-
Re: App Transport Security REQUIRED January 2017
Werecrayon Jun 15, 2016 12:19 PM (in response to RLKingSoftware)
I am all for secure communications, but there are some times when it is simply not possible. I have an app that communicates with a physical satellite modem. That satellite modem is local to the wifi network and only exposes an HTTP connection. There is no way to connect to it securely. Is this app simply no longer possible?
-
Re: App Transport Security REQUIRED January 2017
jpoblocki Jun 15, 2016 1:37 PM (in response to RLKingSoftware)
I agree. I understand that security is important, but there are far too many services that still use HTTP. I have an app that pulls images from NOAA over an HTTP connection. I don't see them switching to HTTPS anytime soon. Without an exception my app would be useless.
-
Re: App Transport Security REQUIRED January 2017
KalMudov Jun 16, 2016 1:57 AM (in response to RLKingSoftware)
We are in the same situation having an app which is in fact a proxy between web media and local network. A lot of web servers do not implement HTTPS and communications over local network too. It seems our app will be absolutely useless without NSAllowsArbitraryLoads. There must be a procedure/approval for apps like ours similar to setting for example Background modes for apps. I am sure a lot of apps are in our situation.
-
Re: App Transport Security REQUIRED January 2017
Appa Jun 16, 2016 8:55 AM (in response to KalMudov)
Sturgmeister on the xamarin forums mentioned that Apple (during the keynote) said that they would allow developers to apply for exemptions. I'm hoping that he is correct as in my particular use case, I call a REST API on an embedded board and it would literally be impossible to use SSL on without forcing all of our customers to upgrade at a cost of $5000+ per site.
-
-
Re: App Transport Security REQUIRED January 2017
eskimo Aug 2, 2016 4:17 AM (in response to RLKingSoftware)
First up, there have been no changes to the technical behaviour of ATS (other than the addition of NSAllowsArbitraryLoadsInWebContent and NSRequiresCertificateTransparency). From a technical perspective, ATS exceptions in the newly seeded OS releases work the same way as they do in the current OS release.
What has changed is that App Review will require “reasonable justification” for most ATS exceptions. The goal here is to flush out those folks who, when ATS was first released, simply turned it off globally and moved on. That will no longer be allowed.
The impact of this will depend on the circumstances of your app. I don’t work for App Review, so I can’t give definitive answers as to what constitutes a “reasonable justification” in their minds. However, I can recommend that you do the following:
- watch the WWDC session where we announced this change (WWDC 2016 Session 706 What’s New in Security) so that you can get a feel for the rationale behind it
- carefully audit your app’s use of HTTP and HTTPS
- construct a minimal ATS exception dictionary
- if you have ATS exceptions, keep notes about your analysis so that you can refer back to them when you need to submit your justification to App Review
Finally, if there are places where ATS has limitations that cause you to specify wider exceptions than one might reasonably expect, file an enhancement request against ATS for more appropriate exceptions. Make sure to note the bug number to use in your justification. And I’d appreciate you posting your bug number here, just for the record.
[I’ve removed the following example because we introduced NSAllowsLocalNetworking in iOS 10.0b4, partly based on the feedback we got from developers like you. Thanks everyone! OTOH, the general advice from the previous paragraph still stands.]
For example, right now ATS has very poor support for dealing with accessories on the local Wi-Fi. An app that needs to deal with such an accessory may well need to set NSAllowsArbitraryLoads. In that case, it would be wise to file a bug that describes your app’s requirements and requests better support from ATS, and use that bug number as part of your justification.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
-
Re: App Transport Security REQUIRED January 2017
Orologics Jun 23, 2016 10:55 AM (in response to eskimo)
Thanks, Quinn. Your response is very close to what I expected would happen. Anticipating that, I spent all last week with Allow Arbitrary Loads turned off. I had to create a huge list of exception domains in order to enable not only the third party open data APIs I reference, but their corresponding websites for configuration or information. Because NSAllowsArbitraryLoadsInWebContent is not available in iOS 9, I had to inspect and whitelist embedded links, e.g., code.jquery.com. If I didn't, some website controls would either look wrong or not work. That's even ignoring the FB and Twitter links I found.
There just doesn't seem to be a good way to release an app that can work compatibly in both iOS 9 and 10 if it depends on HTTP-only third party APIs and HTTP-only third party websites. I filed an enhancement request under 26976436.
-
Re: App Transport Security REQUIRED January 2017
Orologics Jun 23, 2016 12:27 PM (in response to eskimo)
I also submitted 26979531 as a bug report to allow LAN devices that are discovered by SSDP to be accessed using their discovered IP addresses, via HTTP/GET, while still retaining the security to block WAN access.
-
Re: App Transport Security REQUIRED January 2017
knoxy Sep 6, 2016 6:25 PM (in response to eskimo)
Thanks Quinn for all the great information. What's the process for determining now whether our 'reasonable justification' is in fact reasonable in the App Review team's mind, post-Jan 2017? If we submit an App with a single domain NSExceptionAllowsInsecureHTTPLoads exception for review today, together with our reasonable justification, can we ask for it to be reviewed as if it's post-Jan 2017?
-
Re: App Transport Security REQUIRED January 2017
jageen.shukla Sep 7, 2016 11:21 PM (in response to eskimo)
Hi, Thanks for the solution "NSAllowsArbitraryLoadsInWebContent".
I am working on application which are going to load pages into WebView this will help me only for iOS10.
Will you please help me what I should do for iOS9 and iOS8?
-
Re: App Transport Security REQUIRED January 2017
RichH_BC Sep 26, 2016 8:42 AM (in response to eskimo)
Thanks for this super bit of info!
Just a quick query around the documentation of the ATS keys.
It says:
NSAllowsArbitraryLoads: "Use of this key triggers App Store review and requires justification."
and also "In iOS 10 and later, and macOS 10.12 and later, the value of this key is ignored if any of the following keys are present in your app’s Info.plist file"
Now does this mean, as I want to load a HTTP link in a web view for iOS 9 that I can specify NSAllowsArbitraryLoads=YES and also NSAllowsArbitraryLoadsInWebContent=YES and I won't need to provide justification for the App Store review process because of the second comment above from the docs?
Or should I specify a domain level exception and set NSExceptionAllowsInsecureHTTPLoads=YES for that domain?
Cheers,
Rich
-
Re: App Transport Security REQUIRED January 2017
eskimo Sep 27, 2016 2:18 AM (in response to RichH_BC)
At the technical level, it’s hard to say which is the best option:
- With option #1 (NSAllowsArbitraryLoadsInWebContent and NSAllowsArbitraryLoads) iOS 9 will be less secure (because of the NSAllowsArbitraryLoads) but iOS 10 will be more secure (ATS is enabled for everything except the web view).
- With option #2 (NSAllowsArbitraryLoadsInWebContent and an NSExceptionDomains entry for your specific domain with NSExceptionAllowsInsecureHTTPLoads), iOS 9 will be more secure (because there’s no NSAllowsArbitraryLoads) but iOS 10 will be less secure (because the NSExceptionDomains applies to code outside of the web view).
I reckon you could reasonably justify either to App Review, but I can’t say for sure because I’m not allowed to speak on their behalf.
If I were in your shoes I’d probably go for the first option because:
- it offers the best security going forward; the percentage of users on iOS 10 is already significant and it’s growing rapidly
- lots of other developers will be doing this, so it’s going to be easier to justify to App Review
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
-
-
Re: App Transport Security REQUIRED January 2017
matthiasfromdresden Sep 27, 2016 8:23 AM (in response to eskimo)
Hi Quinn,
We developed an iOS framework that communicates with a backend. The network layer is written in plain C and talks HTTP/1.1 over posix sockets for portability. With the announcement of ATS enforcement at the end of 2016 we are getting a bit nervous if this will eventually have an effect on us.
So my question is, will Apple enforce encryption of HTTP communication over posix sockets in the near future?
Thank you
-
Re: App Transport Security REQUIRED January 2017
eskimo Sep 28, 2016 2:07 AM (in response to matthiasfromdresden)
So my question is, will Apple enforce encryption of HTTP communication over posix sockets in the near future?
I’m unable to predict the future, both due to policy reasons (my management hates it when I speculate) and… well… physics (-: Right now ATS is only enforced by our high-level APIs (NSURLSession, NSURLConnection, and anything layered on top of those), and there’s been no announcements about that changing.
Keep in mind, however, that ATS’s enhanced security requirements are not arbitrary; they are defined to give your users a good level of security on an increasingly hostile Internet. As such, your app should aim to comply with these requirements even if ATS is not actively enforcing them.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
-
Re: App Transport Security REQUIRED January 2017
matthiasfromdresden Sep 28, 2016 2:57 AM (in response to eskimo)
Thank you Quinn, that is exactly the answer I was hoping for
Kind regards,
Matthias
-
-
-
Re: App Transport Security REQUIRED January 2017
nvdev Jun 24, 2016 4:14 PM (in response to RLKingSoftware)
What happens to apps that are still in the app store by the end of the year that aren't using HTTPS?
-
Re: App Transport Security REQUIRED January 2017
hiroshinotainc Jun 30, 2016 11:45 PM (in response to nvdev)
Yeah, I am concerned about this too. I guess they will work as is, but I'd like to have some confirmation from Apple about this...
-
Re: App Transport Security REQUIRED January 2017
inspectordev Dec 9, 2016 3:47 AM (in response to nvdev)
Did you ever get an answer to your question?
-
Re: App Transport Security REQUIRED January 2017
openupandsay Dec 14, 2016 7:01 AM (in response to nvdev)
Can we get an Apple response to this question please?
-
-
Re: App Transport Security REQUIRED January 2017
mobiledatabooks Jul 6, 2016 11:22 AM (in response to RLKingSoftware)
You can use https://letsencrypt.org
It is free, stable and used by millions of web sites already.
Requires update every three months which can be automated.
I am testing it for 6 months already. Has been in beta till last month.
Now is out of beta.
You can register as many domains as you need for free.
-
Re: App Transport Security REQUIRED January 2017
itworks618 Aug 15, 2016 11:58 AM (in response to RLKingSoftware)
Filed enhancement request 27850892 to relax the Perfect Forward Secrecy requirement.
Quoted from the document on the default ATS requirements:
- The server certificate must meet at least one of the following trust requirements:
- The negotiated Transport Layer Security version must be TLS 1.2
- The negotiated TLS connection cipher suite must support forward secrecy (FS) and be one of the following:
- The leaf server certificate must be signed with one of the following types of key
#3 seems to be Perfect Forward Secrecy from nscurl utility output. I am wondering how widespread is perfect forward secrecy being enabled in web sites.
This particularly poses an issue for enterprise customers that the same App might be configured by end users to talk to different servers. For example, customerA's employees download the App from App Store and use it to connect to customerA's servers, and customerB's employees ask the same App to connect to different servers; and worse, the developers who build the App have no idea on those servers' SSL configurations/strengths.
-
Re: App Transport Security REQUIRED January 2017
LaurenDaniels Aug 30, 2016 11:10 PM (in response to itworks618)
-
Re: App Transport Security REQUIRED January 2017
knoxy Sep 6, 2016 11:19 PM (in response to itworks618)
There is already a NSExceptionRequiresForwardSecrecy exception which (I believe) will still be allowed post Jan-2017 (needs confirmation).
BTW over 50% of sites have PFS for modern browsers. If you scroll down here you can see https://www.trustworthyinternet.org/ssl-pulse/.
-
Re: App Transport Security REQUIRED January 2017
MickCropper Sep 1, 2016 3:59 AM (in response to RLKingSoftware)
Clearly this isn't going to work in every scenario, but take a look at this as this will cover most of the scenarios where this will impact, https://www.contradodigital.com/2016/09/01/claim-your-free-ssl-certificates-for-https/ - Lots more technical resources listed at the bottom of the page too for those with the capability to implement themselves.
-
Re: App Transport Security REQUIRED January 2017
thelaws Oct 11, 2016 2:35 PM (in response to MickCropper)
The https affordability concern isn't even as much of an issue as the performance hit https websites generally take. mod_spdy has been deprecated and I haven't yet seen a good solution to make https at least as fast as http on Apache servers. The performance hit is noticeable. Is Apple requiring even framed pages in an app must be https? We've got a few apps where links pull up a browser within the app to display sites that don't require https.
-
Re: App Transport Security REQUIRED January 2017
eskimo Oct 12, 2016 2:49 AM (in response to thelaws)
Is Apple requiring even framed pages in an app must be https?
I don’t know what you mean by this.
I suspect you’re asking about pages loaded in a web view, in which case you should check out NSAllowsArbitraryLoadsInWebContent. You can find links to the docs for this in my App Transport Security pinned post.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
-
Re: App Transport Security REQUIRED January 2017
lcvv Nov 8, 2016 7:19 PM (in response to eskimo)
I got a message that said "At the end of 2016, Apple will make ATS mandatory for all developers who hope to submit their apps to the App Store" from this link.
If I submit or update an app after January 1, 2017, the app must support HTTPS?
-
Re: App Transport Security REQUIRED January 2017
eskimo Nov 9, 2016 2:05 AM (in response to lcvv)
I’m going to assume you’ve read my App Transport Security pinned post; if not please do so now.
If I submit or update an app after January 1, 2017, the app must support HTTPS?
This is a question about App Review policy; I can’t give you definitive answers on that front because I don’t work for App Review. However, the pinned post I’ve referenced above has links to the published information about this policy change.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
-
Re: App Transport Security REQUIRED January 2017
dzensik Nov 18, 2016 7:40 AM (in response to eskimo)
Thank you Quinn for the explanation so far. However I don't understand one thing: In the App Transport Security post, the Chapter "App Store Review for ATS" reads: "Your use of certain App Transport Security (ATS) keys triggers additional App Store review for your app, and requires you to provide justification."
Does it apply for the already available apps in the App Store? So my apps in the App Store would trigger an additional review by the Review Team?
Thank you in advance.
Kind regards,
Dennis
-
Re: App Transport Security REQUIRED January 2017
openupandsay Dec 14, 2016 7:13 AM (in response to dzensik)
Can we get Apple to answer this question please?
-
-
Re: App Transport Security REQUIRED January 2017
inspectordev Dec 8, 2016 7:32 PM (in response to eskimo)
Hi Quinn, I appreciate the time you've taken to answer all these questions, but I still have one that remains. My app contains a video player that loads sources over HTTP. Come Jan 1, 2017, will iOS 10 devices prevent those videos from playing? Is there an automated prevention of loading resources over HTTP?
Thanks for the help.
-
-
-
-
-
-
Re: App Transport Security REQUIRED January 2017
Asia Innovations Nov 15, 2016 1:25 AM (in response to RLKingSoftware)
As the title notes, Apple announced that ATS will be REQUIRED of all apps as of January 2017.
Currently, access via HTTPS has been implemented on all our internal service interfaces.
We have several questions below:
1. Could "image url" embedded in our app be accessed via HTTP?
2. Could "FLV streaming url" embedded in our app be accessed via HTTP?
3. Could we continue to use "NSExceptionDomains" to open HTTP access for specific domain name?
4. Since our app need to support iOS 9 and now implemented WKWebKit, we wonder if "NSAllowsArbitraryLoads = YES" could be set separately under iOS 9?
Look forward to your soonest reply.
Best.
-
Re: App Transport Security REQUIRED January 2017
eskimo Nov 16, 2016 1:05 AM (in response to Asia Innovations)
To start, let’s be clear that there are two parts to any ATS question:
- how to make things work technically
- App Review policy
As I mentioned above, I’m not able to help with App Review policy side of things, but my ATS pinned post has references to the published information on that front.
With that out of the way, let’s look at your questions:
1. Could "image url" embedded in our app be accessed via HTTP?
2. Could "FLV streaming url" embedded in our app be accessed via HTTP?
There’s not enough info to answer these questions. Specifically:
- There’s no info about what API you’re using to access these resources, and the APIs really matter when it comes to ATS. For example:
  - If the resource is loaded by a web view, ATS has specific features to support that
  - If the resource is being loaded by BSD Sockets, ATS does not apply at all
- It’s also not clear whether you’re asking about the technical or App Review side of this.
3. Could we continue to use "NSExceptionDomains" to open HTTP access for specific domain name?
I believe you’re talking about the App Review side of things here, which I’ve covered above.
4. Since our app need to support iOS 9 and now implemented WKWebKit, we wonder if "NSAllowsArbitraryLoads = YES" could be set separately under iOS 9?
The standard approach here is to add two keys to your ATS dictionary:
- NSAllowsArbitraryLoadsInWebContent
- NSAllowsArbitraryLoads
This works as follows:
- iOS 10 honours NSAllowsArbitraryLoadsInWebContent
- iOS 9 ignores NSAllowsArbitraryLoadsInWebContent, but honours NSAllowsArbitraryLoads
- older versions of iOS do not include ATS
IMPORTANT The presence of NSAllowsArbitraryLoadsInWebContent causes iOS 10 to ignore NSAllowsArbitraryLoads. This results in best practice security on iOS 10 while maintaining compatibility with iOS 9.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
-
Re: App Transport Security REQUIRED January 2017
alex_kac Nov 16, 2016 11:52 AM (in response to eskimo)
I've read this whole thread…and I don't know what my answer should be. My situation is simple: We allow users to subscribe to calendars. Calendar subscriptions are rarely on SSL - and they are not "web content". So do we pretty much remove this feature? We can't ask for specific overrides because it's user-entered input.
-
Re: App Transport Security REQUIRED January 2017
eskimo Nov 17, 2016 2:29 AM (in response to alex_kac)
We allow users to subscribe to calendars. Calendar subscriptions are rarely on SSL - and they are not "web content" … We can't ask for specific overrides because it's user-entered input.
You should use NSAllowsArbitraryLoads. We continue to support this key for good reason: some apps need to be able to make insecure connections to arbitrary URLs input by the user. Previously NSAllowsArbitraryLoads was primarily used by web browsers, calendar apps, mail clients, and so on. It’s now no longer necessary for web browsers (due to NSAllowsArbitraryLoadsInWebContent) but it’s still relevant in the other cases.
Using NSAllowsArbitraryLoads will flag extra scrutiny during App Review but that does not mean you’ll automatically be rejected. Rather, you’ll have to provide reasonable justification for your use.
One thing you can do to improve the security of your app is to add NSExceptionDomains entries for the sites that should be secure. Let’s say your app talks to FooCal™, and the FooCal™ servers support ATS-compliant HTTPS. In that case you should add an NSExceptionDomains for foocal.example.com to your ATS exception dictionary so that ATS guarantees your security for those servers.
Similarly, if your app talks to servers you control (for analytics, say), you should make sure that they are ATS compliant and add them to NSExceptionDomains.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
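Added example, not part of any post in this thread and not Apple's code: a Python model of how the keys discussed above combine on iOS 9 and iOS 10, covering options #1 and #2 and the foocal.example.com entry. The plist contents, the hosts legacy.example.net and feeds.example.org, and all function names are constructed for illustration; exact host matching and per-domain entries taking precedence over the global keys are assumptions of the sketch.

```python
import plistlib

# Constructed Info.plist (not from the thread): option #1 from the discussion,
# plus an entry that keeps ATS on for a server known to be ATS-compliant.
OPTION_1_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSAllowsArbitraryLoadsInWebContent</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>foocal.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><false/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Constructed option #2: no global switch, one HTTP-only host listed by name.
OPTION_2 = {
    "NSAllowsArbitraryLoadsInWebContent": True,
    "NSExceptionDomains": {
        "legacy.example.net": {"NSExceptionAllowsInsecureHTTPLoads": True},
    },
}


def load_ats(plist_bytes):
    """Return the NSAppTransportSecurity dictionary, or {} if absent."""
    return plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})


def allows_insecure_http(ats, ios_major, host, in_web_view=False):
    """Model whether a plain-HTTP load to `host` is permitted.

    Assumptions of this sketch: exact host match only, and only the keys
    discussed in the thread are considered.
    """
    if ios_major < 9:
        return True  # older versions of iOS do not include ATS
    domain = ats.get("NSExceptionDomains", {}).get(host.lower())
    if domain is not None:
        # Assumed precedence: a per-domain entry decides for that host,
        # and the key defaults to NO when it is missing.
        return bool(domain.get("NSExceptionAllowsInsecureHTTPLoads", False))
    arbitrary = bool(ats.get("NSAllowsArbitraryLoads", False))
    if ios_major == 9:
        return arbitrary  # iOS 9 ignores NSAllowsArbitraryLoadsInWebContent
    if "NSAllowsArbitraryLoadsInWebContent" in ats:
        # iOS 10: presence of this key causes NSAllowsArbitraryLoads to be ignored.
        return in_web_view and bool(ats["NSAllowsArbitraryLoadsInWebContent"])
    return arbitrary


def weakening_exceptions(ats):
    """List the entries that relax ATS, as notes for an exception audit."""
    found = [k for k in ("NSAllowsArbitraryLoads",
                         "NSAllowsArbitraryLoadsInWebContent") if ats.get(k)]
    for host, entry in sorted(ats.get("NSExceptionDomains", {}).items()):
        if entry.get("NSExceptionAllowsInsecureHTTPLoads"):
            found.append(
                f"NSExceptionDomains/{host}/NSExceptionAllowsInsecureHTTPLoads")
    return found


if __name__ == "__main__":
    hosts = ("feeds.example.org", "foocal.example.com", "legacy.example.net")
    configs = (("option 1", load_ats(OPTION_1_PLIST)), ("option 2", OPTION_2))
    for name, ats in configs:
        print(name, weakening_exceptions(ats))
        for ios in (9, 10):
            for host in hosts:
                for web in (False, True):
                    verdict = allows_insecure_http(ats, ios, host, web)
                    print(f"  iOS {ios} {host} web_view={web}: {verdict}")
```

Running it prints the full matrix, which makes the trade-off visible: option #1 leaves every host open on iOS 9 but only web view loads open on iOS 10, while option #2 opens the named host to all code on both releases.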
-
Re: App Transport Security REQUIRED January 2017
IzzyGM Dec 7, 2016 8:04 PM (in response to eskimo)
Hello if my app has a button that makes this call and opens my website in safari will this not be allowed starting January 1st? Since my website isn't https I wasn't sure. Thanks for your help
[[UIApplication sharedApplication] openURL:[NSURL URLWithString:@"http://www.samplewebsite.com"]];
-ismael
-
Re: App Transport Security REQUIRED January 2017
eskimo Dec 11, 2016 3:16 PM (in response to IzzyGM)
App Review’s upcoming App Transport Security (ATS) requirement is about ATS, and ATS only applies to NSURLSession, the now-deprecated NSURLConnection, and APIs layered on top of those.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
-
-
Re: App Transport Security REQUIRED January 2017
abuzar Dec 9, 2016 2:07 AM (in response to eskimo)
Hi,
I have read whole thread I just want to ask that the developers who have enterprise applications will also need to use all HTTPS connections in their Enterprise applications or only the apps that are on App store need to implement HTTPS ?
In my Enterprise Applications currently I have key "Allow Arbitrary Loads" set to YES in .plist file which means it allows all HTTP connections from my applications.
So, do I need to remove this key from enterprise Applications ? Again I am repeating myself I am asking only for enterprise applications and not for App Store Applications.
-
Re: App Transport Security REQUIRED January 2017
eskimo Dec 11, 2016 3:20 PM (in response to abuzar)
So, do i need to remove [NSAllowsArbitraryLoads] from enterprise Applications ?
The announced change relates to App Review.
However, my recommendation is that you work hard to minimise your ATS exceptions, regardless of whether your app goes through App Review. Remember ATS’s requirements are not arbitrary: rather, they are set to give your users a reasonable level of security when talking over the network.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
-
-
-
-
Re: App Transport Security REQUIRED January 2017
sspitzerpopsugar Dec 29, 2016 4:22 PM (in response to eskimo)
"IMPORTANT The presence of NSAllowsArbitraryLoadsInWebContent causes iOS 10 to ignore NSAllowsArbitraryLoads. This results in best practice security on iOS 10 while maintaining compatibility with iOS 9."
Thanks for this info, that was causing me a lot of confusion.
-
-
Re: App Transport Security REQUIRED January 2017
KearLiao Dec 12, 2016 12:17 AM (in response to RLKingSoftware)
Are there any docs from Apple about this?
-
Re: App Transport Security REQUIRED January 2017
eskimo Dec 12, 2016 1:47 AM (in response to KearLiao)
Are there any docs from Apple about this?
My App Transport Security pinned post has references to both the ATS technical documentation and to the published information about the upcoming App Review policy change.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
-
Re: App Transport Security REQUIRED January 2017
KearLiao Dec 12, 2016 6:12 PM (in response to eskimo)
Thanks a lot.
-
-
-
Re: App Transport Security REQUIRED January 2017
Kinol Dec 13, 2016 2:35 AM (in response to RLKingSoftware)
Hi,
I have a question, same kind as the one asked by abuzar, on NSAllowsArbitraryLoads = YES
Context:
- My app integrates an advertising SDK
- The advertising SDK does most of its connections on https, but some to third-party servers are http and we can't know the server this in advance
After reading https://nabla-c0d3.github.io/blog/2016/08/14/ats-enforced-2017/ , I have to refer to point
- Third-party servers that the App connects to, for example via connections initiated by SDKs.
Third-Party Servers
For third-party servers that the App connects to, any ATS exemption can be used, including domain-specific blacklisted exemptions, as Apple has stated that not having control of the server was a reasonable justification.
Doing so will require identifying the list of third-party servers the App connects to, in order to be able to add the proper domain-specific ATS exemptions to the App.
My question concerns the underlined point: from what I understand, will have to identify each non-ssl third-party server. I'm in a situation of using an advertising SDK that can't know in advance all servers my app will have to request (through this SDK).
And also this SDK provider might dynamically tell their SDK to connect to a new third-party server that provide ads (or even as they say, a third-party server can point to a non-ssl address to another third-party server).
So in this case, if I use NSAllowsArbitraryLoads = YES , and justify it by the use of this advertising SDK that connects to third-parties, will the validation process be validated and not being rejected for not identifying third-party server? (because this is technically impossible)
Thank you
-
Re: App Transport Security REQUIRED January 2017
eskimo Dec 13, 2016 7:16 AM (in response to Kinol)
My question concerns the underlined point …
This is an App Review policy question and the only folks who can give you definitive answers about App Review policy is App Review. AFAIK they’ve not published any guidance as to what exactly they consider to be “reasonable justification”. For links to the guidance that they have published, see my App Transport Security pinned post.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
-
Re: App Transport Security REQUIRED January 2017
Kinol Dec 13, 2016 9:24 AM (in response to eskimo)
Hi eskimo and thank you for your answer.
So if I understand you well :
Starting January if I want to release an app with NSAllowsArbitraryLoads = YES, I will have to explain where required that I need this parameter because of an advertising SDK (the “reasonable justification”) .
But because there is no guidance from App Review team but to provide a “reasonable justification”, depending on who may review my app this justification may be rejected because of a different interpretation of it?
-
Re: App Transport Security REQUIRED January 2017
KMT Dec 21, 2016 9:41 PM (in response to Kinol)
The point is there are no pre-reviews, and your questions now may require different responses later, once policy is firmed up.
** 12.21 note the deadline has been extended with details on any new deadline to follow.
-
-
Re: App Transport Security REQUIRED January 2017
maya.z Dec 21, 2016 9:06 AM (in response to eskimo)
Hi Quinn
I am still puzzled regarding 3d party servers. As Kinol stated:
For third-party servers that the App connects to, any ATS exemption can be used, including domain-specific blacklisted exemptions, as Apple has stated that not having control of the server was a reasonable justification.
Doing so will require identifying the list of third-party servers the App connects to, in order to be able to add the proper domain-specific ATS exemptions to the App.
In iOS 10: Are we developers expected to reach out to all our 3d party SDK providers to verify that they support secure connections and if they are not are we expected to provide their domain list (for use in the exceptions)? Is there any other practice you can suggest?
Thanks
Maya
-
Re: App Transport Security REQUIRED January 2017
eskimo Dec 21, 2016 2:47 PM (in response to maya.z)
I am still puzzled regarding 3d party servers.
From Apple’s perspective, you are responsible for the code running inside your app. Ignoring ATS for the moment, if you use a third-party library that does something dumb (uses a private API, fills the user’s disk with junk, or whatever), it’s obvious that App Review will hold you responsible for that behaviour.
ATS is no different from this. If ‘your’ code is accessing a server, you need to ensure it uses ATS-compliant HTTPS, or you need to add an appropriate ATS exception (and, once this policy is enforced by App Review, justify that to App Review).
As to what sort of “reasonable justification” that App Review will accept for third-party SDKs accessing third-party servers, I can’t speak to that.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
-
-
-
Re: App Transport Security REQUIRED January 2017
gdakram Dec 13, 2016 8:55 PM (in response to RLKingSoftware)
What would Ad banner serving implications of this be in WebView? Unless I specify `NSAllowsArbitraryLoadsInWebContent` to YES, it will fail in 2 cases
1. Destination site is on http
2. Destination site is on https, but can't support TLS v1.2.
Seems like we just always have to justify this during app store submission. Thoughts?
-
Re: App Transport Security REQUIRED January 2017
maya.z Dec 19, 2016 2:25 AM (in response to RLKingSoftware)
Thank you Quinn for your answers. We are supporting and creating many applications, some are legacy applications with a low maintenance rate (this means that we rarely update them in the store).
Is Apple planning to review apps that are already in the store? Must we modify and update them asap to support the security requirements or can we leave them as is for now?
-
Re: App Transport Security REQUIRED January 2017
eskimo Dec 19, 2016 1:58 PM (in response to maya.z)
Again, I have to stress that I don’t work for App Review and thus can’t speak definitively on their behalf. However, with regards this:
Is Apple planning to review apps that are already in the store?
App Review has specifically announced that they plan to go back and look at existing apps on the store. See the App Store Improvements developer news post for details.
Having said that, this ATS requirement is very new (hey, it’s not being enforced even as I type), so I imagine you have some lead time on this front.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
-
-
Re: App Transport Security REQUIRED January 2017
acanare Dec 19, 2016 7:24 PM (in response to RLKingSoftware)
In case that the app only supports iOS 9 and below, built using Xcode 7.x, is adding NSAllowsArbitraryLoads will suffice - the app won't get rejected? Or adding options like NSAllowsArbitraryLoadsInWebContent is still needed? Thanks!
-
Re: App Transport Security REQUIRED January 2017
eskimo Dec 20, 2016 1:34 AM (in response to acanare)
In case that the app only supports iOS 9 and below …
I would have thought not supporting the latest release of iOS was grounds for rejection in and of itself (-:
Seriously though, only App Review can give you definitive answers about edge cases like this.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
-
-
Re: App Transport Security REQUIRED January 2017
canelia Dec 20, 2016 9:21 PM (in response to RLKingSoftware)
NSAllowsLocalNetworking: YES
-
Re: App Transport Security REQUIRED January 2017
chemm Dec 22, 2016 8:46 AM (in response to RLKingSoftware)
News from 2016/12/21 https://developer.apple.com/news/?id=12212016b
-
Re: App Transport Security REQUIRED January 2017
Minas90 Dec 30, 2016 4:16 PM (in response to RLKingSoftware)
Hi there,
I have a news app which loads arbitrary rss feeds, some are http and some are https.
App gets the feeds list from the backend, so I may add new rss http feed without updating my app. Is it “reasonable justification” to use NSAllowsArbitraryLoads?
-
Re: App Transport Security REQUIRED January 2017
eskimo Jan 3, 2017 3:41 AM (in response to Minas90)
Is it “reasonable justification” to use NSAllowsArbitraryLoads?
This is a question about App Review policy, and only App Review can give you definitive answers about that.
In your shoes I’d consider avoiding the whole issue by having my back end proxy the RSS feeds in question; that way your client app would only ever need to talk to your back end.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
-
-
Re: App Transport Security REQUIRED January 2017
eskimo Jan 3, 2017 3:50 AM (in response to RLKingSoftware)
Greetings All
I’m taking the extraordinary measure of locking this thread (for reasons I’ll outline below). If you have an ATS question, please do the following:
- Read my App Transport Security pinned post, just in case your question has been answered there.
- If not, put your question in a new thread in the Core OS > Networking area (click the Start a discussion link, which you’ll find on the right towards the top).
I’m locking this thread for two reasons:
- Given recent development, the thread title is now misleading.
- It’s clear that this thread has become a catch all for ATS questions in general, which has resulted in it growing to an unwieldy size. It would be better if each of those questions was in its own separate thread, allowing us to drive the question to a conclusion while keeping the thread length manageable.
Thanks for understanding!
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"