App Transport Security and local networking

Hi,


it seems that "App Transport Security" is also enabled by default for communication on the local network (http transfers between devices on the same wifi network).

In many cases such wifi devices (e.g. wifi based sd cards, mobile wifi harddisks) do not support https; so http needs to be used.

What is the recommended way to handle these cases as the domain-based exception can't be applied here?
Is there any way to disable App Transport Security for private networks?


Cheers,


Hendrik

Replies

Another relatively simple workaround is xip.io …

Cool. I hadn’t seen that before. Thanks for sharing.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

devices without Bonjour support are broken anyway (-;


Same here...


I have an app that makes HTTP connections (openweathermap), HTTPS connections on the internet (personal data for the users) and HTTP connections to a local network device (an IoT device discovered via Bonjour; after that we connect to its IP over HTTP to get faster response times). Since iOS 9 it's not possible to have this device working with iOS via IP.


Everybody should remember that private IPs (192.168.*.*, 10.*.*.*) can't have HTTPS connections with valid certificates. And that many devices are not "Bonjour" compatible. We need something like NSAllowsArbitraryLoadsLocalNetworkOnly

I need this feature too. Is there any news?

I also need this feature. Any news?

This does not seem to be working for tvOS.


2016-05-18 08:00:15.672 Hero[8664:3335716] App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file.

2016-05-18 08:00:15.673 Hero[8664:3335690] [Error]: The resource could not be loaded because the App Transport Security policy requires the use of a secure connection. (Code: 100, Version: 1.13.0)

My info.plist looks like this:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>



I'm making a call to http://localhost:1337/parse and I get the App Transport Error. I'm using the Parse SDK to make the call. I don't know if that makes a difference. I haven't dug into it on the Parse side yet.

While editing the info.plist didn't work for me, I followed these instructions and now everything works as expected.


http://stackoverflow.com/questions/31254725/transport-security-has-blocked-a-cleartext-http

Hi,


I started this thread almost a year ago, because of the issues of App Transport Security in combination with local/private networks. The workaround eskimo posted for bonjour based hostnames (.local) is nice, but not a solution for every case. In my opinion something like NSAllowsArbitraryLoadsLocalNetworkOnly is still needed.


I just looked through the iOS 10 Beta API docs and unfortunately I can't see any additions that go in that direction. The only new addition seems to be NSAllowsArbitraryLoadsInWebContent, which is only relevant for Web-Content (WKWebKit).

Apple today at WWDC also announced that ATS is mandatory by the end of 2016 for all App Store submissions.

I am aware that iOS 10 is in Beta and there might be still additions, but the current state of things makes me quite worried.


The general concept of ATS and protecting users is great, but for applications doing data transfer on the private/local network its use is just not practical in many cases (there are plenty of examples in this thread).


@eskimo: You know the internal processes at Apple better than any of us here. There were numerous bug reports filed for this issue in 2015 and also (I assume) several DTS incidents. What can we do so that the issue gets the required attention and the actual framework developers take a look at it?


Cheers,


Hendrik

I second this request.

We manage the app of a connected appliances company, but unfortunately we don't get to design the hardware specs and protocols, so neither bonjour nor HTTPS for us 😟

xip.io might work, but we cannot rely on the 37signals magnanimity forever, I believe.

Without something like NSAllowsArbitraryLoadsLocalNetworkOnly our iOS app will be completely useless in 2017; I believe we're not alone in this, as this thread clearly shows.

We are in the same situation, having an app which is in fact a proxy between web media and the local network. A lot of web servers do not implement HTTPS, and neither do communications over the local network. It seems our app will be absolutely useless without NSAllowsArbitraryLoads. There must be a procedure/approval for apps like ours, similar to setting, for example, Background modes for apps. I am sure a lot of apps are in our situation.

Support NSAllowsArbitraryLoadsLocalNetworkOnly

I too came back and looked for this support after the iOS 10 announcement.

I just looked through the iOS 10 Beta API docs and unfortunately I can't see any additions that go in that direction.

Indeed. Sad Quinn is sad )-:

What can we do that the issue gets the required attention and the actual framework developers take a look at it?

This is a sufficiently well-known issue that I used it as an example of “reasonable justification” in my recent ATS update. I, and the ATS team, certainly got a lot of feedback about this issue during the labs at WWDC (-: It’s possible that the situation with ATS and local networking might change prior to the new ATS requirement being enforced but, if it does not, you will have to ship with NSAllowsArbitraryLoads.

Keep in mind that, even if we did add something like NSAllowsArbitraryLoadsLocalNetworkOnly today, you’d still need NSAllowsArbitraryLoads as long as you support iOS 9.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thanks for the response, Quinn.

It's good to hear that there is still hope. Something like NSAllowsArbitraryLoadsLocalNetworkOnly would still help and make dealing with App Review easier.

Thanks so much for keeping us updated.


Cheers,


Hendrik

Hi,


Really appreciate all the responses and information you've provided. I'd just like to follow up and find out if there's been any new information since the last update.


We have an application that communicates with several devices on the local network. Updating these devices to support HTTPS (and in some cases, this may not be possible at all) will be a significant endeavor for us. Has there been a path forward or solution for people and companies who are in this particular situation?


Thanks!

-ah

Hi,


it seems we will get the "NSAllowsLocalNetworking" key, see here: https://developer.apple.com/library/prerelease/content/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html



🙂



it seems we will get the "NSAllowsLocalNetworking" key

Indeed. Yay!

Just for the record, while there were lots of bugs filed about this (thanks everyone!), the specific change was made as (r. 27111836).

I tried this out for myself (both in the simulator and on iOS 10.0b4 hardware) and it seems to work well. The only gotcha I found is that it doesn’t allow absolute domain names (r. 27655708). For example, NSAllowsLocalNetworking enables access to http://guy-smiley.local but not to http://guy-smiley.local. (note the trailing dot). This might trip you up if, for example, you build the URL from NSNetService’s hostName property, which always returns an absolute domain name.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
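
The trailing-dot gotcha described in the post above, as an added example that is not part of the original thread or Apple's code: it builds an http URL from a resolved service host name and drops the root-label dot so the host stays in the relative form the post reports NSAllowsLocalNetworking accepts. The function names, the port and the path are assumptions made for illustration; the host name is the one quoted in the post.

```swift
import Foundation

/// Returns the host name without the trailing root-label dot.
/// "guy-smiley.local." (absolute) becomes "guy-smiley.local" (relative).
/// Returns nil when nothing is left, e.g. for "" or ".".
func relativeHostName(_ hostName: String) -> String? {
    var host = hostName.trimmingCharacters(in: .whitespaces)
    if host.hasSuffix(".") {
        host.removeLast()
    }
    return host.isEmpty ? nil : host
}

/// Builds a cleartext http URL for a device on the local network.
/// `hostName` and `port` are the values a resolved NSNetService (NetService
/// in Swift 3 and later) hands back; they are passed in as plain values so
/// the example runs without a live Bonjour service.
func localHTTPURL(hostName: String, port: Int, path: String = "/") -> URL? {
    // An unresolved service reports no usable port; refuse to build a URL.
    guard port > 0, port <= 65535,
          let host = relativeHostName(hostName) else {
        return nil
    }
    var components = URLComponents()
    components.scheme = "http"
    components.host = host
    components.port = port
    // URLComponents needs an absolute path once a host is set.
    components.path = path.hasPrefix("/") ? path : "/" + path
    return components.url
}

// Constructed sample input: the absolute name from the post, with an
// assumed port and path.
if let url = localHTTPURL(hostName: "guy-smiley.local.", port: 8080, path: "status") {
    print(url.absoluteString)
}
```

Apply the same normalisation wherever a URL string is assembled by hand from the service's host name, since the absolute form is what reaches ATS otherwise.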