App Transport Security and Subdomains

Hi,

tl;dr: How can I treat all subdomains on domain.com as secure, except for the ones I specify in the exception list?


I am trying to configure App Transport Security to have exceptions for particular subdomains but am not having any luck. I have tried searching extensively and haven't found something that matches what I'm seeing.


My scenario is this.

During development, my app can connect to several insecure subdomains for testing different backend environments, so I need to add those domains to the exception list for ATS.

When it is time to distribute my application it will connect to a secure subdomain on the same top level domain as the insecure testing environment servers.

I have not been able to find a way to configure insecure subdomains and treat all others as secure.

The app, when released, will point to something like secure.domain.com

Here's what my plist looks like.


<key>NSAppTransportSecurity</key>
<dict>
  <key>NSExceptionDomains</key>
  <dict>
    <key>insecure.domain.com</key>
    <dict>
      <key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
      <false/>
    </dict>
    <key>insecure1.domain.com</key>
    <dict>
      <key>NSExceptionAllowsInsecureHTTPLoads</key>
      <true/>
    </dict>
    <key>insecure2.domain.com</key>
    <dict>
      <key>NSExceptionAllowsInsecureHTTPLoads</key>
      <true/>
    </dict>
  </dict>
</dict>

The app is an iOS application building with iOS SDK 9.2, for the time being.

Answered by utn in 125278022

Accepted Answer

Never mind. This can be disregarded.

My app was using a webview which was following a redirect and that redirect URL was not listed in my exception list.
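
The failure described in the accepted answer, as an added example (not code from the original posts): a Python check that reads the ATS dictionary from an Info.plist and reports which hops of a redirect chain would be refused as cleartext loads. The plist fragment and the redirect chain, including the host auth.domain.com, are constructed, and only NSExceptionDomains, NSIncludesSubdomains and NSExceptionAllowsInsecureHTTPLoads are modelled.

```python
import plistlib
from urllib.parse import urlsplit

# Constructed Info.plist fragment modelled on the question's exception list.
INFO_PLIST = b"""<plist version="1.0"><dict>
<key>NSAppTransportSecurity</key><dict>
  <key>NSExceptionDomains</key><dict>
    <key>insecure1.domain.com</key><dict>
      <key>NSExceptionAllowsInsecureHTTPLoads</key><true/></dict>
    <key>insecure2.domain.com</key><dict>
      <key>NSExceptionAllowsInsecureHTTPLoads</key><true/></dict>
  </dict>
</dict></dict></plist>"""

# Constructed redirect chain; auth.domain.com is a hypothetical intermediate host.
CHAIN = ["http://insecure1.domain.com/login",
         "http://auth.domain.com/sso",
         "https://secure.domain.com/home"]

def load_ats(plist_bytes):
    """Return the NSAppTransportSecurity dictionary (empty if absent)."""
    return plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})

def exception_for(host, domains):
    """Model assumption: an exact host entry applies first, otherwise the
    longest parent domain that sets NSIncludesSubdomains."""
    host = host.lower().rstrip(".")
    by_name = {name.lower(): rules for name, rules in domains.items()}
    if host in by_name:
        return by_name[host]
    parents = [n for n, r in by_name.items()
               if r.get("NSIncludesSubdomains") and host.endswith("." + n)]
    return by_name[max(parents, key=len)] if parents else None

def load_permitted(url, ats):
    """True if ATS, as modelled here, would let this URL load."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        return True  # TLS version and cipher requirements are not modelled
    rules = exception_for(parts.hostname or "", ats.get("NSExceptionDomains", {}))
    return bool(rules and rules.get("NSExceptionAllowsInsecureHTTPLoads"))

def blocked_hops(chain, ats):
    """Return the URLs in a redirect chain that ATS would refuse."""
    return [url for url in chain if not load_permitted(url, ats)]

if __name__ == "__main__":
    for url in blocked_hops(CHAIN, load_ats(INFO_PLIST)):
        print("blocked by ATS:", url)
```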
