Application Transport Security ?

When I try to start a URL request to my website from watchOS 2, the request fails and I get this message:


Application Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file.


What can I do? All I've found in the doc is:


App Transport Security

App Transport Security (ATS) lets an app add a declaration to its Info.plist file that specifies the domains with which it needs secure communication. ATS prevents accidental disclosure, provides secure default behavior, and is easy to adopt. You should adopt ATS as soon as possible, regardless of whether you’re creating a new app or updating an existing one.

If you’re developing a new app, you should use HTTPS exclusively. If you have an existing app, you should use HTTPS as much as you can right now, and create a plan for migrating the rest of your app as soon as possible.


But nothing about the name of the key in Info.plist.

Answered by DTS Engineer in 642411022
I only just noticed this thread and I have some concerns about the accepted answer here. Apple strongly recommends against completely disabling ATS by setting the NSAllowsArbitraryLoads key. This key is intended to be used in situations where you have to connect to arbitrary user-specified servers, and thus can’t statically declare your ATS requirements in your Info.plist. For example, imagine you’re building a tool where the user can enter an arbitrary URL and you fetch that URL and display the returned headers. The user might enter any sort of URL, including an http URL, or one to a server whose TLS setup is broken, and you still need to work with it. That’s a perfect use case for NSAllowsArbitraryLoads.

In cases like this one, where you’re trying to connect to a single server, our advice is:
  • If possible, fix the server to be ATS compatible. This yields the best security which, after all, is the whole purpose of ATS.

  • If you can’t fix the server, apply a targeted exception using NSExceptionDomains rather than disabling ATS entirely using NSAllowsArbitraryLoads.

For more background on ATS, see Preventing Insecure Network Connections and the associated NSAppTransportSecurity reference.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
Accepted Answer

Adding the following to your Info.plist will disable ATS


<key>NSAppTransportSecurity</key>
     <dict>
          <key>NSAllowsArbitraryLoads</key><true/>
     </dict>

Where in the doc did you find this information? Is there more useful information?



It's not in the documentation. I found it by doing a search of the contents of the CFNetwork binary. There are other keys, but I haven't figured out how to use them yet.

The info you are looking for:

NSAppTransportSecurity
    NSExceptionDomains
        "example.com"
            NSIncludesSubdomains = YES
            NSExceptionRequiresForwardSecrecy = NO
            NSExceptionMinimumTLSVersion = "TLSv1.1"

Check it out in WWDC session 711

https://developer.apple.com/videos/wwdc/2015/?id=711 @ 5:55



🙂

That's good if you've found your solution, however a word of caution re the iOS9 beta and HTTPS: at least one bug exists where legitimate HTTPS URLs are not seeing successful connections because of an SSL bug. See my issue here: https://forums.developer.apple.com/thread/4988 - although this is an SSL issue to do with Mapkit URLs, I would expect it'd be affecting more than just those. Most SSL issues resolve down to a lack of trust; by design if anything in the trust checklist between two parties doesn't succeed, the whole request fails. Anyway, regarding this beta and its SSL problem, if I find a way of working around this, I'll update that linked issue above.

The problem may be that ATS is requiring TLS 1.2-only servers, presumably to prevent attacks that involve downgrades to lower versions of the protocol. Evidence in favour of this is that Amazon servers (which do support TLS 1.2) are also blocked, though with a different code. See the thread at https://forums.developer.apple.com/thread/4017, and DO FILE A BUG REPORT ABOUT THIS. That is what beta testing is for.

This bypass doesn't appear to work anymore on beta 2 -- my app fails to install on either the hardware or on the simulator. Has anyone found a workaround?

Saliency, it must be something else other than just this causing a failure (one of perhaps many numerous problems?). I just was able to get around this network error today on beta 2 (simulator) -- it's worked many times for me after conversion of an app. Watch menus, however, never fire their IBActions for me 😟.

How's beta 3 working for you?

This works on beta 3.

Same problem as before, could just be a bug in the sdk. I've kinda given up on bleeding edge stuff (like WatchKit 2.0) and using Xcode 7 b3 for more pedestrian things like iOS apps. Really hard to know what's going on; filed a bug a few weeks ago, no response, no acknowledgement. These forums are hard to follow because there's no inbox and no interactivity -- vast difference when compared to StackOverflow. BTW the network bypass works for me on b2 and b3.

I tried this and the app works on the Simulator. When running on my iPhone iOS 8.4 with Apple Watch (old Watch OS) the app "hangs".

I've set 8.4 as deployment target but maybe this combination doesn't work with Swift 2 and Xcode 7 beta 3?

Dang it: the screenshot in the video was really confusing.


The WWDC video "Networking with NSURLSession" showed this:


<dict>
  <key>NSExceptionDomains</key>
  <dict>
       <key>subdomain.somedomain.com</key>
       <dict>
            <key>NSIncludesSubdomains</key><true/>
            <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
            <key>NSExceptionRequiresForwardSecrecy</key><false/>
       </dict>
  </dict>
</dict>


but this did not seem to work for IP addresses (e.g. 127.0.0.1 or localhost).

In order to allow any http, you just need the aforementioned key that seems to opt out completely:


<dict>
  <key>NSAllowsArbitraryLoads</key><true/>
</dict>


note: tried on beta 4

It doesn't work with Swift 2 and Xcode 7 beta 5. How to fix it? Pls help me.

How to fix this error in Xcode 7 beta 5? Pls help me.

Opting out of ATS for me only works on the devices - iPad2, iPhone 4s...

The simulator still refuses to load the app!


objC - Xcode beta4 - deployment target 8.4

For me it worked fine, on an iPhone 6+ and also in the iPhone 6 simulator with iOS 8.4.

Does anyone know about the real-world implications on existing apps?


For example: I have an app in the App Store, compiled against the iOS 8 SDK, making massive use of locally stored http (not https) and JavaScript content. Will my app/webview break and fail to load as soon as users upgrade to iOS 9?


If so, this will be a disaster, regarding the uncountable number of apps with WebViews on the App Store. I can't imagine they will all break?


Edit: Nevermind, just found the answer:

"Apps built against earlier SDKs will behave as they always have."

https://forums.developer.apple.com/message/40668#40668

I'm trying to run an app in the Watch, using Xcode beta 4.

I already added the ATS keys in the plist to shut down ATS functionality. Once I did that, I'm still getting the error:


Optional(Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSErrorFailingURLStringKey=https://hostURL, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSErrorFailingURLKey=https://hostURL, _kCFStreamErrorCodeKey=-9801, _kCFStreamErrorDomainKey=3, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made.})

Any ideas if this is already fixed in Watch OS 2, or will it be available for the Watch?


Thanks in advance.

Not working for me in Beta 5 for "localhost", and neither in Beta 6

Edit: Nevermind, just found the answer:

"Apps built against earlier SDKs will behave as they always have."


Hi Auco


I don't think this is true though? My app's deployment target is set to 5.1.1, but my app fails on my iOS 9 device.

It's not the deployment target that matters, but rather that you're compiling against the iOS 9 SDK.

The keys are not correct. The correct ones are:


NSRequiresCertificateTransparency

NSTemporaryExceptionRequiresForwardSecrecy

NSTemporaryThirdPartyExceptionAllowsInsecureHTTPLoads

NSTemporaryThirdPartyExceptionMinimumTLSVersion

NSTemporaryThirdPartyExceptionRequiresForwardSecrecy


See:

http://ste.vn/2015/06/10/configuring-app-transport-security-ios-9-osx-10-11/

So if my app still crashes while I'm building against the latest SDK (iOS 9.0), what other options are there to fix this issue?
