iOS and App Transport Security Settings

Some time ago, Apple added a security feature to iOS, App Transport Security, that requires every domain an app needs to connect to without HTTPS to be white-listed in the Info.plist file.

The simplest approach is to create a Dictionary named NSAppTransportSecurity and add a key named NSAllowsArbitraryLoads with the Boolean value True. This bypasses the security system entirely and allows your app to read from any website, HTTPS or not.

The problem coming down the pipe is that Apple is going to turn this ‘temp’ feature off sometime this year. When they do, an app using this scheme will not be able to read from a non-HTTPS URL.

To get around this you need to explicitly add domains to your white-list.  Not too hard, but it needs to be done.

Inside the NSAppTransportSecurity dictionary, create another dictionary named NSExceptionDomains. Then, inside that, create a dictionary for each domain you’ll need access to, with the root domain as its name. Inside each domain's dictionary, add two items: NSTemporaryExceptionAllowsInsecureHTTPLoads with a Boolean value of TRUE, and NSIncludesSubdomains, also with a Boolean value of TRUE.

That will let you read from those domains in the future, even when Apple kills NSAllowsArbitraryLoads.

The following is an extract from one of our apps which allows the app to read from purplebuttons.com.

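<!-- This dict is the value of the NSExceptionDomains key, inside NSAppTransportSecurity -->
<dict>
    <!-- One entry per white-listed root domain -->
    <key>purplebuttons.com</key>
    <dict>
        <!-- Allow plain-HTTP loads from this domain -->
        <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
        <true/>
        <!-- Apply the exception to subdomains as well -->
        <key>NSIncludesSubdomains</key>
        <true/>
    </dict>
</dict>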
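To check which plain-HTTP exceptions an app actually ships with, the following added example (not code from the original post or from Apple) parses an Info.plist and reports the global bypass and every domain white-listed for HTTP. The function name `audit_ats` and the sample plist are constructed for illustration.

```python
import plistlib

# Constructed sample Info.plist (not from a real app): the global bypass plus
# the per-domain exception described in the post.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>purplebuttons.com</key>
      <dict>
        <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
        <true/>
        <key>NSIncludesSubdomains</key>
        <true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Per-domain keys that permit plain HTTP: the one used in the post, and the
# non-"Temporary" spelling used in Apple's current ATS documentation.
INSECURE_HTTP_KEYS = (
    "NSTemporaryExceptionAllowsInsecureHTTPLoads",
    "NSExceptionAllowsInsecureHTTPLoads",
)

def audit_ats(plist_bytes):
    """Return (global_bypass, {domain: includes_subdomains}) for HTTP exceptions."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    global_bypass = ats.get("NSAllowsArbitraryLoads") is True
    http_domains = {}
    for domain, settings in ats.get("NSExceptionDomains", {}).items():
        if any(settings.get(k) is True for k in INSECURE_HTTP_KEYS):
            http_domains[domain] = settings.get("NSIncludesSubdomains") is True
    return global_bypass, http_domains

if __name__ == "__main__":
    bypass, domains = audit_ats(SAMPLE_PLIST)
    print("NSAllowsArbitraryLoads enabled:", bypass)
    for name, subs in sorted(domains.items()):
        print(f"plain HTTP allowed: {name} (subdomains: {subs})")
```

Running it against a build's Info.plist before release gives a short list of domains that still need to move to HTTPS.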
