kreatywny

Reputation: 228

How to set App Transport Security in Appcelerator

I am trying to configure App Transport Security, but I am always getting a response from Security Scan that it is not properly configured. I am using Appcelerator SDK 7.0.1 for iOS.

Scan result:

App Transport Security
App Transport Security (ATS), which is a networking security feature that ensures network connections employ the most secure protocols and ciphers, was found to be misconfigured.

NSAllowsArbitraryLoads set YES

This is a part of my tiapp.xml

<property name="ios.whitelist.appcelerator.com" type="bool">false</property>
<ios>
    <enable-launch-screen-storyboard>true</enable-launch-screen-storyboard>
    <use-app-thinning>true</use-app-thinning>
    <plist>
        <dict>
            <key>UISupportedInterfaceOrientations~iphone</key>
            <array>
                <string>UIInterfaceOrientationPortrait</string>
            </array>
            <key>UISupportedInterfaceOrientations~ipad</key>
            <array>
                <string>UIInterfaceOrientationPortrait</string>
                <string>UIInterfaceOrientationPortraitUpsideDown</string>
            </array>
            <key>UIRequiresPersistentWiFi</key>
            <false/>
            <key>UIPrerenderedIcon</key>
            <false/>
            <key>UIStatusBarHidden</key>
            <false/>
            <key>UIStatusBarStyle</key>
            <string>UIStatusBarStyleDefault</string>
            <key>NSAppTransportSecurity</key>
            <dict>
                <key>NSAllowsArbitraryLoads</key>
                <true/>
            </dict>
        </dict>
    </plist>
</ios>

It is done as specified in the documentation: http://docs.appcelerator.com/platform/latest/#!/api/Titanium.Network

What am I doing wrong? Thanks in advance for help.

Upvotes: 1

Views: 452

Answers (2)

Hans Knöchel

Reputation: 11552

Setting NSAllowsArbitraryLoads to true disables ATS, meaning that all URLs will be allowed and no restriction is configured. This is how it is configured by default in Titanium, to ensure backwards compatibility for apps upgrading to newer SDK versions. It can be overridden to either specify allowed domains (whitelisting) or by disabling NSAllowsArbitraryLoads.

The docs are still incorrect as Nirmal pointed out, so I just updated them (as I couldn't find the pull request mentioned earlier).

Upvotes: 1

Nirmal Patel

Reputation: 5168

We need to set the NSAllowsArbitraryLoads key to NO to enable ATS and get rid of the security warning.

I think the documentation is wrong. I have submitted a CR on GitHub to update the doc page.

Upvotes: 1
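The check both answers describe can be run against tiapp.xml before a build is submitted for scanning. The following Python is an added example, not code from the question, the answers or the Titanium SDK; the function name `ats_findings`, the two XML fragments and the domain `legacy.example.com` are constructed for illustration.

```python
import plistlib
import xml.etree.ElementTree as ET

# Constructed samples: the question's ATS block, and a variant with ATS on plus
# one scoped exception (legacy.example.com is a placeholder domain).
WEAK = """<ios><plist><dict>
  <key>NSAppTransportSecurity</key>
  <dict><key>NSAllowsArbitraryLoads</key><true/></dict>
</dict></plist></ios>"""

SCOPED = """<ios><plist><dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><false/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict><key>NSExceptionAllowsInsecureHTTPLoads</key><true/></dict>
    </dict>
  </dict>
</dict></plist></ios>"""


def ats_findings(tiapp_xml):
    """Return a list of ATS weaknesses found in a tiapp.xml <ios><plist> section."""
    root = ET.fromstring(tiapp_xml)
    node = root.find(".//plist/dict")
    if node is None:
        return ["no <plist><dict> section: ATS settings come from SDK defaults"]
    # Wrap the <dict> so plistlib can parse it like an Info.plist body.
    body = b"<plist version='1.0'>" + ET.tostring(node) + b"</plist>"
    plist = plistlib.loads(body, fmt=plistlib.FMT_XML)
    ats = plist.get("NSAppTransportSecurity")
    if ats is None:
        return ["NSAppTransportSecurity not set: ATS settings come from SDK defaults"]
    findings = []
    if ats.get("NSAllowsArbitraryLoads", False):
        findings.append("NSAllowsArbitraryLoads is YES: ATS is disabled for every domain")
    for domain, opts in ats.get("NSExceptionDomains", {}).items():
        if opts.get("NSExceptionAllowsInsecureHTTPLoads", False):
            findings.append(f"{domain}: cleartext HTTP allowed by a scoped exception")
    return findings


if __name__ == "__main__":
    for name, xml in (("WEAK", WEAK), ("SCOPED", SCOPED)):
        print(name, ats_findings(xml))
```

An empty list means the section sets ATS on with no cleartext exceptions; the scoped variant still reports its one domain so the exception stays visible in review.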
