Application Transport Security ?

Question

When I try to start an URL Request to my website from watchOS 2 the request fail and i get this message :

Application Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file.

what can i do ? All i've found in the doc is :

App Transport Security

App Transport Security (ATS) lets an app add a declaration to its

Info.plist

file that specifies the domains with which it needs secure communication. ATS prevents accidental disclosure, provides secure default behavior, and is easy to adopt. You should adopt ATS as soon as possible, regardless of whether you’re creating a new app or updating an existing one.

If you’re developing a new app, you should use HTTPS exclusively. If you have an existing app, you should use HTTPS as much as you can right now, and create a plan for migrating the rest of your app as soon as possible.

But nothing about the name of the key in Info.plist..

282k

Posted by

Arnonymous

Reply

Add a Comment

Answer 1

I only just noticed this thread and I have some concerns about the accepted answer here. Apple strongly recommends against completely disable ATS by setting the NSAllowsArbitraryLoads key. This key is intended to be used in situations where you have to connect to arbitrary user-specified servers, and thus can’t statically declare your ATS requirements in your Info.plist. For example, imagine you’re building a tool where the user can enter an arbitrary URL and you fetch that URL and display the returned headers. The user might enter any sort of URL, including an http URL, or one to a server whose TLS setup is broken, and you still need to work with it. That’s a perfect use case for NSAllowsArbitraryLoads.

In cases like this one, where you’re trying to connect to a single server, our advice is:

If possible, fix the server to be ATS compatible. This yields the best security which, after all, is the whole purpose of ATS.
If you can’t fix the server, apply a targeted exception using NSExceptionDomains rather disabling ATS entirely using NSAllowsArbitraryLoads.

For more background on ATS, see Preventing Insecure Network Connections and the associated NSAppTransportSecurity reference.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by

eskimo

Add a Comment

Answer 2

NSRequiresCertificateTransparency
NSTemporaryExceptionRequiresForwardSecrecy
NSTemporaryThirdPartyExceptionAllowsInsecureHTTPLoads
NSTemporaryThirdPartyExceptionMinimumTLSVersion
NSTemporaryThirdPartyExceptionRequiresForwardSecrecy

kituaz.com

Posted by

luongduong9x

Added a comment accidentally. Please ignore.

—
avnerm

Add a Comment

Answer 3

I'm using wkwebview to refer to a direct local http IP address (e.g. http://192.168.1.80) instead of a domain name.
This is done for development purposes only and not for official or public release.
I'm seeing an error:

domain = NSURLErrorDomain, code = -1202

Adding the following code to my Info.list file does not solve the problem.

<key>NSAppTransportSecurity</key>
<dict>
     <key>NSAllowsArbitraryLoads</key><true/>
</dict>

I read here that the order of things may cause problems.
In my case, I don't have a pre-build or post-build scripts.

I'm debugging iOS14 with xcode 13.1 on MacOS 12.0.1

How can I refer to a direct IP address?

Thanks

Posted by

avnerm

Add a Comment

Answer 4

I'm using wkwebview to refer to a direct local http IP address

I recommend that you start a new thread for this. Please tag it with WebKit and Security so that I see it. And feel free to reference any bits of this thread that you think are relevant.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by

eskimo

Add a Comment

Application Transport Security ?

Apple Recommended

Replies