10

Apple has changed its current App Transport Security model with the release of iOS 9. Since this I have the issue that my App doesn't trust certain web services anymore and will terminate with an error. I found a solution to "fix" this error and I'm wondering if the following solution which I added to the Info.plist file will prevent the App from being released in the Apple App Store. 

  <key>NSAppTransportSecurity</key>                                                                                                                                                                                                                                       
  <dict>                                                                                                                                                                                                                                                                  
      <key>NSAllowsArbitraryLoads</key>                                                                                                                                                                                                                                   
      <true/>                                                                                                                                                                                                                                                             
  </dict>

Does anybody know this?

Update:

Question is a duplicate to:

Does App Store reject submission if NSAllowsArbitraryLoads set to YES?

Community
  • 1
  • 1
ashiaka
  • 3,994
  • 8
  • 32
  • 45
  • Check this answer: http://stackoverflow.com/questions/32456848/ios9-does-not-load-insecure-resources-from-a-secure-page-ssl-https/32458692#32458692 – Kampai Sep 10 '15 at 06:56
  • Thx, but this doesn't answer my question - no reference to App Store releases. The answer provides another solution for my initial problem. – ashiaka Sep 10 '15 at 07:00
  • This is just a reference for you to get more information about revised App Transport Security by Apple. – Kampai Sep 10 '15 at 07:02
  • 1
    AFAICS it is the same question though but there is no real answer there either – Daij-Djan Sep 10 '15 at 07:09
  • yeah, I will remove my question if I won't get an answer to my question in the next 3 to 4 days. But currently it is more likely that my question will be answered than the other question, I guess. – ashiaka Sep 10 '15 at 07:12
  • It depends whether your app has a good reason to do this. A web browser that needs to access arbitrary URLs might. But if you have a need to access some very specific URL that doesn't meet security requirements, then turning App Transport Security off globally will not go down well. – gnasher729 Sep 10 '15 at 08:23
  • 1
    Apple has not stated that there is a requirement to use https with TLS 1.2 and forward security, just that it is the default and is urging support. Apple has provided options to use non-conforming http. Apple allows horrible security, much worse than http, just look at the horrible security seen Q&A here on SO. – zaph Sep 16 '15 at 04:45
  • So is there an answer for this? I don't think that kind of thing would happen. I want to update my app but this situation bugs me. Even though there is no officially documented thing about rejection in case usage of NSAllowArbitrartyLoads. – mkeremkeskin Sep 21 '15 at 11:53

1 Answers1

8

Of course they'll allow you to submit apps with that setting. They added that override because some apps can't feasibly be released without allowing non-HTTPS requests. It will be a long time before it will be practical to ban unencrypted HTTP.

You may have to provide an explanation of why you're using that exception, of course.

dgatwood
  • 10,129
  • 1
  • 28
  • 49
  • 1
    Not that long. Turns out was about 1 year. From Dec 2016 HTTPS will be required except for the web view. – O'Rooney Jun 28 '16 at 21:50
  • Web browsers have always been the major exception (hence my "long time"), but this policy has lots of other problems, such as the fact that you can't get a valid SSL cert for a Bonjour domain (requiring... shall we say "interesting" workarounds). I'm watching this section of Stack Overflow pretty carefully to try to help folks who run into those issues, but I expect that there will still be a number of apps that will require exceptions, and I suspect Apple will grant such exceptions, assuming the reasons for supporting HTTP are valid (e.g. user-entered URLs). – dgatwood Jun 29 '16 at 00:34
  • Could be; that's our situation, the user can enter any random data feed URL they want, not under our control. – O'Rooney Jun 29 '16 at 05:22
  • I would urge you to file a bug and tell what you want to do, and explain why HTTPS isn't possible. Refer to that bug when you submit and ask for an exception. – dgatwood Jun 30 '16 at 23:41