Basit ZIa Basit ZIa - 1 month ago 43
iOS Question

Apple App Transport Security (ATS) for Enterprise Application

I am developing an enterprise application. So far every thing was working fine in simulator but when i deploy it on physical devices it crashes. Crash is happening because app is connecting to web services via "HTTP" instead of "HTTPS".

I have added the ATS exceptions in

info.plist
file. I need to know that enterprise application will continue to work after 2016 (Apple's Deadline) with
HTTP
?

Application will be hosted in our own servers, and apple doesn't review the enterprise applications.

Update 1
I just need to know enterprise application will continue to work after 2016 with this ATS exceptions or not ?

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CFBundleDisplayName</key>
<string>xxxxxxxx</string>
<key>CFBundleIdentifier</key>
<string>com.xxxxxxx.xxx</string>
<key>CFBundleShortVersionString</key>
<string>1.0</string>
<key>CFBundleVersion</key>
<string>1.009</string>
<key>LSRequiresIPhoneOS</key>
<true/>
<key>MinimumOSVersion</key>
<string>9.0</string>
<key>UIDeviceFamily</key>
<array>
<integer>2</integer>
</array>
<key>UILaunchStoryboardName</key>
<string>LaunchScreen</string>
<key>UIMainStoryboardFile</key>
<string>Main</string>
<key>UIRequiredDeviceCapabilities</key>
<array>
<string>armv7</string>
</array>
<key>UISupportedInterfaceOrientations~ipad</key>
<array>
<string>UIInterfaceOrientationLandscapeLeft</string>
<string>UIInterfaceOrientationLandscapeRight</string>
</array>
<key>UIMainStoryboardFile~ipad</key>
<string>Main</string>
<key>UIAppFonts</key>
<array>
<string>Fonts/Montserrat-Black.otf</string>
<string>Fonts/Montserrat-Bold.otf</string>
<string>Fonts/Montserrat-ExtraBold.otf</string>
<string>Fonts/Montserrat-Regular.otf</string>
</array>

<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>http://xxxxxxx.xxxxx.xxx</key>
<dict>
<key>NSExceptionMinimumTLSVersion</key>
<string>TLSv1.0</string>
<key>NSExceptionRequiresForwardSecrecy</key>
<false/>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSIncludesSubdomains</key>
<true/>
</dict>
</dict>
</dict>

</dict>

Answer

Any Apple App Store Submissions starting 2017, still can request a App Transport Security (ATS) exception that will be reviewed by Apple. You will need to highly restrict your exception list and not allowed blanket arbitrary http loads. The reviewers can still reject your submission and request additional information.

i.e. Apps requesting US Government NOAA Images over a non-secure channel might to allowed since NOAA currently does not support HTTPS/SSL for those weather radar images.... Again, up to the Apple reviewers...

WKWebView, UIWebView, WebView:

NSAllowsArbitraryLoadsInWebContent lets you have a strict ATS dictionary but still load arbitrary content in a web view (WKWebView, UIWebView, WebView)

Non-secure local networking:

NSAllowsLocalNetworking allows loading of local resources without disabling ATS for the rest of your app

Media content that is already encrypted:

NSAllowsArbitraryLoadsInMedia disables all ATS restrictions for media that your app loads using the AV Foundation framework. Employ this key only for loading media that are already encrypted, such as files protected by FairPlay or by secure HLS, and that do not contain personalized information.

Enterprise Applications:

These do not get Apple reviewed, thus disabling ATS is allowed until a possible future version of iOS that would disallow non-secure traffic, but that is far from a best practice

  • Enterprise data accessed non-securely?

If your Enterprise app requires non-secure local network-based resources, use the new NSAllowsLocalNetworking exception instead.

If your Enterprise app requires non-secure Enterprise resources obtained over the public internet, you might have security issues that are beyond the scope of just iOS App Transport Security issues.