6 Replies
      Latest reply: Sep 20, 2016 3:18 AM by lemonK
      lemonK Level 1 (0 points)

        According to the announcement in WWDC 2016 lecture 706 "What's new on Security" an exception for using http for encrypted HLS is mentioned:

        "We're also adding some new Exceptions to make it easier to adopt. So for example, if you're using Streaming Media and that media's already encrypted in bulk, we'll be able to offer an Exception through AV Foundation for you to load that media without connecting over TLS."

         

        As for the post before https://forums.developer.apple.com/thread/51612

        Also, the document lists that we can set "NSAllowsArbitraryLoadsInMedia" for iOS10. However, this setting in the plist only works for iOS10 and does not work for the older OS versions.

        How could we set the plist to support HLS exceptions for both iOS10 and the older versions of iOS?

        Another question is related to the image url.

        In my App, we get images from the server with a URL and set them on the imageview. Should I make the image server support https, or could I just set the domain of the image server as an exception domain?

        Thank you in advance for any suggestions and answers.

        • Re: App Transport Security Questions for submission in 2017
          eskimo Apple Staff (7,960 points)

          For the latest news on ATS see my App Transport Security pinned post.


          How could we set the plist to support HLS exceptions for both iOS10 and the older versions of iOS?

          You can’t.  The above-mentioned pinned post contains a link to the pre-release docs that specifically address this compatibility question.


          In my App, we get images from the server with a URL and set them on the imageview. Should I make the image server support https, or could I just set the domain of the image server as an exception domain?

          I recommend that you fetch the image over HTTPS because:

          • that avoids any App Review entanglements

          • it’s more secure (using HTTP increases your attack surface because an imposter server can send your app a malicious image)

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

            • Re: App Transport Security Questions for submission in 2017
              lemonK Level 1 (0 points)

              Thank you for your reply and recommendations.

              I will make the image fetching over HTTPS.

              According to the pre-release ATS documentation, I have noticed a sentence: "If you add this key to your Info.plist file, then, irrespective of the value of the key, ATS ignores the value of the NSAllowsArbitraryLoads key.".

              Does the sentence mean that if I set "NSAllowsArbitraryLoadsInMedia" to YES, then we can use HLS without HTTPS for iOS10 correctly; on the other hand, it will make iOS9 set "NSAllowsArbitraryLoads" to YES? Also, it will trigger App Store review and require justification?

                • Re: App Transport Security Questions for submission in 2017
                  eskimo Apple Staff (7,960 points)

                  Also, it will trigger App Store review and require justification?

                  While the docs don’t cover this specific case (feel free to file a bug about that), I think it’s reasonably safe to extrapolate from the NSAllowsArbitraryLoadsInWebContent case, which is covered by the docs (see the NSAllowsArbitraryLoadsInWebContent row in Table 2).

                  Ultimately, however, the final arbiter of what will or won’t be allowed on the store is App Review.

                  Share and Enjoy

                  Quinn “The Eskimo!”
                  Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                  let myEmail = "eskimo" + "1" + "@apple.com"
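
An added example, not part of the thread and not Apple's code: a small Python audit that models the precedence rule quoted above from the pre-release ATS documentation and reports what an Info.plist permits on iOS 9 versus iOS 10. It assumes, as the thread states, that the media key is only understood from iOS 10 onward; the sample plist is constructed, the function names are hypothetical, and NSExceptionDomains is not modeled.

```python
import plistlib

# Constructed sample Info.plist (not taken from the thread): both keys set.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSAllowsArbitraryLoadsInMedia</key><true/>
  </dict>
</dict></plist>"""

GLOBAL_KEY = "NSAllowsArbitraryLoads"
MEDIA_KEY = "NSAllowsArbitraryLoadsInMedia"


def effective_ats(plist_bytes, ios_major):
    """Return (all_http_allowed, media_http_allowed) for one iOS major version."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    global_allowed = bool(ats.get(GLOBAL_KEY, False))
    if ios_major >= 10 and MEDIA_KEY in ats:
        # Quoted rule: once the media key is present, its value is irrelevant
        # to the override and NSAllowsArbitraryLoads is ignored.
        return (False, bool(ats[MEDIA_KEY]))
    # Assumption from the thread: older systems do not act on the media key,
    # so only the global key decides, and it covers media as well.
    return (global_allowed, global_allowed)


def findings(plist_bytes, versions=(9, 10)):
    """List the cleartext exposure an auditor should flag per OS version."""
    out = []
    for v in versions:
        all_http, media_http = effective_ats(plist_bytes, v)
        if all_http:
            out.append(f"iOS {v}: ATS disabled for all connections")
        elif media_http:
            out.append(f"iOS {v}: cleartext allowed for media only")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_PLIST):
        print(line)
```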