I have a Cordova Angularjs app that is getting some JSON from my server. It works on iOS 8, but when I "upgraded" to iOS 9 I am now getting nothing from my server. The server has not been changed, and I can see the JSON response if I navigate to my url.
I narowed it down a little to my $http.jsonp() method. It is giving me a 404 error when trying to retrieve the JSON. The same exact code works fine and gets the JSON on an iOS 8 device.
Anyone else having an issue with this and iOS 9 and have figured any more out? It definitely seems like an Apple related issue...
Add this to your info.plist file.
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key><true/>
</dict>
From this page
App Transport Security (ATS) enforces best practices in the secure connections between an app and its back end. ATS prevents accidental disclosure, provides secure default behavior, and is easy to adopt; it is also on by default in iOS 9 and OS X v10.11. You should adopt ATS as soon as possible, regardless of whether you’re creating a new app or updating an existing one.
If you’re developing a new app, you should use HTTPS exclusively. If you have an existing app, you should use HTTPS as much as you can right now, and create a plan for migrating the rest of your app as soon as possible. In addition, your communication through higher-level APIs needs to be encrypted using TLS version 1.2 with forward secrecy. If you try to make a connection that doesn't follow this requirement, an error is thrown. If your app needs to make a request to an insecure domain, you have to specify this domain in your app's Info.plist file.
This has been turned on by default in iOS9. They suggest developing using https whenever possible. To get around that you would need the previous code in this answer.
Related
I’m trying to test my app in iPhone, but Xcode throws this error:
You are using download over http. Currently Unity adds NSAllowsArbitraryLoads to Info.plist to simplify transition, but it will be removed soon. Please consider updating to https.”
I'm using UnityWebRequest with URL "http://..." (to download a JSON file), I already added NSAllowsArbitraryLoads in true, but it doesn’t work. Is it really necessary to update to https, or are there other ways to do it if I don't have https?
The problem is that from Unity Editor it works, but it's not working from an iOS device.
I have a WKWebView which will display users' webpages using links gathered online.
Sometimes these links are http: which are blocked by ATS.
I've tried simply changing the links to https:, which works sometimes.
However, very often I get an error "An SSL error has occurred and a secure connection to the server cannot be made".
Sometimes the page simply redirects to the http:, which gets blocked again.
Other times the https: page is simply "Not found".
Removing http: only results in "Unsupported URL" error.
Is there any way to get WKWebView to show these pages?
PLEASE DON"T suggest NSAllowsArbitraryLoads, or even per-domain exceptions (I do not know in advance what the domains will be).
The pages load perfectly on Safari, and even mobile safari, so it must be possible.
So, the short answer is NSAllowsArbitraryLoadsInWebContent, which will work great in iOS 10. However, if you try to run with that in your Info.plist on an iOS 9 device, it won't work.
If you want this to work on both iOS 9 and iOS 10, what Apple is recommending that you do is to put both NSAllowsArbitraryLoads AND NSAllowsArbitraryLoadsInWebContent in your Info.plist.
In iOS 9, since it doesn't recognize the NSAllowsArbitraryLoadsInWebContent entry, it will allow all http content in the app (including your WKWebview). This isn't ideal, but as long as you are ensuring your critical connections elsewhere are secure, having Apple enforce it really doesn't do much.
In iOS 10 (which most of your users should be running) iOS will ignore the NSAllowsArbitraryLoads if it also sees NSAllowsArbitraryLoadsInWebContent. This means the rest of your app network communications will need to follow ATS's security requirements, while the WKWebView and UIWebView does not. This isn't a great solution, but it is the one recommended by Apple engineers when you need to support both iOS 9 and 10.
Note that when Apple does start to require justifications for ATS exceptions, the NSAllowsArbitraryLoadsInWebContent entry is one of the ones that will trigger the need to justification. But, it is better than having NSAllowsArbitraryLoads by itself, and you can put that in your justification and it should be accepted by Apple.
As posted in this article, add a top level property NSAppTransportSecurity in info.plist, then if the iOS version is 10 and above, add a boolean entry for NSAllowsArbitraryLoadsInWebContent in this dictionary, otherwise NSAllowsArbitraryLoads, such that the plist entry looks like
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoadsInWebContent</key>
<true/>
</dict>
I have an issue to make an investigation using my iOS app (iOS 9.3.3). I need to connect to a site which uses self-signed certificate. That site redirects me to an address with http. I see several solutions, but neither of them is working.
First I try to disable the https check using NSAppTransportSecurity but I still get -9813. I add domain as exception using NSExceptionDomains but still continue to receive that error.
If your site runs on Http// then you have to add an App Transport Security Settings
Under that Allow Arbitrary Loads to YES.
If Your site runs on Https// then there no need to add any Key to your info.plist file.
Hope This will help you . If not let me know.
We have an iOS app that connects to our server through HTTPS. When the app is built with the new iOS 9 SDK and ran under iOS 9, the following error occurs:
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)
The app uses AFNetworking 1.3.4 with pinned certs. The problem occurs if I connect to the server with its IP address. It works if I add the NSAllowsArbitraryLoads config, or if I connect to the server with its domain name.
The Tomcat connector is configured with sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2".
I have tried overriding the host name but it doesn't seem to change anything.
I can't find much official documentation on ATS yet. Maybe connecting with IP address is not supposed to work?
iOS9 requires the server to only support TLSv1.2 and support perfect forward security.
Also required is for the app to support IPV6 including not using hard-coded IP addresses. Suggested is to use NSURLSession. Otherwise exception additions must be made in the app plist.
See the WWDC-15 session "Security and your Apps".
Also see Steven Peterson's Blog for details.
You can add this in your "Info.plist" file, it will allow non secured connections:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
I found another stack overflow answer with a checklist of the exact new requirements on the server to full fill the iOS 9 default App Transport Security requirements:
iOS 9 Security Server requirements Checklist
Hope that helps.
I got stuck on this one for a while and tried all the tricks in Info.plist but still had the error:
HTTP load failed (kCFStreamErrorDomainSSL, -9813)
when trying to connect to a localhost server in development.
Developing locally with a react native project connecting to an API served with a self signed certificate I had my system set to trust the certificate but it took me a while to realise that I also needed the IOS simulator to accept my cert as trusted to get past this error.
In the home screen of your simulator you should be able to drag the cert file into the simulator to prompt it to add the certificate profile.
Or, if the certificate is accessible through a localhost url in the simulator's safari browser you may be able to accept it through safari.
Hope this helps someone as I went around in circles before it clicked for me!
Solution 1 :
If you’re looking for work around then use below approach :
Add NSAllowsArbitraryLoads key of type boolean with value true.
Your Info.plist file should look like this :
However, this approach is not recommended since it allows all unsecure connection.
Solution 2 :
The SSL certificate that you apply on Server should be of type TLSv2.0 minimum since iOS 10 requires this.
Check this link for detail.
Add NSIncludesSubdomains key of type boolean with value true
Add NSTemporaryExceptionAllowsInsecureHTTPLoads key of type boolean with value true
Add NSTemporaryExceptionMinimumTLSVersion key of type String with value TLSv1.2
Your Info.plist file should look like this :
I'm developing an app using phonegap/cordova (1.7.0), I can't figure out how to make my application work with a less restrictive option than *. If I try setting www.mywebservicedomain.com or *.mywebservicedomain.com it can't retrieve data anymore. I see many questions about this and the general answer is to just set *. I'd like to understand how to be more restrictive, if it is possible.
Thank you in advance for your efforts.
That is indeed possible. But be aware that redirects on the servers may lead to connections to different domains which you also have to specifiy. Luckily those restricted accesses appear in the debug log in xcode. Run the project on the simulator or the device from within xcode and then you will see which requests to which servers got blocked.
In the cordova.plist it should look like this:
<key>ExternalHosts</key>
<array>
<string>*.googleapis.com</string>
<string>*.gstatic.com</string>
</array>
I use Google maps in my project which uses the described redirect. Thus I had to add the gstatic although my requests point to maps.googleapis.com originally (I use cordova 1.7).