App Transport Security, exception domain issue

Question

In an iOS app, I am having troubles with App Transport Security:

I have read many post on the net, but for some reason what I set in my Info.plist seems to be ignored. I have tried several possibilities, here is the last one:

<plist version="1.0">
<dict>
    ……..
    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSExceptionDomains</key>
        <dict>
            <key>mydomain.net</key>
            <dict>
                <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
                <true/>
                <key>NSIncludesSubdomains</key>
                <true/>
                <key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
                <false/>
            </dict>
        </dict>
    </dict>
    ……..
</dict>
</plist>

But whatever I set in the Info.plist I keep getting this message:

2016-03-25 13:21:17.234 MyApp[3587:1285514] App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file.

What could I be missing?

Make sure that you don't have any hidden .plist file in your project. You can right click on your project from project navigator, click on show in finder and see if there is any other plist file. — Milan Gupta, Mar 26 '16 at 11:24

score 3 · Answer 1 · answered Jul 15 '16 at 15:40

3

You should not use :

`<key>NSAppTransportSecurity</key>
  <dict>
      <key>Allow Arbitrary Loads</key>
     <true/>
 </dict>`

This allows ALL unsecured links, unless if you do not care about security of information. The way you did it should be correct, maybe use the NSTemporaryThirdPartyExceptionAllowsInsecureHTTPLoads might help you!

Check this: App Transport Security

answered Jul 15 '16 at 15:40

Franclin Cabral

57
8

I agree with what you say. In reality it is not always so easy. For example if the purpose of your app is to allow the user to do something with a URL of her/his choice (like an internet browser for example) then you don't have much choice. Another case I had is when using http://www.startapp.com/ for banners. – Michel Jul 16 '16 at 05:00

score 3 · Answer 2 · answered Jul 09 '17 at 21:04

Explicitly define that you do not want to Allow Arbitrary Loads, then your exception will apply to that rule.

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <false/>
    <key>NSExceptionDomains</key>
    <dict>
        <key>mydomain.net</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
</dict>

score -1 · Answer 3 · answered Mar 26 '16 at 07:16

-1

i hope it will work for you.

<plist version="1.0">
<dict>
……..
  <key>NSAppTransportSecurity</key>
  <dict>
      <key>Allow Arbitrary Loads</key>
     <true/>
 </dict>
 ……..
  </dict>
  </plist>

answered Mar 26 '16 at 07:16

Satyanarayana

1,059
6
16

1

Unfortunately, I already tried and it did not work. On top of that, this solution is not recommended because not secure. Thanks anyway for the answer. – Michel Mar 26 '16 at 07:20

App Transport Security, exception domain issue

3 Answers3