App Transport Security exceptions

I have an app that loads some HTTP and HTTPS URLs in a web view, which are blocked if I leave App Transport Security on. I'm starting to see warnings that Apple will be rejecting apps that allow ATS exceptions, or at least requiring an explanation for them. I would like to avoid this.


I have looked at this forum post, this blog post, and this documentation, and I'm still confused about what exceptions will be rejected or require justification in the near future. I know that apps that simply have NSAllowsArbitraryLoads=YES will soon be rejected.


Will I be able to use the combination of NSAllowsArbitraryLoads=YES and NSAllowsArbitraryLoadsInWebContent=YES, which is supposed to allow insecure URLs (but only in a web view) on iOS 10 or higher?


Will I be able to use NSExceptionAllowsInsecureHTTPLoads=YES on particular domains?


Apple's docs make me think that both of these will trigger a review. What does the "justification" process look like? What kinds of justifications are allowed? (In my case, we're loading content from domains that we don't control.)


Finally, how are developers supposed to find out about things like this? As far as I can tell, the original announcement was only for WWDC attendees. Is there a single site where Apple lists changes to their approval process? (I think I know the answer....)


Thanks,

Jacob

Let's start with your last question:

Finally, how are developers supposed to find out about things like this?

As I mentioned in my App Transport Security pinned post, the best way to find out about new developments like this is to monitor the News and Updates page. Personally, I do this via its RSS feed.

With regard to your other questions, I don’t work for App Review and can’t give definitive answers about their review policy or processes. I will say that this:

Will I be able to use the combination of NSAllowsArbitraryLoads=YES and NSAllowsArbitraryLoadsInWebContent=YES

is an expected use case. It works as follows:

  • iOS 10 honours NSAllowsArbitraryLoadsInWebContent
  • iOS 9 ignores NSAllowsArbitraryLoadsInWebContent, but honours NSAllowsArbitraryLoads
  • Older versions of iOS do not include ATS

IMPORTANT The presence of NSAllowsArbitraryLoadsInWebContent causes iOS 10 to ignore NSAllowsArbitraryLoads. This results in best practice security on iOS 10 while maintaining compatibility with iOS 9.

Whether you should do this or use an NSExceptionDomains entry really depends on the nature of your web view. If your web view loads a single page that needs an exception, and there is no way for the user to navigate off that page, then I would recommend an NSExceptionDomains entry. It’s a much smaller exception than NSAllowsArbitraryLoadsInWebContent.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thanks Quinn (btw, are you the same Quinn that used to write Mac utilities back in the day?)


I guess I'm going to have to hope that you're right, and that either of those approaches will pass review. It's unfortunate that there's nothing official from Apple's review team on stuff like this. We're building apps for our clients, and I'd like to be able to tell them definitively that we fixed this issue.


Anyway, thanks again for your help.

are you the same Quinn that used to write Mac utilities back in the day?

Perhaps. I’ve been doing this job for a long time but, before that, in the bottom half of the 90s, I was involved in the Mac shareware scene, most notably with Internet Config.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Ah, I remember Internet Config very well. OS X still doesn't do command-clicking of URLs as well as IC did. 🙂

Piling on here, hoping for a reply.


I have an app that I'm upgrading to WKWebView for most internet access; however, I'm running into a couple of issues for when I can't use a WKWebView.

My plist has these entries to support iOS 9:

    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSAllowsArbitraryLoads</key>
        <true/>
        <key>NSAllowsArbitraryLoadsInWebContent</key>
        <true/>
        <key>NSAllowsLocalNetworking</key>
        <true/>
    </dict>


(I also have a peer to peer sharing facility).


My users can access arbitrary web sites on servers I don't control to access content. I cache the content for their personal use, and this is the main user benefit, a personal clipping service. Part of the clipping service looks for images. I used to get them with NSData *data = [NSData dataWithContentsOfURL:urlInQuestion]; Now I get a warning that "App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file." Same deal with a DataURLTask.


If I turn off NSAllowsArbitraryLoadsInWebContent, nothing loads in the WKWebView.


I let users search a creative commons site for images associated with keywords. The resulting image results are from sites I can't control.


Many many of those sites are still using plain http to serve images. If I could get the image out of the already downloaded WKWebView, I would.


How do I configure App Transport to solve this?

Thanks!

KT

NSAllowsArbitraryLoadsInWebContent only affects traffic generated by WKWebView and UIWebView. When you fetch a resource via +dataWithContentsOfURL:, the request is actually run by your app and thus does not benefit from NSAllowsArbitraryLoadsInWebContent.

You have two options here:

  • Remove NSAllowsArbitraryLoadsInWebContent and rely on NSAllowsArbitraryLoads
  • Run your image downloads using JavaScript within the web view, passing the results to native code when you’re done

The first option is easy but you may end up needing to explain it to App Review. The second option avoids that, but the implementation is somewhat challenging.

ps You really shouldn’t be using +dataWithContentsOfURL: for network requests, but instead run those requests via NSURLSession. This change won’t, however, affect your ATS situation.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thanks Quinn (I also used dataTask to no avail, but this was more succinct to write up). I had tried turning off arbitrary loads in web views, thinking nothing worked, even with the allows arbitrary loads key on.

For those following along at home, I also had the allows local networking key on. After I deleted that key, then just arbitrary loads worked. I guess you can't use any other thing beyond arbitrary loads.

I'll give app review a go, and see how that goes.

For those following along at home, I also had the allows local networking key on. After I deleted that key, then just arbitrary loads worked.

Indeed. This seemingly strange behaviour is covered in Table 2 of the ATS docs (the NSAppTransportSecurity section of the Information Property List Key Reference). The rationale here is that it allows an app adopting the new keys we added in iOS 10 (NSAllowsArbitraryLoadsForMedia, NSAllowsArbitraryLoadsInWebContent and NSAllowsLocalNetworking) to get best practice security on iOS 10 while still being compatible with iOS 9.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
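The key-precedence rules Quinn describes in his first reply (iOS 9 honours only NSAllowsArbitraryLoads; iOS 10 ignores it whenever one of the newer keys is present) and the Table 2 behaviour KT ran into are easy to get wrong by eye, so here is an added Python model of them that audits an Info.plist before it goes to App Review. This is illustration written for this thread, not Apple's code; the sample plist is constructed to mirror KT's, and the NSExceptionDomains handling (per-domain NSExceptionAllowsInsecureHTTPLoads, NSIncludesSubdomains) follows Apple's documented semantics rather than anything stated in the thread.

```python
import plistlib

# Keys introduced in iOS 10; their mere presence makes iOS 10 ignore
# NSAllowsArbitraryLoads (the Table 2 behaviour discussed above).
IOS10_KEYS = ("NSAllowsArbitraryLoadsForMedia",
              "NSAllowsArbitraryLoadsInWebContent",
              "NSAllowsLocalNetworking")

# Constructed Info.plist fragment modelled on the one KT posted.
KT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSAllowsArbitraryLoadsInWebContent</key><true/>
    <key>NSAllowsLocalNetworking</key><true/>
  </dict>
</dict></plist>"""


def ats_dict(plist_bytes):
    """Return the NSAppTransportSecurity dictionary (empty if absent)."""
    return plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})


def cleartext_http_allowed(ats, ios_major, host, in_web_view=False):
    """True if a plain-http load of `host` would pass ATS on that iOS.

    `in_web_view` marks traffic generated by WKWebView/UIWebView; anything
    fetched by app code (NSURLSession, +dataWithContentsOfURL:) is not
    web content and never benefits from NSAllowsArbitraryLoadsInWebContent.
    Local-network semantics of NSAllowsLocalNetworking are not modelled.
    """
    if ios_major < 9:  # ATS does not exist before iOS 9
        return True
    # A per-domain entry decides for that domain regardless of global keys.
    for name, rules in ats.get("NSExceptionDomains", {}).items():
        subdomain = bool(rules.get("NSIncludesSubdomains")) and host.endswith("." + name)
        if host == name or subdomain:
            return bool(rules.get("NSExceptionAllowsInsecureHTTPLoads"))
    if ios_major >= 10:
        if in_web_view and ats.get("NSAllowsArbitraryLoadsInWebContent"):
            return True
        if any(key in ats for key in IOS10_KEYS):
            return False  # iOS 10 ignores NSAllowsArbitraryLoads here
    # iOS 9, or iOS 10 with none of the newer keys: the broad switch applies.
    return bool(ats.get("NSAllowsArbitraryLoads"))
```

Running it over KT's plist shows why his image fetch was blocked on iOS 10 while the web view kept working, and why removing the newer keys changed the outcome.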