App Transport Security and local networking

Hi,


it seems that "App Transport Security" is also enabled by default for communication on the local network (http transfers between devices on the same wifi network).

In many cases such wifi devices (e.g. wifi based sd cards, mobile wifi harddisks) do not support https; so http needs to be used.

What is the recommended way to handle these cases as the domain based exception can't be applied here?
Is there any way to disable App Transport Security for private networks?


Cheers,


Hendrik


Answers

Right now we don't have a great story for this (apparently you can use an IP as an ATS exception domain, but that will only help if you're always talking to the same IP address). For the moment you should just disable ATS via the NSAllowsArbitraryLoads key.

Also, I'd appreciate you filing a bug that describes your requirements so that we can contemplate how best to address this in the future. And please post your bug number, just for the record.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1@apple.com"

It also disables HTTP requests on localhost, which is usually where I'm running a server (e.g. the same Mac I'm running Xcode on). I added an exception in Info.plist for localhost, but I'd really like to see a default exception for that instead of adding this exception to every project.


I've filed an enhancement request: 21519087

I have a similar problem, communicating with other programs or devices in the LAN (even localhost) via XML-RPC.

Enhancement request: 21579094

I posted my suggestions regarding App Transport Security and local networking as Enhancement request: 21669759


Excerpt from the radar:


In local networking scenarios (like communicating with DLNA servers, appliances like Philips Hue Lights, Wi-Fi SD cards, wireless hard disks) it's often not possible to implement HTTPS/TLS based communication as required by App Transport Security. The target devices do not support HTTPS/TLS and in many cases never will.

At the moment communicating with these devices requires disabling App Transport Security for the entire application (NSAllowsArbitraryLoads = true) as domain based exceptions can't be applied here.

It should be possible to disable App Transport Security for local networking without compromising the security of the whole app.


Suggestion: Introduce a key NSAllowsArbitraryLoadsLocalNetworkOnly. When this key is set to true, it allows unencrypted http communication between devices on the same local network (IPv4 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 and IPv6 fd00::/8, and 127.0.0.1 for development purposes).


If anyone has better ideas how to handle these cases, I am looking forward to hear them.


Cheers,


Hendrik

What keys/dictionaries did you use to disable ATS for localhost only? I've tried various combinations of the exceptions listed in the tech notes and haven't had any success.


I'll file a radar requesting that localhost be exempted by default from ATS... or at least allow a specific key to deal with it specifically.

bwalker wrote:

I've filed an enhancement request: 21519087

Tolibi wrote:

Enhancement request: 21579094

thanatos0801 wrote:

I'll file a radar requesting that localhost be exempted by default from ATS... or at least allow a specific key to deal with it specifically.

hhtouch wrote:

I posted my suggestions regarding App Transport Security and local networking as Enhancement request: 21669759

Thanks everyone.

@thanatos0801, what was your bug number?

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

(apparently you can use an IP as an ATS exception domain ...).

It seems that IP addresses aren't working as expected. Specifically, I set up my property list as shown:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>127.0.0.1</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
        <key>localhost</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
</dict>

then issued requests to http://127.0.0.1:12345/ and http://localhost:12345/. The latter works but the former gets blocked by ATS. I've filed a bug about this.

So, using localhost seems to be fine for folks doing loopback stuff, but folks trying to connect to nearby IP addresses (like 192.168.0.0/16) will need to stick with NSAllowsArbitraryLoads for the moment.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

My bug number is

21746124

Great! After fiddling around a little more with my own code and using the keys you listed, I was able to get the localhost exception to work. I still think it would be a good idea to exempt localhost by default, and allow people who really want to be super-careful to turn that off in the exceptions list (per my bug), but this will get us enough functionality to work with for now.


Thanks!

I have the problem with local and remote hosts.

NSAllowsArbitraryLoads doesn't work for me.


I am using Xcode 7 Beta 3

NSAllowsArbitraryLoads is a 'fix everything' option; it basically disables ATS entirely. If it's not working for you, it's likely that you've not configured it correctly.

Be aware that the App Transport Security Technote has a bug in how it describes NSAllowsArbitraryLoads. Table 1-1 implies that NSAllowsArbitraryLoads should be nested within NSExceptionDomains. This is incorrect. NSAllowsArbitraryLoads is a top-level key within NSAppTransportSecurity. So your NSAppTransportSecurity dictionary should look like this:
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

I tested this myself just yesterday (Xcode 7.0b3, iOS 9.0b3) and it works as I've described.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
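The two configuration pitfalls discussed in this thread (an IP literal such as 127.0.0.1 as an NSExceptionDomains key not taking effect, and NSAllowsArbitraryLoads being nested under NSExceptionDomains instead of sitting directly under NSAppTransportSecurity) are easy to check for mechanically. The script below is an added example, not code from any poster or from Apple: it builds three constructed Info.plist fragments with the standard-library plistlib module, lints them for those mistakes, and models which cleartext http loads would go through. The decision function reflects only the behaviour reported in this thread (top-level NSAllowsArbitraryLoads disables ATS for every host; hostname-keyed exceptions work; IP-keyed exceptions were observed not to), not Apple's reference evaluation logic.

```python
import ipaddress
import plistlib
from typing import List
from urllib.parse import urlsplit

# Constructed Info.plist fragments (sample data, not from any poster's project).
# Serialising with plistlib.dumps means the checks below parse real plist XML.
PLIST_LOCALHOST_EXCEPTION = plistlib.dumps({
    "NSAppTransportSecurity": {
        "NSExceptionDomains": {
            "127.0.0.1": {"NSExceptionAllowsInsecureHTTPLoads": True},
            "localhost": {"NSExceptionAllowsInsecureHTTPLoads": True},
        }
    }
})

# Correct placement: NSAllowsArbitraryLoads directly under NSAppTransportSecurity.
PLIST_ARBITRARY_LOADS = plistlib.dumps({
    "NSAppTransportSecurity": {"NSAllowsArbitraryLoads": True}
})

# The mistake the technote's Table 1-1 invites: the key nested under NSExceptionDomains.
PLIST_MISPLACED = plistlib.dumps({
    "NSAppTransportSecurity": {
        "NSExceptionDomains": {"NSAllowsArbitraryLoads": True}
    }
})


def load_ats(plist_bytes: bytes) -> dict:
    """Parse an Info.plist and return its NSAppTransportSecurity dict (empty if absent)."""
    return plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def lint_ats(ats: dict) -> List[str]:
    """Flag the configurations this thread shows to be ineffective or over-broad."""
    findings = []
    domains = ats.get("NSExceptionDomains", {})
    if "NSAllowsArbitraryLoads" in domains:
        findings.append("NSAllowsArbitraryLoads is nested under NSExceptionDomains; "
                        "it only takes effect as a top-level NSAppTransportSecurity key")
    for name in domains:
        if _is_ip_literal(name):
            findings.append(f"exception domain {name!r} is an IP literal; "
                            "the thread reports such entries do not unblock loads")
    if ats.get("NSAllowsArbitraryLoads") is True:
        findings.append("NSAllowsArbitraryLoads is set: ATS is disabled for every host, "
                        "not only the local network")
    return findings


def is_plain_http_allowed(ats: dict, url: str) -> bool:
    """Model of the behaviour observed in this thread, not Apple's reference algorithm."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return True                       # only cleartext http is gated by these keys
    if ats.get("NSAllowsArbitraryLoads") is True:
        return True                       # top-level key: ATS off for everything
    host = parts.hostname or ""
    if _is_ip_literal(host):
        return False                      # IP-keyed exceptions observed not to work
    entry = ats.get("NSExceptionDomains", {}).get(host)
    return isinstance(entry, dict) and entry.get("NSExceptionAllowsInsecureHTTPLoads") is True


if __name__ == "__main__":
    urls = ("http://localhost:12345/", "http://127.0.0.1:12345/", "http://192.168.1.20/")
    for label, blob in (("localhost exception", PLIST_LOCALHOST_EXCEPTION),
                        ("arbitrary loads", PLIST_ARBITRARY_LOADS),
                        ("misplaced key", PLIST_MISPLACED)):
        ats = load_ats(blob)
        print(label, {u: is_plain_http_allowed(ats, u) for u in urls})
        for finding in lint_ats(ats):
            print("  warning:", finding)
```

Running it prints, for each constructed plist, which of the three sample URLs would be loadable and any lint findings; the misplaced-key plist blocks all three URLs, which is exactly the symptom reported by the posters whose NSAllowsArbitraryLoads "doesn't work".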

Is there anything new in iOS 9 Beta 4 regarding App Transport Security and local networking?

NSAllowsArbitraryLoads is not disabling the App Transport Security and is not working for me. I've tested in iOS 9 Beta 3 and Beta 4. Can someone please help me to resolve this?

My post on thread dated 15 Jul covers this: I specifically tested

NSAllowsArbitraryLoads
on 9.0b3 and it worked as expected (although, as described in the post, not as documented). Please read it through.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I've filed an issue as well: 22127901


Is there any indication of when this might be addressed?