
With iOS 9, Apple is mandating the use of HTTPS. While this is all good and secure, it forces me to convert all my dev/testing servers to HTTPS. I'm developing for Android and iOS.

Things I've already tried/looked at:

  1. Running iOS 8 - not a long term solution
  2. Self signed servers - requires adding code to both platforms.
  3. Adding root certificate - probably the way to go but expensive in terms of hours spent on this.

I'd like to know how other people are handling this. Ideally, I'd like a solution based on 3 (or not based on 1 and 2), which works well with simulator/emulator and doesn't require jumping through hoops and constant tinkering with root certificate on various devices.

I'll also take a solution for iOS only (e.g. #ifdef) as Android can stay on HTTP.

Update: 20 Dec

  1. My servers are IP address only. No domain name.
  2. Using plist settings is an option. However, an answer would have to be specific and complete. I would expect to see something like a script that removes plist settings for 'release' builds. I'm not a security person, but I suspect that leaving whitelisted IP addresses for attackers to use is a bad idea.
Roy Falk

3 Answers


[image: screenshot of the Info.plist entry]

Please put this property in your info.plist if you want to work with HTTP/HTTPS with iOS9.

Amit Bhavsar
  • It's not enough to be the fastest gun in the west. There are guidelines to how a good answer on stack overflow should look (http://stackoverflow.com/help/how-to-answer). Regardless, this would probably disable HTTPS enforcement indiscriminately, which is not what I wanted. – Roy Falk Dec 20 '15 at 06:46

App Transport Security is enabled by default when using NSURLSession and NSURLConnection in iOS9. You can opt out of ATS for certain URLs in your Info.plist by using NSExceptionDomains. Within the NSExceptionDomains dictionary you can explicitly define the URLs that you need exceptions for with ATS. The exceptions you can use are:

NSIncludesSubdomains
NSExceptionAllowsInsecureHTTPLoads
NSExceptionRequiresForwardSecrecy
NSExceptionMinimumTLSVersion
NSThirdPartyExceptionAllowsInsecureHTTPLoads
NSThirdPartyExceptionMinimumTLSVersion
NSThirdPartyExceptionRequiresForwardSecrecy

Each of these keys allows you to granularly disable ATS or particular ATS options on domains where you are unable to support them. You can refer to the answers to these questions here:

How do I load an HTTP URL with App Transport Security enabled in iOS 9?

Transport security has blocked a cleartext HTTP

Ravi_sankar
  • Thanks for the answer. I actually did see some of the above exceptions. What I'm looking for is a specific answer and not generic links to documentation. How do I write an app that works against a list of n servers (IP only) in HTTP but when compiled for release, would remove all mention of these settings. It's too dangerous to have a simple boolean. What happens if I forget to remove it prior to a release? Note that I refined my request in response to your solution. – Roy Falk Dec 20 '15 at 06:52
  • While this wasn't exactly what I was looking for, I appreciate the effort as it did help me and probably will help others. Therefore, I up voted your answer. Thank you. – Roy Falk Dec 21 '15 at 07:42

You can very easily add domain names for your development servers by using a free DNS provider. I use http://freedns.afraid.org/ and they have some shared domain names where you can add names for the IPs you need. I sometimes do this just for internal servers to make it easier to remember where they are!

As for the plist; all you are doing when you whitelist a name like that is telling the phone app that it can talk to that server with HTTP. If you #ifdef DEBUG the ability for your app to talk to those endpoints, then you should have compiled out the ability of the end user to switch to it!

If you are still concerned about it and are looking to have a build step that removes the exemption then PlistBuddy is your friend. You can remove an exemption using the following command line.

/usr/libexec/PlistBuddy -c "Delete :NSAppTransportSecurity:NSExceptionDomains:my.devserver.com" Info.plist
Fiid
  • You, my friend, have earned this bounty fair and square. PlistBuddy is exactly what I was looking for. I never thought to look for this and it solves the issue of plist entries making it to production. Thank you. – Roy Falk Dec 21 '15 at 07:41
  • Sweet! Glad it helped! – Fiid Dec 21 '15 at 19:39
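The two accepted ideas on this page (Ravi_sankar's per-host NSExceptionDomains entries instead of a blanket opt-out, and Fiid's build step that deletes those entries before release) can be put together and checked end to end. The following is an added example, not code from the question or any of the answers: it uses Python's standard plistlib to build a debug Info.plist with scoped cleartext exceptions, strip them the way the PlistBuddy command above does, and audit the result so a release build fails if any cleartext exception survives. The host names, bundle values and file contents are constructed for illustration; following Fiid's suggestion, the dev servers are assumed to have DNS names, since NSExceptionDomains entries are keyed by host name.

```python
"""Build, strip and audit App Transport Security (ATS) exceptions in an Info.plist.

Added example (not from the original question or answers). plistlib is in the
Python standard library, so this runs on any platform; on macOS the same
deletion can be done with /usr/libexec/PlistBuddy in an Xcode Run Script phase.
"""
import plistlib
from typing import Dict, Iterable, List

# Constructed development hosts (assumption: each dev server has a DNS name,
# as the accepted answer suggests; ATS exception keys are host names).
DEV_HOSTS = ["dev1.example.test", "dev2.example.test"]

# Constructed minimal Info.plist content.
BASE_PLIST = {"CFBundleIdentifier": "com.example.app", "CFBundleName": "ExampleApp"}


def ats_exceptions(hosts: Iterable[str]) -> Dict:
    """Scoped NSAppTransportSecurity dict: plain HTTP to exactly these hosts.

    This deliberately avoids NSAllowsArbitraryLoads, which would disable ATS
    for every connection the app makes.
    """
    return {
        "NSExceptionDomains": {
            host: {
                "NSExceptionAllowsInsecureHTTPLoads": True,
                "NSIncludesSubdomains": False,
            }
            for host in hosts
        }
    }


def debug_info_plist(base: Dict, hosts: Iterable[str]) -> bytes:
    """Serialise a debug Info.plist carrying the dev-server exceptions."""
    plist = dict(base)
    plist["NSAppTransportSecurity"] = ats_exceptions(hosts)
    return plistlib.dumps(plist)


def strip_ats_exceptions(plist_bytes: bytes) -> bytes:
    """Release build step: remove every cleartext exception.

    Equivalent to running
      PlistBuddy -c "Delete :NSAppTransportSecurity:NSExceptionDomains" Info.plist
    and also dropping a blanket NSAllowsArbitraryLoads if someone added one.
    """
    plist = plistlib.loads(plist_bytes)
    ats = plist.get("NSAppTransportSecurity", {})
    ats.pop("NSExceptionDomains", None)
    ats.pop("NSAllowsArbitraryLoads", None)
    if ats:
        plist["NSAppTransportSecurity"] = ats   # keep any remaining hardening keys
    else:
        plist.pop("NSAppTransportSecurity", None)
    return plistlib.dumps(plist)


def insecure_hosts(plist_bytes: bytes) -> List[str]:
    """Audit: host names for which the plist still permits cleartext HTTP.

    Returns ["*"] when NSAllowsArbitraryLoads disables ATS globally.
    """
    plist = plistlib.loads(plist_bytes)
    ats = plist.get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads"):
        return ["*"]
    domains = ats.get("NSExceptionDomains", {})
    return sorted(
        host for host, opts in domains.items()
        if opts.get("NSExceptionAllowsInsecureHTTPLoads")
        or opts.get("NSThirdPartyExceptionAllowsInsecureHTTPLoads")
    )


def release_is_clean(plist_bytes: bytes) -> bool:
    """Gate for a release build: True only if no cleartext exception remains."""
    return insecure_hosts(plist_bytes) == []


if __name__ == "__main__":
    debug = debug_info_plist(BASE_PLIST, DEV_HOSTS)
    release = strip_ats_exceptions(debug)
    print("debug build allows HTTP to:  ", insecure_hosts(debug))
    print("release build allows HTTP to:", insecure_hosts(release))
    if not release_is_clean(release):
        raise SystemExit("release Info.plist still contains ATS exceptions")
```

In an Xcode project the same gate is a Run Script phase that runs only when `$CONFIGURATION` is `Release`, deletes `:NSAppTransportSecurity:NSExceptionDomains` from `$TARGET_BUILD_DIR/$INFOPLIST_PATH` with PlistBuddy, and then fails the build if the key still exists. That removes the "what if I forget the boolean" risk raised in the question: the exception cannot reach production because the release configuration never contains it.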