App Transport Security Questions for submission in 2017

According to the announcement in WWDC 2016 lecture 706 "What's new on Security", an exception for using HTTP for encrypted HLS is mentioned:

"We're also adding some new Exceptions to make it easier to adopt. So for example, if you're using Streaming Media and that media's already encrypted in bulk, we'll be able to offer an Exception through AV Foundation for you to load that media without connecting over TLS."


As for the post before https://forums.developer.apple.com/thread/51612

Also, the document lists that we can set "NSAllowsArbitraryLoadsInMedia" for iOS 10. However, this setting in the plist only works for iOS 10 and not for older OS versions.

How could we set the plist to support HLS exceptions for both iOS 10 and older iOS versions?

Another question is related to the image url.

In my app, we get images from the server with a URL and set them on the image view. Should I make the image server support HTTPS, or could I just set the domain of the image server as an exception domain?

Thank you in advance for any suggestions and answers.

Replies

For the latest news on ATS see my App Transport Security pinned post.

How could we set the plist to support HLS exceptions for both iOS 10 and older iOS versions?

You can’t. The above-mentioned pinned post contains a link to the pre-release docs that specifically address this compatibility question.

In my app, we get images from the server with a URL and set them on the image view. Should I make the image server support HTTPS, or could I just set the domain of the image server as an exception domain?

I recommend that you fetch the image over HTTPS because:

  • that avoids any App Review entanglements

  • it’s more secure (using HTTP increases your attack surface because an imposter server can send your app a malicious image)

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thank you for your reply and recommendations.

I will make the image fetching over HTTPS.

According to the pre-release ATS documentation, I have noticed a sentence: "If you add this key to your Info.plist file, then, irrespective of the value of the key, ATS ignores the value of the NSAllowsArbitraryLoads key."

Does the sentence mean that if I set "NSAllowsArbitraryLoadsInMedia" to YES, then we can use HLS without HTTPS on iOS 10 correctly, but on the other hand it will make iOS 9 set "NSAllowsArbitraryLoads" to YES? Also, will it trigger App Store review and require justification?

Also, will it trigger App Store review and require justification?

While the docs don’t cover this specific case (feel free to file a bug about that), I think it’s reasonably safe to extrapolate from the NSAllowsArbitraryLoadsInWebContent case, which is covered by the docs (see the NSAllowsArbitraryLoadsInWebContent row in Table 2).

Ultimately, however, the final arbiter of what will or won’t be allowed on the store is App Review.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
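To make the interaction the poster is asking about concrete, here is an added Python check, written for this page and not code from the thread or from Apple, that parses an Info.plist and reports what ATS will permit on iOS 9 versus iOS 10. It models only the rule quoted above (the presence of a per-category key makes iOS 10 ignore NSAllowsArbitraryLoads, while iOS 9 does not know those keys and honours the global one) plus per-domain NSExceptionAllowsInsecureHTTPLoads entries. The two plists, the host images.example.com and the "major version 10" threshold are constructed assumptions; the media key is spelled as in this thread, and the check also accepts NSAllowsArbitraryLoadsForMedia, the name used in the shipped documentation.

```python
import plistlib

# Constructed sample Info.plist (not from the thread): the layout the original
# poster is weighing, with the global key for iOS 9 and the iOS 10 media key
# side by side, plus a per-domain HTTP exception for an image host.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
    <key>NSAllowsArbitraryLoadsInMedia</key>
    <true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>images.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Constructed narrower variant: media key only, no global exception and no
# per-domain exceptions (images fetched over HTTPS, as recommended above).
MEDIA_ONLY_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoadsInMedia</key>
    <true/>
  </dict>
</dict>
</plist>
"""

# Media exception key: the spelling used in this thread (pre-release docs) and
# the spelling in the shipped documentation.
MEDIA_KEYS = ("NSAllowsArbitraryLoadsInMedia", "NSAllowsArbitraryLoadsForMedia")
# iOS 10 per-category keys whose mere presence makes iOS 10 ignore
# NSAllowsArbitraryLoads (the documentation sentence quoted in the thread).
GRANULAR_KEYS = MEDIA_KEYS + ("NSAllowsArbitraryLoadsInWebContent", "NSAllowsLocalNetworking")


def effective_ats(plist_bytes, ios_major):
    """Summarise what ATS will permit for this Info.plist on one iOS major version.

    Model (assumption drawn from the quoted docs): iOS 10 ignores
    NSAllowsArbitraryLoads whenever any per-category key is present; iOS 9 does
    not know the per-category keys and honours the global key as written.
    """
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    granular_present = [k for k in GRANULAR_KEYS if k in ats]
    global_set = bool(ats.get("NSAllowsArbitraryLoads", False))
    arbitrary_honoured = global_set and not (ios_major >= 10 and granular_present)
    media_http = ios_major >= 10 and any(ats.get(k, False) for k in MEDIA_KEYS)
    insecure_domains = sorted(
        domain for domain, rules in ats.get("NSExceptionDomains", {}).items()
        if rules.get("NSExceptionAllowsInsecureHTTPLoads", False)
    )
    findings = []
    if arbitrary_honoured:
        findings.append("NSAllowsArbitraryLoads honoured: plain HTTP permitted app-wide")
    elif global_set:
        findings.append("NSAllowsArbitraryLoads present but ignored (per-category keys found)")
    if media_http:
        findings.append("AVFoundation media may load over plain HTTP")
    for domain in insecure_domains:
        findings.append(f"plain HTTP permitted for {domain} (per-domain exception)")
    return {
        "arbitrary_loads_honoured": arbitrary_honoured,
        "media_http_allowed": media_http,
        "insecure_http_domains": insecure_domains,
        "findings": findings,
    }


if __name__ == "__main__":
    for name, plist in (("sample", SAMPLE_PLIST), ("media-only", MEDIA_ONLY_PLIST)):
        for ios in (9, 10):
            report = effective_ats(plist, ios)
            print(f"{name} on iOS {ios}: {report['findings'] or ['no ATS exceptions in effect']}")
```

Running it shows the trade-off behind the "You can’t" answer: the combined plist gives iOS 10 a media-only exception but leaves iOS 9 with arbitrary loads enabled app-wide, while the media-only plist keeps iOS 9 fully enforced at the cost of HLS over plain HTTP not working there. The same function can be pointed at a real built Info.plist (pass the file bytes) as a pre-submission review check.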

Hi eskimo,

Thank you for your reply and suggestions.

I have already filed a bug on 1 Sep 2016, and the bug number is 28113272.

However, 20 days have passed and the state remains "Open".

Should I ask the same question for a faster reply from a TSI for code-level support?

Should I ask the same question for a faster reply from a TSI for code-level support?

A DTS tech support incident won’t help you here. There are two parts to this:

  • How do iOS 9 and iOS 10 behave when you set things up this way? — You can work this out by testing it for yourself.

  • How will this setup be treated by App Review? — DTS isn’t in a position to speak on App Review’s behalf about policy matters.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thank you for your reply.