NSAllowsArbitraryLoads or NSExceptionAllowsInsecureHTTPLoads flags are not working after deploymnent of the app to device.

Question

Created Mar ’21

Replies 7

Boosts 0

Views 1.4k

Participants 2

We have internal lower environment services are configured over HTTP (not HTTPS) and when we were connecting the iPad app in the simulator to these HTTP services, it was connecting to services by setting NSAllowsArbitraryLoads to true.

I also tried separately using "NSExceptionAllowsInsecureHTTPLoads" flag for exception domains.

Both the time, I was able to connect to services over HTTP in the simulator, but when I deployed the app to iPad, the app was not able to connect. These apps are strictly for internal and lower environments only.

Is there a way to fix this error?

The production app is connected to HTTPS services.

Thanks in advance.

Boost

Answer 1

DTS Engineer OP

Apple

Mar ’21

We have internal lower environment services

What do you mean by “lower environment”?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 2

shaash OP

Mar ’21

I meant lab, dev, QA ...

0

Answer 3

shaash OP

Mar ’21

More info if it is of any help....

Is this a restriction enforced in ios 14.x versions?
Our app used to work fine connecting to HTTP services before.

The changes we did were, upgrading the Cordova ios platform version, UIWebView to WKWebView.

0

Answer 4

DTS Engineer OP

Apple

Mar ’21

I meant lab, dev, QA ...

IMO you should not disable TLS security in test environments. Rather, you should issue your test servers with valid certificates, if necessary using a custom certificate authority for that. This avoids the need to disable TLS server evaluation in your code, which both simplifies your code and guarantees that you won’t accidentally ship with it disables (I’ve worked with household name developers who’ve done that, resulting a serious security vulnerability).

I discuss this in more detail in QA1948 HTTPS and Test Servers.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 5

shaash OP

Mar ’21

@eskimo, Thanks for the response.

I totally understand the importance of HTTPS. But, if they are strictly intranet and when I clearly included exception domains, I don't see how it is a security threat.

Anyways, I am still wondering, what could have caused this behavior now when a similar setup was working before.

0

Answer 6

DTS Engineer OP

Apple

Mar ’21

I don't see how it is a security threat.

… says everyone who ever shipped with a massive security vulnerability (-:

Anyways, I am still wondering, what could have caused this behavior
now when a similar setup was working before.

The most likely cause is your switch from UIWebVIew to WKWebView. UIWebView runs entirely within your process which means that its networking is affected by the state of your networking. There is, for example, a popular hack that disables HTTPS server trust evaluation for all CFNetwork clients in your process (1).

*sigh*

In contrast, WKWebView does its networking out of process which means its not affected by any in-process state you set up. To disable HTTPS server trust evaluation in WKWebView you have to intercept its server trust authentication challenges using webView(_:didReceive:completionHandler:).

And this brings me back to my previous point: Modifying your code to disable HTTPS server trust evaluation is both tricky and error prone. Instead you should configure your test servers and devices to avoid the entire problem.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

(1) I specifically call this out in the introduction to Technote 2232 HTTPS Server Trust Evaluation.

0

Answer 7

shaash OP

Mar ’21

Thanks, @eskimo. This helps me understand why we are getting the error.

Appreciate your help !!

0