iOS Tutorial ATS - App Transport Security

Discussion in 'iOS Tutorials' started by Erel, Dec 18, 2016.

  1. Erel

    Erel Administrator Staff Member Licensed User

    ATS is a security feature that prevents applications from making non-SSL HTTP connections. This means that when ATS is enabled, applications can only access https URLs.

    Starting from 1/1/2017, ATS must be enabled on new or updated applications.
    This means that you need to add this line to the main module:
    Code:
    #ATSEnabled: True
    If you are only calling https urls or not making any calls then you don't need to do anything else.
    Note that ATS is not enforced when making calls to IP addresses, only when making calls to host names.

    If you are making unsecured calls to specific domains then you can add an exclusion for those domains:
    Code:
    #PlistExtra: <key>NSAppTransportSecurity</key><dict><key>NSAllowsArbitraryLoads</key><false/>
    #PlistExtra: <key>NSExceptionDomains</key><dict>
    'list the excluded domains (example.com and b4x.com)
    #PlistExtra: <key>example.com</key><dict><key>NSIncludesSubdomains</key><true/><key>NSExceptionAllowsInsecureHTTPLoads</key><true/></dict>
    #PlistExtra: <key>b4x.com</key><dict><key>NSIncludesSubdomains</key><true/><key>NSExceptionAllowsInsecureHTTPLoads</key><true/></dict>
    'end of excluded domains
    #PlistExtra: </dict>
    #PlistExtra: </dict>
    If you want to show non-secure pages in WebView and allow the user to navigate to other domains as well:
    Code:
    #PlistExtra: <key>NSAppTransportSecurity</key><dict><key>NSAllowsArbitraryLoads</key><true/>
    #PlistExtra: <key>NSAllowsArbitraryLoadsInWebContent</key><true/>
    #PlistExtra: </dict>
    Note that NSAllowsArbitraryLoads is true this time. NSAllowsArbitraryLoadsInWebContent is only applied on iOS 10+. When it is applied it cancels NSAllowsArbitraryLoads.
    Apps with this key require a justification: https://developer.apple.com/library...Keys.html#//apple_ref/doc/uid/TP40009251-SW59

    Another option which is relevant if you are targeting iOS 9+ is to use SafariController from the iUI9 library.

    SafariController is a powerful embedded browser: https://www.b4x.com/android/forum/threads/iui9-safari-controller.70552/#content
    SafariController can access all pages. No need to add any exclusion.
     
    Last edited: Dec 18, 2016
    Humberto, joilts, Ohanian and 2 others like this.
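
An added example, not part of the original post or the B4i project: a small Python audit that reads the ATS dictionary produced by the #PlistExtra lines above and reports where cleartext HTTP is still allowed. The sample plist is constructed from the exclusion snippet in the post, and the function name audit_ats is hypothetical.

```python
import plistlib

# Constructed sample: the ATS dictionary from the exclusion snippet in the post,
# wrapped in a minimal Info.plist document.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>NSAppTransportSecurity</key><dict>
  <key>NSAllowsArbitraryLoads</key><false/>
  <key>NSExceptionDomains</key><dict>
    <key>example.com</key><dict><key>NSIncludesSubdomains</key><true/>
      <key>NSExceptionAllowsInsecureHTTPLoads</key><true/></dict>
    <key>b4x.com</key><dict><key>NSIncludesSubdomains</key><true/>
      <key>NSExceptionAllowsInsecureHTTPLoads</key><true/></dict>
  </dict>
</dict>
</dict></plist>"""

def audit_ats(plist_bytes):
    """Return findings describing where the ATS settings permit cleartext HTTP."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    arbitrary = ats.get("NSAllowsArbitraryLoads", False)
    web = ats.get("NSAllowsArbitraryLoadsInWebContent")
    if web is not None:
        # Per the post: on iOS 10+ the web-content key cancels NSAllowsArbitraryLoads.
        if web:
            findings.append("iOS 10+: cleartext HTTP allowed in web views only")
        if arbitrary:
            findings.append("iOS 9: cleartext HTTP allowed for all connections")
    elif arbitrary:
        findings.append("all iOS versions: cleartext HTTP allowed for all connections")
    # Per-domain exclusions apply regardless of the global switches.
    for domain, opts in sorted(ats.get("NSExceptionDomains", {}).items()):
        if opts.get("NSExceptionAllowsInsecureHTTPLoads", False):
            scope = " and subdomains" if opts.get("NSIncludesSubdomains", False) else ""
            findings.append(f"cleartext HTTP allowed to {domain}{scope}")
    return findings

if __name__ == "__main__":
    for line in audit_ats(SAMPLE_PLIST):
        print(line)
```
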
  2. Pendrush

    Pendrush Active Member Licensed User

    Can we use NSAllowsArbitraryLoadsForMedia?
     
  3. Erel

    Erel Administrator Staff Member Licensed User

    Pendrush likes this.
  4. joilts

    joilts Member Licensed User

    Is it possible to use self-signed Certificates in this situation?
     
  5. Erel

    Erel Administrator Staff Member Licensed User

    Yes. But you will need to install the certificate on each device (like with the B4I certificate).

    You can use the excluded domains feature instead.

    Note that there are now free SSL certificates that you can use: https://letsencrypt.org/
     
    joilts likes this.
  6. Erel

    Erel Administrator Staff Member Licensed User

  7. fabton1963

    fabton1963 Member Licensed User

    I'm using a letsencrypt certificate on my server but, if I set ATSEnabled true, I cannot open a remote page using WebView.
     
  8. Erel

    Erel Administrator Staff Member Licensed User

    I guess that the certificate is not recognized by your device. Do you see any error message?
     