3 Replies
      Latest reply on Sep 2, 2019 1:18 AM by eskimo
      bobandsee Level 1 (0 points)

        Hi,


        I have read that with the flag NSAllowsArbitraryLoads Apple is enforcing communication via HTTPS and all apps that don't support that will not be added to the App Store.

        Does the same rule apply for apps developed for internal enterprise usage? I have a SOAP web service that is running on HTTP and I want to access that. Is that going to be an issue?


        Max

        Re: NSAllowsArbitraryLoads and Enterprise apps
          eskimo Apple Staff (11,825 points)

          I have read that with the flag NSAllowsArbitraryLoads Apple is enforcing communication via HTTPS and all apps that don't support that will not be added to the App Store.

          That’s not quite right.  Apple has announced that use of this will eventually require “reasonable justification”, but enforcement of that has been deferred.  My App Transport Security pinned post has the backstory.

          Does the same rule apply for apps developed for internal enterprise usage?

          Enterprise apps are required to follow App Store rules.  However, as this rule is about providing justification, it’s unlikely to ever trip you up.


          Having said that…

          HTTP, really!?!  It’s 2019, you shouldn’t be running any service over HTTP.  Getting an HTTPS certificate for your server is pretty straightforward:

          • If this server is on the public Internet, getting a valid certificate is both cheap and easy (where cheap can mean free).

          • If not, you can have your enterprise certificate authority (CA) issue your server a certificate.

          Keep in mind that HTTPS is not just about secrecy; it also allows you to trust the data being returned by the server.  With HTTP you might end up talking to an untrusted server that returns bogus (or even malicious) results.

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

            Re: NSAllowsArbitraryLoads and Enterprise apps
              bobandsee Level 1 (0 points)

              Thanks for the extensive answer and links provided, really helpful!

              While I totally agree that the server should be HTTPS, I am struggling to get the proper setup and certificates done when my iOS simulator runs on 192.168.1.8 and my web server on 192.168.1.12 but I guess that is a story for another post ...

                Re: NSAllowsArbitraryLoads and Enterprise apps
                  eskimo Apple Staff (11,825 points)

                  I am struggling to get the proper setup and certificates done when my iOS simulator runs on 192.168.1.8 and my web server on 192.168.1.12

                  That setup suggests that you’re working with a test server.  If so, here’s how you can enable HTTPS in an ATS compatible way:

                  1. Give your server a reasonable .local name.  If the server is running on a Mac, view and configure this in System Preferences > Sharing.  There are equivalent mechanisms on other platforms [1].

                  2. Create a custom CA and use it to issue a certificate for that .local name.  If you don’t already have experience running a CA, do this on your Mac using Certificate Assistant.  See Technote 2326 Creating Certificates for TLS Testing.

                  3. Install that CA’s root certificate on your client devices.  For hints on that, see QA1948 HTTPS and Test Servers.

                  4. Configure your client app to connect over HTTPS to that .local name.

                  Share and Enjoy

                  Quinn “The Eskimo!”
                  Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                  let myEmail = "eskimo" + "1" + "@apple.com"

                  [1] Unless your server is running on something that doesn’t support mDNS, which would be weird because it’s supported out of the box by all Apple platforms and modern versions of Android, Linux, and Windows.

                  Regardless, if your server doesn’t support mDNS you can use your Mac to give it a .local name using the -P argument to dns-sd (see its man page for details).