NSAllowsArbitraryLoads and Enterprise apps

Hi,


I have read that with the flag NSAllowsArbitraryLoads Apple is enforcing communication via HTTPS and all apps that don't support that will not be added to the App Store.

Does the same rule apply for apps developed for internal enterprise usage? I have a SOAP web service that is running on HTTP and I want to access that. Is that going to be an issue?


Max

Replies

I have read that with the flag NSAllowsArbitraryLoads Apple is enforcing communication via HTTPS and all apps that don't support that will not be added to the App Store.

That’s not quite right. Apple has announced that use of this will eventually require “reasonable justification”, but enforcement of that has been deferred. My App Transport Security pinned post has the backstory.

Does the same rule apply for apps developed for internal enterprise usage?

Enterprise apps are required to follow App Store rules. However, as this rule is about providing justification, it’s unlikely to ever trip you up.

Having said that…

HTTP, really!?! It’s 2019, you shouldn’t be running any service over HTTP. Getting an HTTPS certificate for your server is pretty straightforward:

  • If this server is on the public Internet, getting a valid certificate is both cheap and easy (where cheap can mean free).

  • If not, you can have your enterprise certificate authority (CA) issue your server a certificate.

Keep in mind that HTTPS is not just about secrecy; it also allows you to trust the data being returned by the server. With HTTP you might end up talking to an untrusted server, that returns bogus (or even malicious) results.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
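
An added example (not part of the thread, and not Apple's code): a small Python audit of the App Transport Security dictionary in an Info.plist, separating the blanket NSAllowsArbitraryLoads flag discussed above from a per-domain exception. The host name soap.corp.example, the two sample plists and the severity labels are assumptions made for illustration.

```python
import plistlib

# Per Apple's documentation of NSAllowsArbitraryLoads: on iOS 10+ / macOS 10.12+
# the flag is ignored (treated as NO) when any of these keys is present.
OVERRIDING_KEYS = ("NSAllowsArbitraryLoadsForMedia",
                   "NSAllowsArbitraryLoadsInWebContent",
                   "NSAllowsLocalNetworking")

def audit_ats(plist_bytes):
    """Return (severity, message) findings; severities are this example's own."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    overriding = [k for k in OVERRIDING_KEYS if k in ats]
    if ats.get("NSAllowsArbitraryLoads") is True:
        if overriding:
            findings.append(("info", "NSAllowsArbitraryLoads is set but ignored "
                             "because " + ", ".join(overriding) + " is present"))
        else:
            findings.append(("high", "NSAllowsArbitraryLoads turns ATS off "
                             "for every domain"))
    # The media and web-content keys each switch ATS off for one class of loads.
    for key in OVERRIDING_KEYS[:2]:
        if ats.get(key) is True:
            findings.append(("medium", key + " disables ATS for one class of loads"))
    # Per-domain exceptions are narrower than the blanket flag but still cleartext.
    for domain, cfg in sorted(ats.get("NSExceptionDomains", {}).items()):
        if cfg.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            scope = domain + (" and its subdomains"
                              if cfg.get("NSIncludesSubdomains") else "")
            findings.append(("medium", "cleartext HTTP allowed for " + scope))
    return findings

# Constructed samples: the blanket flag from the question, and the same need
# expressed as a single scoped exception for a hypothetical internal host.
BLANKET = plistlib.dumps({"NSAppTransportSecurity": {"NSAllowsArbitraryLoads": True}})
SCOPED = plistlib.dumps({"NSAppTransportSecurity": {"NSExceptionDomains": {
    "soap.corp.example": {"NSExceptionAllowsInsecureHTTPLoads": True}}}})

if __name__ == "__main__":
    for name, sample in (("blanket", BLANKET), ("scoped", SCOPED)):
        for severity, message in audit_ats(sample):
            print(name, severity, message, sep=": ")
```

An Info.plist with no NSAppTransportSecurity dictionary yields no findings, which is the state an app reaches once its server speaks HTTPS with a certificate the device trusts.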

Thanks for the extensive answer and links provided, really helpful! 🙂

While I totally agree that the server should be HTTPS, I am struggling to get the proper setup and certificates done when my iOS simulator runs on 192.168.1.8 and my web server on 192.168.1.12 but I guess that is a story for another post ...

I am struggling to get the proper setup and certificates done when my iOS simulator runs on 192.168.1.8 and my web server on 192.168.1.12

That setup suggests that you’re working with a test server. If so, here’s how you can enable HTTPS in an ATS compatible way:

  1. Give your server a reasonable .local name. If the server is running on a Mac, view and configure this in System Preferences > Sharing. There are equivalent mechanisms on other platforms [1].

  2. Create a custom CA and use it to issue a certificate for that .local name. If you don’t already have experience running a CA, do this on your Mac using Certificate Assistant. See Technote 2326 Creating Certificates for TLS Testing.

  3. Install that CA’s root certificate on your client devices. For hints on that, see QA1948 HTTPS and Test Servers.

  4. Configure your client app to connect over HTTPS to that .local name.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

[1] Unless your server is running on something that doesn’t support mDNS, which would be weird because it’s supported out of the box by all Apple platforms and modern versions of Android, Linux, and Windows.

Regardless, if your server doesn’t support mDNS you can use your Mac to give it a .local name using the -P argument to dns-sd (see its man page for details).