DGoyal-esristaff

Handling App Transport Security in iOS 9

Blog Post created by DGoyal-esristaff Employee on Sep 17, 2015

If you've upgraded your development environment to the recently released XCode 7, you might have noticed that your apps started encountering problems when making network connections. Don't worry, you're not alone. Our samples also encounter the same problems when built using iOS 9 SDK.

 

If you're wondering what's wrong, here's the deal. Apple started enforcing more stringent policies regarding network connections for apps built with iOS 9. These policies block plain HTTP connections and require that you exclusively use secure HTTPS connections that support forward secrecy. Details can be found in Apple's Technote

 

While these changes have a noble goal - to make your app more secure - they do pose problems when third-party services you rely upon don't meet all of Apple's guidelines. On occasion, you may deliberately want to use plain HTTP connections to avoid unnecessary overhead for information that isn't sensitive and doesn't need to be protected. Fortunately, Apple provides a way to ease these policy restrictions in your app.

 

We've updated our samples to relax these restrcitions by adding the following declaration to the info.plist file -

 

    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSExceptionDomains</key>
        <dict>
            <key>arcgisonline.com</key>
            <dict>
                <key>NSIncludesSubdomains</key>
                <true/>
                <key>NSThirdPartyExceptionAllowsInsecureHTTPLoads</key>
                <true/>
                <key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
                <false/>
            </dict>
            <key>arcgis.com</key>
            <dict>
                <key>NSIncludesSubdomains</key>
                <true/>
                <key>NSThirdPartyExceptionAllowsInsecureHTTPLoads</key>
                <true/>
                <key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
                <false/>
            </dict>
        </dict>
    </dict>

 

This change allows the samples to make HTTPS connections without requiring forward secrecy. It also permits plain HTTP connections to ArcGIS Online so that the samples can quickly load basemap layers and use sample services without needing the data to be encrypted. ArcGIS Online already supports HTTPS connections using industry leading TLS 1.2 so you can choose to use HTTPS exclusively in your app if you so desire, and we'll soon be adding support for forward secrecy ciphers so that your apps can connect to ArcGIS Online without needing to change your app's transport security policies.

Outcomes