
Under iOS 9, I've used the accepted answer here: Transport security has blocked a cleartext HTTP

I added the entries to my Info.plist file under NSAppTransportSecurity. My app seems to be functioning properly, as well as executing all of the requests for which I've accounted. I am still receiving the error:

App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file.

My problem is that I can't find where in my app codebase this is coming from and I do NOT want to allow all domains (lazy option referenced in the accepted answer I credited). Is there a way to raise an exception for it so that I can find the source of the warning?

Manu Kanthan
  • Don't switch off ATS - it's bad practice. Also, how can you possibly be loading a resource from the internet and not know what is loading it? If you are using someone else's code (from Github or a provided library) but don't understand what it does then you shouldn't use that code. Having said that, you can debug what the problem is and what HTTP requests are being used (which should point you to the problem library). Instructions to do this are about halfway down the page: http://timekl.com/blog/2015/08/21/shipping-an-app-with-app-transport-security/ – Robotic Cat Oct 07 '15 at 13:37
  • 2
    Thanks for the reply. I don't want to switch off ATS. This is why I wanted to raise an exception so I can find the offending line of code. And I don't think it's reasonable to expect to be familiar with every line of code in every third party library. Again, finding the offending request will make me MORE familiar with the code and I can choose whether or not I want to use it going forward. – Manu Kanthan Oct 07 '15 at 14:05
  • @ManuKanthan the networking diagnostics that you are using is probably the best way of knowing which requests are blocked. It's pretty verbose, but good. – Aaron Oct 07 '15 at 14:21
  • Since it's been raised, and Manu appears already to have answered the actual question: switching off ATS is not automatically bad practice. For example you may be in a position with something like an advertising framework whereby the vendor explicitly documents that requests may be issued for _any_ domain. If your use case is that it's impossible to know all the domains you'll access in advance then switching it off is the only logical way to proceed. – Tommy Oct 07 '15 at 14:29
  • You can try using charles proxy to see the requests going out and add exceptions if not too many links. – user2084611 Apr 13 '16 at 18:08

2 Answers


Using this link (http://timekl.com/blog/2015/08/21/shipping-an-app-with-app-transport-security/) from the comment above, I found that switching the environment variable CFNETWORK_DIAGNOSTICS to 1 produces a detailed log of all the requests.

This allowed me to trace the requests coming from a webView where I'm loading my own domain, which in turn loads things like MixPanel and Google Analytics. Entering those domains into the Info.plist file fixes the issue; however, we're instead simply going to load the https versions of these libraries.

Manu Kanthan
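As an added example (not code from the original answer), the script below does the follow-up step the answer describes: it takes the URLs found in the CFNETWORK_DIAGNOSTICS log, or in a proxy capture, keeps only the cleartext ones, and emits either the narrowest possible NSExceptionDomains block (ATS stays on, NSAllowsArbitraryLoads stays off) or the list of https:// URLs to switch to instead. The hostnames in OBSERVED_URLS and the helper names are placeholders chosen for this example, not values from the answer.

```python
"""Build the narrowest ATS exception list from URLs observed in a
CFNETWORK_DIAGNOSTICS log or a proxy capture.

Added illustration, not code from the original answer. Helper names and
the sample hostnames below are assumptions made for this example.
"""
import plistlib
from urllib.parse import urlsplit

# Constructed sample: what a webView loading a page that pulls in third-party
# analytics might request. These are placeholder hosts, not real log output.
OBSERVED_URLS = [
    "https://www.example.com/app/index.html",
    "http://cdn.analytics-vendor.example/mixpanel.min.js",
    "http://www.analytics.example/analytics.js",
    "HTTP://www.analytics.example/collect?v=1",   # scheme case varies in logs
    "https://api.example.com/v1/session",
    "http://www.example.com/legacy/banner.png",   # same host served both ways
]


def cleartext_hosts(urls):
    """Return the sorted, de-duplicated hostnames that were loaded over http://.

    ATS keys exceptions by hostname, so port, path and query are dropped;
    urlsplit lowercases the scheme, so 'HTTP://' is caught as well.
    """
    hosts = set()
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname:
            hosts.add(parts.hostname)
    return sorted(hosts)


def ats_exceptions(urls):
    """Build an NSAppTransportSecurity dict that keeps ATS on globally and
    grants NSExceptionAllowsInsecureHTTPLoads only to hosts that need it.

    NSIncludesSubdomains is left False so the exception does not silently
    cover more of the vendor's infrastructure than was actually observed.
    """
    domains = {
        host: {
            "NSExceptionAllowsInsecureHTTPLoads": True,
            "NSIncludesSubdomains": False,
        }
        for host in cleartext_hosts(urls)
    }
    return {
        "NSAppTransportSecurity": {
            "NSAllowsArbitraryLoads": False,   # the 'lazy option' stays off
            "NSExceptionDomains": domains,
        }
    }


def https_equivalents(urls):
    """Rewrite every http:// URL to https://, for the preferred fix of loading
    the TLS version of each resource instead of adding an exception.
    Each result still has to be confirmed to exist on the vendor's side.
    """
    out = []
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme == "http":
            out.append(parts._replace(scheme="https").geturl())
    return out


def to_plist_xml(entries):
    """Serialise the dict as the XML fragment that goes into Info.plist."""
    return plistlib.dumps(entries, sort_keys=True).decode("utf-8")


if __name__ == "__main__":
    print("cleartext hosts:", cleartext_hosts(OBSERVED_URLS))
    print("https candidates:", https_equivalents(OBSERVED_URLS))
    print(to_plist_xml(ats_exceptions(OBSERVED_URLS)))
```

The generated XML has NSAppTransportSecurity as its top-level key; merge that key into the existing Info.plist dictionary rather than pasting the whole document. If a host shows up in both lists (as www.example.com does above), fixing the http:// references on that host is cheaper than carrying an exception for a domain you control.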

Use an HTTP analyzer such as Charles Proxy (30 day free trial) to find all the URLs being called.

zaph
  • I would suggest using "Proxy" from Websecurify. Charles is the worst and not functioning Proxy available. It's expensive, unreliable and the UI looks awful. "Proxy" does work good, has some bugs, but I prefer it over Charles a lot. Also you can do request manipulations with it. – Julian F. Weinert Oct 07 '15 at 13:35
  • Rant about costs: If we want great tools we need to be ready to pay for them. In many trades such as construction and particularly repair (think automotive) the worker must spend thousands of dollars for tools. We are so spoiled by free tools we are reluctant to spend $50 on a tool, and that is reducing the ability of tool makers to recover the time spent on creating them, and we end up tool poor. In contrast hardware designers have sophisticated tools and are willing to pay substantial amounts for them. I've worked for multi-billion $ companies that would not spend $50, how sad. – zaph Oct 07 '15 at 14:02
  • Okay. "Expensive". I wouldn't want to pay this price for a Java-Based application that isn't optimised for OS X. I downloaded it, spent about 4 hours full of swearing until I decided to get something better. For me, Charles does not work reliably. – Julian F. Weinert Oct 07 '15 at 14:08
  • The UX is amazingly bad, everything looks windowsy instead of macy, the tableviews are somewhat self-brew and there is no parsing / display of structured data. – Julian F. Weinert Oct 07 '15 at 14:10
  • Yes – Proxy offers HTTPS inspection and also manipulation. It comes with a trusted CA and saves everything to the Keychain. – Julian F. Weinert Oct 07 '15 at 14:11
  • I'm still not the biggest fan of Proxy. It has some bugs and drawbacks as well. But it's overall performance is better. Also it looks like an OS X Application (similar to Xcode) – Julian F. Weinert Oct 07 '15 at 14:12
  • iDevice requests? What does a proxy need to "allow" iOS Devices to be inspected? – Julian F. Weinert Oct 07 '15 at 14:13
  • Yes. That is basically the definition of a proxy server. ANY proxy server will allow you to inspect the traffic of other devices as long as it has an inspection feature. This is the point of a proxy server. As it says: it is a server! – Julian F. Weinert Oct 07 '15 at 14:16
  • Don't confuse proxy with sniffer tools like tcpdump / Wireshark – Julian F. Weinert Oct 07 '15 at 14:17
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/91617/discussion-between-julian-and-zaph). – Julian F. Weinert Oct 07 '15 at 14:27
  • Wireshark is something different. Wireshark is a TCP dumper. It gathers as much (TCP) data as it can from the aether. A proxy is asked to redirect a request to a web server and send its response back to the original client. This way you can "change" your public IP for example or – if the proxy outputs the requests somewhere – inspect the *real* traffic. – Julian F. Weinert Oct 07 '15 at 14:33
  • I tried Proxy and for some reason I could not get it to work on either of two Macs. I must be doing something wrong or there is something about the systems. Anyway, I'm deleting most of my comments, they're irrelevant to the question. The point is to examine the requests on the network, use the proxy/analyzer of your choice, Charles is what I use and recommend but there are other solutions available. – zaph Oct 07 '15 at 15:12