Questions on NSAllowArbitraryLoads settings

In regards to apple's ATS policy, we have the following 3 questions:

  1. In iOS10, if the value of NSAllowArbitraryLoadsInMedia and NSAllowsArbitraryLoadsInWebContent is set to YES, will the configuration of NSAllowArbitraryLoads be ignored during running?
  2. Currently, our app supports iOS9. In order to supports WebView access via http in iOS9 and above versions, if the value of NSAllowArbitraryLoadsInMedia and NSAllowsArbitraryLoadsInWebContent is set to YES, do we have to set the value of NSAllowArbitraryLoads to YES as well?
  3. If the value of NSAllowArbitraryLoadsInMedia and NSAllowsArbitraryLoadsInWebContent is set to YES, the value of NSAllowArbitraryLoads needs to be set to YES to support iOS9. Does that mean we only need to provide reasonable justifications for the value setting of NSAllowArbitraryLoadsInMedia and NSAllowsArbitraryLoadsInWebContent without explaining why we set NSAllowArbitraryLoads to YES?

These are the questions we'd like to ask. Looking forward to your reply!

Many thanks!

Accepted Reply

Thank you so much for your reply, Eskimo. It was very informative and helpful.
However, we are still a bit confused on question 3.

(1) Now, our App needs to link to a third-party, whose access range is uncontrolled and access method may not be https. Thus, we cannot set exceptions by NSExceptionDomains. If we set NSAllowsArbitraryLoadsInWebContent to YES, is the following justification acceptable? “Since the third-party’s access range cannot be controlled and access method is not https, we need to set exceptions byNSAllowsArbitraryLoadsInWebContent.”
(2) Our App needs to get public information from public portal sites. Since customer information or other confidential information is not involved in this process,there will be no security risks even if we don’t use https communication. Therefore, is it possible for us to apply for exceptions byNSExceptionDomains? Is the following justification acceptable? “Since the communication websites are public information disclosing sites in which customer information or other confidential information is not involved, we would like to apply for http communication by NSExceptionDomains configuration.”

BTW, we understand that you are not from APP Review Team. So is it possible for us to contact them directly? For instance, do they have their own forum or other contact channels? Thank you!

Regards,
Al

Replies

1. In iOS10, if the value of

NSAllowArbitraryLoadsInMedia
and
NSAllowsArbitraryLoadsInWebContent
is set to
YES
, will the configuration of
NSAllowArbitraryLoads
be ignored during running?

Yes. The ATS docs are pretty clear about this:

If you add this key to your Info.plist file, then … ATS ignores the value of the

NSAllowsArbitraryLoads
key.

2. Currently, our app supports iOS9. In order to supports WebView access via http in iOS 9 and above versions, if the value of

NSAllowArbitraryLoadsInMedia
and
NSAllowsArbitraryLoadsInWebContent
is set to YES, do we have to set the value of
NSAllowArbitraryLoads
to YES as well?

Yes. iOS 9 knows nothing about the new keys, so if you want things to load there you’ll need to also apply the old key.

3. If the value of

NSAllowArbitraryLoadsInMedia
and
NSAllowsArbitraryLoadsInWebContent
is set to
YES
, the value of
NSAllowArbitraryLoads
needs to be set to
YES
to support iOS 9. Does that mean we only need to provide reasonable justifications for the value setting of
NSAllowArbitraryLoadsInMedia
and
NSAllowsArbitraryLoadsInWebContent
without explaining why we set
NSAllowArbitraryLoads
to YES?

I don’t work for App Review, and thus can’t give definitive answers about what they consider to be reasonable justification. However, I will say that the approach you’re taking is how we expect folks to deal with backwards compatibility. Again, this is supported by the ATS docs, which say:

To support older versions of iOS and macOS, you can employ [

NSAllowsArbitraryLoadsInWebContent
] and still manually configure ATS. To do so, set this key’s value to YES and also configure the
NSAllowsArbitraryLoads
subkeys.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thank you so much for your reply, Eskimo. It was very informative and helpful.
However, we are still a bit confused on question 3.

(1) Now, our App needs to link to a third-party, whose access range is uncontrolled and access method may not be https. Thus, we cannot set exceptions by NSExceptionDomains. If we set NSAllowsArbitraryLoadsInWebContent to YES, is the following justification acceptable? “Since the third-party’s access range cannot be controlled and access method is not https, we need to set exceptions byNSAllowsArbitraryLoadsInWebContent.”
(2) Our App needs to get public information from public portal sites. Since customer information or other confidential information is not involved in this process,there will be no security risks even if we don’t use https communication. Therefore, is it possible for us to apply for exceptions byNSExceptionDomains? Is the following justification acceptable? “Since the communication websites are public information disclosing sites in which customer information or other confidential information is not involved, we would like to apply for http communication by NSExceptionDomains configuration.”

BTW, we understand that you are not from APP Review Team. So is it possible for us to contact them directly? For instance, do they have their own forum or other contact channels? Thank you!

Regards,
Al

Not working for App Review, I can’t comment on how you should word your justifications. However, I did want to address the following.

(2) Our App needs to get public information from public portal sites. Since customer information or other confidential information is not involved in this process,there will be no security risks even if we don’t use https communication.

Just because a resource is public does not make it OK to transfer it over HTTP. There are at least three problems with that approach:

  • HTTP has no client-authenticates-server authentication, so your client could be displaying completely bogus information. Imagine you’re building an app that displays local restaurants; an attacker in a privileged network position could redirect customers from the closest restaurant to their preferred restaurant. You can imagine a less-than-honest hotel implementing such a ‘feature’ on their hotel Wi-Fi.

  • Another consequence of the above is that an attacker can substitute dangerous content. Imagine your app has a bug in the code it uses to parse responses (either in your code or in some library you use). An attacker could insert a resource that exploits that bug to cause your app to misbehave, possibly using that to bootstrap an attack on the device as a whole.

  • In a lot of cases the specific resources being accessed should be considered private. For example, all of Wikipedia is public information but if you’re building a Wikipedia app you have to use HTTPS because users want to keep their specific searches private.

Honestly, I struggle to find any scenario where insecure HTTP is acceptable.

So is it possible for us to contact them directly?

You can contact App Review via the links on this page.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thank you for your reply. One more question: Our app client communicates with our portal website via HTTPS. However, there are some HTTP links and URLs on our portal. If ATS is required, error may occur if our customer click on these links. In this case, could we apply for exceptions? Thanks!

In this case, could we apply for exceptions?

Well, you can always apply for an exception (-:

Seriously though, I don’t work for App Review and thus can’t give useful advice as to what constitutes “reasonable justification”.

Our app client communicates with our portal website via HTTPS.

Is it doing this in a web view? If so, that should be covered by

NSAllowsArbitraryLoadsInWebContent
.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

"Is it doing this in a web view? If so, that should be covered by

NSAllowsArbitraryLoadsInWebContent
."


Yes, this is done in a web view. In this case, how about the http URLs of other websites on our portal site?


Regards

In this case, how about the http URLs of other websites on our portal site?

Loaded by the web view? Or loaded via other means?

As a general rule,

NSAllowsArbitraryLoadsInWebContent
covers all resources loaded by any web view. However, I recommend that you actually try this for yourself; it’s the only way to be sure.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thank you for replying.

In our case, we cannot guarantee that all the URLs on our portal site are HTTPS. As a result, when loading these HTTP URLs by web view, the only way available is to set NSAllowsArbitraryLoadsInWebContent?

As a result, when loading these HTTP URLs by web view, the only way available is to set

NSAllowsArbitraryLoadsInWebContent
?

Is that a question or a statement? It reads like a statement but ends with a question mark )-:

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

LOL. It's a question. Just want to confirm whether that's the only way available.

It’s not the only way, but may be the best way. It really depends on how your site is structured. For example:

  • If your site is mostly ATS-compliant HTTPS but there’s a few links to known non-compliant sites, you could use

    NSExceptionDomains
    to add exceptions for just those domains.
  • If your site is only accessed by a web view,

    NSAllowsArbitraryLoadsInWebContent
    is a good option.
  • If your app has a native component and the site sends that native component to arbitrary other servers on the Internet,

    NSAllowsArbitraryLoads
    might be the only option.

My general advice on the ATS front is that you should:

  1. evaluate the servers your app accesses

  2. where possible, make those servers ATS compliant

  3. if there are servers you can’t fix, construct the smallest possible ATS exception dictionary that allows your app to work

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi, Quinn.

Here is another question we'd like to ask.

We've noticed that if the key value of NSAllowArbitraryLoadsInWebContent is set to YES in iOS 10.1, visiting of https://elife-customerm.icbc.com.mo via UIWEbView will not be successful. However, we can visit the above URL in iOS 10.2 , even though the forward secrecy policy of this webiste does not meet the ATS requirements.

So is this a bug in iOS 10.0 and iOS 10.1? Will you guys fix this bug in future versions (to be specific, in which version)? And as for us, the app developers, is there anything we can do to avoid this bug?

Thanks for reading this. And look forward to your reply.

Regards,

Al

We've noticed that if the key value of

NSAllowsArbitraryLoadsInWebContent
is set to YES in iOS 10.1, visiting of … via UIWEbView will not be successful. However, we can visit the above URL in iOS 10.2 …

That latter is the expected behaviour. Specifically, the intent of

NSAllowsArbitraryLoadsInWebContent
is that it should cause the web views to act like Safari, that is, enforce standard HTTPS security but not ATS’s enhanced security. It’s implementation is getting steadily closer to fulfilling that intent (-:

So is this a bug in iOS 10.0 and iOS 10.1?

Yes.

Will you guys fix this bug in future versions (to be specific, in which version)?

It looks like it’s already fixed in 10.2.

And as for us, the app developers, is there anything we can do to avoid this bug?

Not really. You could switch to using

NSAllowsArbitraryLoads
, but that’s definitely taking you in the wrong direction. The best option here is to encourage your customers to update to 10.2, which most of them do anyway.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"