Slowbro

Reputation: 191

iOS 9: Application Transport Security plist configurations

I am currently working on an application that uses both HTTPS endpoints and HTTP endpoints. Now I want to conform to Application Transport Security for iOS 9 by making an NSExceptionDomains dictionary in the plist, but the number of 3rd party endpoints my application hits is dynamic and always growing, so doing this would be a fairly tedious task.

So while I could just set NSAllowsArbitraryLoads to YES, I would much rather have ATS off by default except for my handful of secure HTTPS endpoints. Is it possible to do this? I saw one blog post about someone configuring the plist this way.

But I cannot find any information verifying that this is a valid solution, nor do I know how to tell whether an HTTPS request is using ATS. Does anyone know if this is possible or how to know if this is working?

EDIT

It's worth mentioning that the tags in the current app documentation are incorrect.

NSExceptionAllowInsecureHTTPLoads
NSExceptionRequiresForwardSecrecy
NSExceptionMinimumTLSVersion
NSThirdPartyExceptionAllowsInsecureHTTPLoads
NSThirdPartyExceptionMinimumTLSVersion
NSThirdPartyExceptionRequiresForwardSecrecy

are actually

NSTemporaryExceptionAllowsInsecureHTTPLoads
NSTemporaryExceptionRequiresForwardSecrecy
NSTemporaryExceptionMinimumTLSVersion
NSTemporaryThirdPartyExceptionAllowsInsecureHTTPLoads
NSTemporaryThirdPartyExceptionMinimumTLSVersion
NSTemporaryThirdPartyExceptionRequiresForwardSecrecy

Upvotes: 4

Views: 2801

Answers (1)

Slowbro

Reputation: 191

After doing some more research I was able to answer my own question. So basically you are saying everything needs to default to not using ATS by setting NSAllowsArbitraryLoads = YES.

But then in your exceptions dictionary (NSExceptionDomain) you are specifying endpoints that you want to act differently. So that means you can put your HTTPS endpoints in this list and specify that they use ATS by setting NSTemporaryExceptionAllowsInsecureHTTPSLoads to NO. I was able to verify this by putting in an unsecure endpoint, itunes.apple.com, and trying to reach it. When I set NSTemporaryExceptionAllowsInsecureHTTPSLoads to NO it failed and complained about it not being secure.

This may be obvious to most people but with the little documentation out there I hope this helps.

Upvotes: 4
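The precedence described in the answer can be checked offline before shipping a build. The following is an added example, not code from the post: a small Python audit that parses an Info.plist and reports, per host, whether plain HTTP would be permitted. The plist content, the host names and the function names are constructed for illustration; the per-domain key uses the `NSTemporaryExceptionAllowsInsecureHTTPLoads` spelling from the question's list, and the model assumes a per-domain entry takes precedence over `NSAllowsArbitraryLoads`, as the answer reports.

```python
import plistlib

# Constructed Info.plist fragment (not from the post): ATS is off globally
# and re-enabled for one HTTPS API host and its subdomains.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key><dict>
      <key>api.example.com</key><dict>
        <key>NSIncludesSubdomains</key><true/>
        <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key><false/>
      </dict>
    </dict>
  </dict>
</dict></plist>"""

# Both spellings listed in the question; either may appear in a plist.
INSECURE_KEYS = ("NSExceptionAllowsInsecureHTTPLoads",
                 "NSTemporaryExceptionAllowsInsecureHTTPLoads")

def match_exception(ats, host):
    """Return the exception dict that applies to host, or None."""
    host = host.lower().rstrip(".")
    subdomain_match = None
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        d = domain.lower()
        if host == d:
            return rules  # an exact entry wins over a parent-domain entry
        if rules.get("NSIncludesSubdomains", False) and host.endswith("." + d):
            subdomain_match = rules
    return subdomain_match

def insecure_http_allowed(plist_bytes, host):
    """True if this configuration would permit plain HTTP to host."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    rules = match_exception(ats, host)
    if rules is None:
        # No per-domain entry: the global switch decides.
        return bool(ats.get("NSAllowsArbitraryLoads", False))
    # Assumption from the answer: a per-domain entry overrides the global
    # switch, and a missing key counts as NO.
    return any(rules.get(k, False) for k in INSECURE_KEYS)

def audit(plist_bytes, hosts):
    """Map each host to the policy this plist would apply to it."""
    return {h: "HTTP allowed" if insecure_http_allowed(plist_bytes, h)
            else "ATS enforced" for h in hosts}
```

Running `audit` over the list of hosts the app is expected to contact shows which ones fall through to the global `NSAllowsArbitraryLoads` setting, for example a host whose name only resembles a listed domain.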
