>
</dict>
</dict>
You can take a look at the WWDC video.
EDIT:
I see you added to your question to state that you need to accomplish this on iOS 8, which does not have ATS. But hopefully this answer will help those using iOS 9 and that need to do this, since the original question did not include this limitation.

AFNetworking works for iOS8, but doesn't work for iOS9

What might be wrong if my class responsible for connection works when I run on simulator with iOS8, but it is not going to work with simulator on iOS9. What is the reason?
If you are loading a non-https URL using AFNetworking, you need to add an App Transport Security override in your info.plist file like this:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key><true/>
</dict>
You can also add overrides for specific domains, which is a better approach. More info here:
http://ste.vn/2015/06/10/configuring-app-transport-security-ios-9-osx-10-11/

iOS 9 ... Are WebView(s) exempt from the App Transport Security Exceptions (ATS) rules that block insecure HTTP hosts?

In iOS 9, Apple is blocking insecure HTTP connections for apps, unless specific hosts are whitelisted.
http://ste.vn/2015/06/10/configuring-app-transport-security-ios-9-osx-10-11/
Are WebView(s) exempt from these rules for obvious reasons, or are we still expected to whitelist hosts that a browser opens... including all links from a given page?
I wasn't sure if this was our responsibility or if that was exempt.
SFSafariViewController can show HTTP without the NSAppTransportSecurity key.
UIWebView and WKWebView require the NSAppTransportSecurity key mentioned above to display HTTP pages.
I have inserted the following in my app's .plist per the Apple Guidance:
<key>NSAppTransportSecurity</key>
<dict>
<!--Include to allow all connections - with and without SSL (DANGEROUS)-->
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
and when I try to load my webView (from an HTTPS server no less), I get the following error and it doesn't load.
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
So it looks like not only are they not exempt, they don't work even if you make the correct addition to the .plist.
This question was originally about iOS 9; however, according to Apple's documentation:
Starting in iOS 10.0 and later, the following subkeys are supported:
NSAllowsArbitraryLoadsInWebContent
...
Use NSAllowsArbitraryLoadsInWebContent so that you do not need to white list each page a WebView may load.
Keep NSAllowsArbitraryLoads to maintain backward compatibility with iOS 9 and enable the new setting in your Xcode 8 project Info.plist here:
If your app (a third-party web browser, for instance) needs to load arbitrary content, Apple provides a way to disable ATS altogether, but I suspect it’s wise for you to use this capability sparingly:
<key>NSAppTransportSecurity</key>
<dict>
<!--Include to allow all connections (DANGER)-->
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
