Re: NSAllowsArbitraryLoadsInWebContent in UIWebView

I took my UIWebView test app, changed the ATS dictionary to set just NSAllowsArbitraryLoadsInWebContent, and then pointed the app at that URL.  I then set a breakpoint on -webView:didFailLoadWithError: and printed the full error:

(lldb) po error
Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred
and a secure connection to the server cannot be made."
UserInfo={_kCFStreamErrorCodeKey=-9801,
NSLocalizedRecoverySuggestion=Would you like to connect to the
server anyway?, NSUnderlyingError=0x610000241c50 {Error
Domain=kCFErrorDomainCFNetwork Code=-1200 "An SSL error has occurred
and a secure connection to the server cannot be made."
UserInfo={NSErrorFailingURLStringKey=https://fyp.ebay.com/
EnterUserInfo?&clientapptype=16, NSLocalizedRecoverySuggestion=Would
you like to connect to the server anyway?,
_kCFNetworkCFStreamSSLErrorOriginalValue=-9801,
_kCFStreamPropertySSLClientCertificateState=0,
NSLocalizedDescription=An SSL error has occurred and a secure
connection to the server cannot be made.,
_kCFStreamErrorDomainKey=3,
NSErrorFailingURLKey=https://fyp.ebay.com/EnterUserInfo?&
clientapptype=16, _kCFStreamErrorCodeKey=-9801}},
NSLocalizedDescription=An SSL error has occurred and a secure
connection to the server cannot be made.,
NSErrorFailingURLKey=https://fyp.ebay.com/EnterUserInfo?&
clientapptype=16,
NSErrorFailingURLStringKey=https://fyp.ebay.com/EnterUserInfo?&
clientapptype=16, _kCFStreamErrorDomainKey=3}

Note the failing URL, https://fyp.ebay.com.  So NSAllowsArbitraryLoadsInWebContent is working for the initial URL but failing for this one.

Poking at that server with TLSTool I see the following:

$ TLSTool s_client -connect fyp.ebay.com:443
*  input stream did open
* output stream did open
* output stream has space
* protocol: TLS 1.0
* cipher: RSA_WITH_RC4_128_MD5
* trust result: unspecified
* certificate info:
*  0 + rsaEncryption 2048 sha256-with-rsa-signature 'fyp.ebay.com'
*  1 + rsaEncryption 2048 sha256-with-rsa-signature 'Symantec Class 3 Secure Server CA - G4'
*  2  rsaEncryption 2048 sha1-with-rsa-signature 'VeriSign Class 3 Public Primary Certification Authority - G5'
^C

Oi vey!  That cypher suite, RSA_WITH_RC4_128_MD5, is chock full of obsolete and insecure protocols (RC4, MD5, no forward secrecy).

My guess as to what’s happening here is that NSAllowsArbitraryLoadsInWebContent has disabled most, but not all, of the ATS checks for UIWebView.  So you can load plain text sites, and sites with other problems (for example, scgi.ebay.com doesn’t support forward secrecy), but either RC4 or MD5 is still tripping it up.  Please file a bug about this, then post your bug number here, just for the record.

The obvious workaround would be to continue to use NSAllowsArbitraryLoads until this problem is resolved.

You should also contact the site owner: the level of security for that site is way below what I would expect to see on the modern Internet.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"

We have some questions about ATS.

First, is this setting OK in iOS9 and iOS10 to access 'HTTP' contents with 'UIWebview'?

<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoadsInWebContent</key>
<true/>
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>

Second, do we have to justify the setting as this document says?

https://developer.apple.com/library/prerelease/content/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html#//apple_ref/doc/uid/TP40009251-SW59

> Your use of certain App Transport Security (ATS) keys triggers additional App Store review for your app, and requires you to provide justification. These keys are:

> ・NSAllowsArbitraryLoads

> ・NSExceptionAllowsInsecureHTTPLoads

> ・NSExceptionMinimumTLSVersion

Third, can we continue to use the setting in future ( 2017~ ) ?

thanks.

I am still experiencing problems with NSAllowsArbitraryLoadsInWebContent.

Bummer.

I have filed an Apple Radar, here is the Bug ID: 29093259.

Thanks.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"

chris.hoff wrote:

Same here, filed bug 30233586

Please test this with the latest iOS 10.3 beta; AFAICT it works there.

btw NSAllowsArbitraryLoadsInWebContent was fixed to allow servers that don’t support forward secrecy in 10.2.  The problem you’re having is that your server only supports TLS 1.0.  That’s something you really need to fix on the server side; TLS 1.0 is very worrisome security-wise.

dloic wrote:

We did filed a bug too: 30239888

On 10.2 I see the same failure as you do.  On the latest 10.3 beta I don’t see that failure, but the page still doesn’t load, even when I remove NSAllowsArbitraryLoadsInWebContent and set NSAllowsArbitraryLoads.  I believe there are bigger problems afoot here.

Also, your server has secure and pay in the name, but uses 3DES; that’s quite worrisome as well.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"