I am currently working on an application that uses both HTTPS endpoints and HTTP endpoints. Now I want to conform to Application Transport Security for iOS 9 by making an NSExceptionDomains dictionary in the plist, but the number of 3rd party endpoints my application hits is dynamic and always growing, so to do this would be a fairly tedious task.
So while I could just set NSAllowsArbitraryLoads to YES I would much rather have ATS off by default except for my handful of secure HTTPS endpoints. Is it possible to do this? I saw one blog post about someone configuring the plist this way.

But I cannot find any information verifying that this is a valid solution, nor do I know how to tell if an HTTPS request is using ATS. Does anyone know if this is possible or how to know if this is working?
EDIT
It's worth mentioning that the tags in the current app documentation are incorrect.
NSExceptionAllowInsecureHTTPLoads
NSExceptionRequiresForwardSecrecy
NSExceptionMinimumTLSVersion
NSThirdPartyExceptionAllowsInsecureHTTPLoads
NSThirdPartyExceptionMinimumTLSVersion
NSThirdPartyExceptionRequiresForwardSecrecy
are actually
NSTemporaryExceptionAllowsInsecureHTTPLoads
NSTemporaryExceptionRequiresForwardSecrecy
NSTemporaryExceptionMinimumTLSVersion
NSTemporaryThirdPartyExceptionAllowsInsecureHTTPLoads
NSTemporaryThirdPartyExceptionMinimumTLSVersion
NSTemporaryThirdPartyExceptionRequiresForwardSecrecy
After doing some more research I was able to answer my own question. So basically you are saying everything needs to default to not using ATS by setting NSAllowsArbitraryLoads = YES.
But then in your exceptions dictionary (NSExceptionDomains) you are specifying endpoints that you want to act differently. So that means you can put your HTTPS endpoints in this list and specify it to use ATS by setting NSTemporaryExceptionAllowsInsecureHTTPLoads to NO. I was able to verify this by putting an unsecure endpoint itunes.apple.com and trying to reach it. When I set NSTemporaryExceptionAllowsInsecureHTTPLoads to NO it failed and complained about it not being secure.
This may be obvious to most people but with the little documentation out there I hope this helps.
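Added example, not part of the original answer: a Python check that reads a plist laid out as the answer describes and reports, per host, whether plain-HTTP loads are blocked. The domain names are constructed placeholders; the script also honours the non-Temporary key spelling and NSIncludesSubdomains, which the post does not mention.

```python
import plistlib

# Constructed sample Info.plist; api.example.com is a placeholder domain.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>api.example.com</key>
      <dict>
        <key>NSIncludesSubdomains</key><true/>
        <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key><false/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>"""

# Key name as given in the post, plus the non-Temporary spelling (assumption:
# either may appear depending on the SDK the plist was written for).
INSECURE_KEYS = ("NSTemporaryExceptionAllowsInsecureHTTPLoads",
                 "NSExceptionAllowsInsecureHTTPLoads")

def insecure_http_blocked(info, host):
    """Return True if this plist blocks plain-HTTP loads to `host`."""
    ats = info.get("NSAppTransportSecurity", {})
    host = host.lower()
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        domain = domain.lower()
        subdomains = rules.get("NSIncludesSubdomains", False)
        if host == domain or (subdomains and host.endswith("." + domain)):
            # A listed domain follows its own rules, not the global switch.
            return not any(rules.get(key, False) for key in INSECURE_KEYS)
    # Unlisted hosts fall back to the app-wide default.
    return not ats.get("NSAllowsArbitraryLoads", False)

def audit(plist_bytes, hosts):
    """Map each host to True (HTTP blocked) or False (HTTP allowed)."""
    info = plistlib.loads(plist_bytes)
    return {host: insecure_http_blocked(info, host) for host in hosts}

if __name__ == "__main__":
    hosts = ["api.example.com", "cdn.api.example.com", "thirdparty.example.net"]
    for host, blocked in audit(SAMPLE_PLIST, hosts).items():
        print(f"{host}: {'HTTP blocked' if blocked else 'HTTP allowed'}")
```

Running it against a built app's Info.plist gives a quick list of which hosts still accept cleartext, which is useful when the set of third-party endpoints keeps growing.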