52

I develop my iOS app using a local server running on my dev box. When testing on devices, I connect directly via an IP address, which is over HTTP and not HTTPS (so I don't have to deal with self-signed certs while in development, which the device wouldn't even like anyways).

I thought that this would be sufficient:

enter image description here

However, cannot get it to work without also adding NSAllowsArbitraryLoads = YES, AKA this:

enter image description here

Now, I will have to remember to remove this when rolling a production build but not during development...arg. Should the NSExceptionDomains work with IP addresses, and if not, is there anything else I can do without also enabling NSAllowsArbitraryLoads?

esilver
  • 27,713
  • 23
  • 122
  • 168

4 Answers4

52

Hard-coded IP address wont work in iOS9. I also faced the same issue. Tried all permutations & combinations of available solutions. Finally, had to use a proper domain name.

So, NO.In iOS9 you just can't get away with hard-coded IP addresses.

PanxShaz
  • 760
  • 9
  • 12
  • 3
    I came across this link: https://forums.developer.apple.com/thread/6205 about allowing IP address on the LAN. Unfortunately, there is no current solution, but a feature request has been submitted. – David L Sep 14 '15 at 02:27
  • 2
    Did anyone find an official documentation stating this? Is this an Apple bug, or is this intended? – Nathan H Sep 21 '15 at 11:16
  • 6
    This is intended only, for security purpose. Apple mentioned this during WWDC-2015 http://www.internetsociety.org/deploy360/blog/2015/06/apple-will-require-ipv6-support-for-all-ios-9-apps/ – PanxShaz Sep 21 '15 at 12:16
  • 3
    IP addresses won't work as specified by documentation, https://developer.apple.com/library/prerelease/ios/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html#//apple_ref/doc/uid/TP40009251-SW33 table 2 – Gabriele Mar 18 '16 at 11:25
  • 1
    This answer is incorrect. If you disable ATS, connections to IP addresses work just fine. – Avi Aug 31 '16 at 11:52
  • 1
    @Avi you're right, however, esilver was looking for a workaround that doesn't require disabling ATS otherwise, there is a risk that he forgets when pushing to production. – anasaitali Aug 31 '16 at 14:27
  • Simplest then to just use different info.plist files. You can have a different info.plist per build type. – Avi Aug 31 '16 at 15:56
  • Check http://stackoverflow.com/a/32704702/2017049 on how to disable ATS for Debug builds only, allowing IP address for testing. – lionello Sep 01 '16 at 11:04
26

is there anything else I can do without also enabling NSAllowsArbitraryLoads?

One workaround is to use xip.io, as explained by QJeffR in this Apple Developer Forums thread (which was shared by David L in his comment):

A DNS call to (for example) 10.0.1.8.xip.io will resolve to 10.0.1.8, allowing use of the domain instead of the IP address for the NSExceptionDomains key.

Community
  • 1
  • 1
TachyonVortex
  • 8,242
  • 3
  • 48
  • 63
  • This works for those that need to (for various reasons) connect to an IP address instead of a domain name, or to connect to LAN IP addresses. This also works for LAN addresses, but the iOS must have an internet connection to be able to access the xip.io service. Then all you need is to allow "xip.io" and subdomains in the App Transport Security Settings. – wilsontgh Jan 06 '16 at 09:52
  • Wouldn't this just route all your insecure traffic through an unknown xip.io server? – Efren Apr 26 '17 at 05:55
  • DNS calls don't route traffic, they just "map" domain names with ip addresses. – Pochi Jan 09 '18 at 04:53
5

As @PanxShaz said you can't put an hardcoded IP address but you can use an easy workaround:

  1. Open your /etc/hosts file using sudo and add a new local domain name for your ip address. Example:

    192.168.99.100 docker-host.localhost

  2. Then flush your DNS :

    dscacheutil -flushcache

  3. And finally use this new local domain in your app transport security exceptions.

Community
  • 1
  • 1
anasaitali
  • 1,504
  • 21
  • 30
  • 1
    This is not possible on iOS without jailbreaking. – Avi Aug 31 '16 at 11:53
  • @Avi Yes, it is possible, simply because this is actually done on you mac. The purpose here is to offer a workaround when developing. – anasaitali Aug 31 '16 at 14:23
  • Unless your iOS device is using your mac for DNS, it won't work. Maybe on the simulator. – Avi Aug 31 '16 at 15:54
4

If you are targeting iOS 10+, just set the NSAllowsLocalNetworking flag.

Herman Kan
  • 2,253
  • 1
  • 25
  • 32