iOS 9 ATS HTTP Request Security Considerations

I'm a little confused about this aspect of the platform.

I have been attempting to allow my application to make plain HTTP requests and have so far failed. I've gone through a vast selection of examples and none, including the Xamarin-suggested way listed here, have worked for me (iPhone Simulator).

The issue I have is the application I'm building has a feature to show an image. That image could come from any domain that may or may not even have a certificate. Yet I'm also advised not to turn ATS off, for obvious reasons. My plist entry looks like this:

  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>www.domain.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
        <key>NSExceptionMinimumTLSVersion</key>
        <string>TLSv1.1</string>
        <key>NSIncludesSubdomains</key>
        <true/>
      </dict>
    </dict>
  </dict>

This isn't working in my simulator; I still get the Plain HTTP Blocked error message. My image loading code looks like this:

using (var url = new NSUrl(uri))
{
    using (var data = NSData.FromUrl(url))
    {
        return UIImage.LoadFromData(data);
    }
}

One very confusing factor is that the API I'm working with is a non-SSL development version. I'm only making HTTP requests using HttpClient, yet those work without any issues. Is HttpClient somehow bypassing ATS?

Answers

  • JamesGreen.8031 GB Member ✭✭

    @adamkemp Indeed, I think it is a valid reason as well and thanks for your post. Just wish I could actually get the opt out to work now!

  • rmacias US Beta, University ✭✭✭✭✭

    You might want to look at this article:

    http://www.neglectedpotential.com/2015/06/working-with-apples-application-transport-security/

    Specifically, it looks like NSAllowsArbitraryLoads will disable ATS altogether, so you'll have to add that to your Info.plist file.

    The Xamarin example only shows how to keep ATS enabled, but disable it for only certain domains (i.e. you should replace the "www.domain.com" with the actual domain name you want to exclude). That would be the optimal way to do it. However, it sounds like you do have a valid business case to disable ATS altogether, so you can do that by adding NSAllowsArbitraryLoads to your Info.plist file.

  • JamesGreen.8031 GB Member ✭✭

    I had already tried this approach and it didn't work; will have another look at this in the next few days as it becomes more pertinent.
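
Added example, not part of the original thread and not Xamarin's or Apple's code: a Python check that loads an Info.plist, lists the ATS settings that are weakened, and models whether a plain-HTTP URL is covered by the per-domain exception or the global NSAllowsArbitraryLoads opt-out discussed above. The sample plist is constructed from the question's entry; the host matching is a simplified model of ATS behaviour, and the function names and `images.example.org` are assumptions.

```python
import plistlib
from urllib.parse import urlsplit

# Constructed sample: the question's ATS entry wrapped in a minimal Info.plist.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSExceptionDomains</key><dict>
      <key>www.domain.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.1</string>
        <key>NSIncludesSubdomains</key><true/>
      </dict>
    </dict>
  </dict>
</dict></plist>"""

def load_ats(plist_bytes):
    """Return the NSAppTransportSecurity dict, or {} when the key is absent."""
    return plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})

def matching_exception(ats, host):
    """Find the exception entry covering host (hypothetical helper, simplified)."""
    host = host.lower().rstrip(".")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        domain = domain.lower()
        # Exact match, or a subdomain when NSIncludesSubdomains is set.
        if host == domain or (rules.get("NSIncludesSubdomains") and host.endswith("." + domain)):
            return rules
    return None

def plain_http_allowed(ats, url):
    """Simplified model: is a plain-HTTP load of url permitted by this ATS dict?"""
    rules = matching_exception(ats, urlsplit(url).hostname or "")
    if rules is not None:  # a per-domain entry takes precedence over the global flag
        return bool(rules.get("NSExceptionAllowsInsecureHTTPLoads", False))
    return bool(ats.get("NSAllowsArbitraryLoads", False))

def audit(ats):
    """List settings that weaken ATS relative to its defaults."""
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads: ATS disabled for every domain")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"{domain}: plain HTTP allowed")
        if rules.get("NSExceptionMinimumTLSVersion") in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"{domain}: minimum TLS lowered below the ATS default of 1.2")
    return findings
```

Under this model the question's entry permits plain HTTP only for `www.domain.com` and its subdomains, so an image hosted on any other domain is still subject to ATS.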
