iOS 9 Configurations: Application Migration Security App Configurations
I am currently working on an application that uses both HTTPS endpoints and HTTP endpoints. Now I want to comply with Application Transport Security for iOS 9 by creating a dictionary NSExceptionDomains in the plist, but the number of third-party endpoints my apps hit is dynamic and always growing, so doing that would be a rather tedious task.
So while I could just set NSAllowsArbitraryLoads to YES, I'd rather have ATS disabled by default, save for my handful of secure HTTPS endpoints. Is it possible to do this? I saw one blog post about someone setting up a plist this way.
But I can't find any information to support that this is a valid solution, and I don't know how to find out if the HTTPS request is using ATS. Does anyone know if this is possible or how to know if it works?
EDIT
It should be noted that the tags in the current application documentation are incorrect.
NSExceptionAllowInsecureHTTPLoads
NSExceptionRequiresForwardSecrecy
NSExceptionMinimumTLSVersion
NSThirdPartyExceptionAllowsInsecureHTTPLoads
NSThirdPartyExceptionMinimumTLSVersion
NSThirdPartyExceptionRequiresForwardSecrecy
Actually
NSTemporaryExceptionAllowsInsecureHTTPLoads
NSTemporaryExceptionRequiresForwardSecrecy
NSTemporaryExceptionMinimumTLSVersion
NSTemporaryThirdPartyExceptionAllowsInsecureHTTPLoads
NSTemporaryThirdPartyExceptionMinimumTLSVersion
NSTemporaryThirdPartyExceptionRequiresForwardSecrecy
After doing some more research, I was able to answer my own question. So basically you are saying that everything does not use ATS by default by setting NSAllowsArbitraryLoads = YES.
But then, in your exception dictionary (NSExceptionDomain), you specify the endpoints that you want to act differently. This means that you can place HTTPS endpoints in this list and tell it to use ATS by setting NSTemporaryExceptionAllowsInsecureHTTPSLoads to NO. I was able to test this by putting an unsecured endpoint itunes.apple.com and trying to reach it. When I set NSTemporaryExceptionAllowsInsecureHTTPSLoads to NO, it failed and complained that it was not secure.
This may be obvious to most people, but with a little documentation in there, I hope this helps.
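To check statically which endpoints end up with ATS enforced under the "off by default, on per domain" layout discussed above, the following added example (not code from the original posts) parses an Info.plist with Python's plistlib and reports the effective policy per domain. The sample plist and the example.com hosts are constructed, and treating keys outside the recognised list as having no effect is an assumption.

```python
import plistlib

# Key names as listed on this page (iOS 9 beta "Temporary" spelling) plus the
# later non-Temporary spelling; either one set to true permits plain HTTP.
INSECURE_KEYS = {"NSTemporaryExceptionAllowsInsecureHTTPLoads",
                 "NSExceptionAllowsInsecureHTTPLoads"}
KNOWN_KEYS = INSECURE_KEYS | {
    "NSIncludesSubdomains",
    "NSTemporaryExceptionRequiresForwardSecrecy", "NSExceptionRequiresForwardSecrecy",
    "NSTemporaryExceptionMinimumTLSVersion", "NSExceptionMinimumTLSVersion"}

# Constructed sample: ATS off by default, with three per-domain entries.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
 <key>NSAppTransportSecurity</key><dict>
  <key>NSAllowsArbitraryLoads</key><true/>
  <key>NSExceptionDomains</key><dict>
   <key>api.example.com</key><dict>
    <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key><false/></dict>
   <key>legacy.example.com</key><dict>
    <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key><true/></dict>
   <key>typo.example.com</key><dict>
    <key>NSTemporaryExceptionAllowsInsecureHTTPSLoads</key><true/></dict>
  </dict>
 </dict>
</dict></plist>"""

def audit_ats(plist_bytes):
    """Return (ats_on_by_default, {domain: ats_enforced}, {domain: [unknown keys]})."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    default_on = not ats.get("NSAllowsArbitraryLoads", False)
    enforced, unknown = {}, {}
    for domain, cfg in ats.get("NSExceptionDomains", {}).items():
        # A listed domain overrides the global default; ATS stays enforced
        # unless a recognised insecure-HTTP key is explicitly true.
        enforced[domain] = not any(cfg.get(k) is True for k in INSECURE_KEYS)
        # Assumption: keys outside KNOWN_KEYS have no effect, so flag them.
        bad = sorted(set(cfg) - KNOWN_KEYS)
        if bad:
            unknown[domain] = bad
    return default_on, enforced, unknown

if __name__ == "__main__":
    default_on, enforced, unknown = audit_ats(SAMPLE)
    print("ATS on by default:", default_on)
    for d, on in enforced.items():
        print(f"{d}: ATS {'enforced' if on else 'relaxed (HTTP allowed)'}")
    print("unrecognised keys:", unknown)
```

Running the audit in CI against the built app's Info.plist gives a reviewable list of every domain where plain HTTP is still permitted.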