Handling App Transport Security in iOS 9

09-17-2015 01:12 PM
DiveshGoyal
Esri Regular Contributor

If you've upgraded your development environment to the recently released Xcode 7, you might have noticed that your apps started encountering problems when making network connections. Don't worry, you're not alone. Our samples encounter the same problems when built against the iOS 9 SDK.

If you're wondering what's wrong, here's the deal. Apple started enforcing a more stringent network policy, App Transport Security (ATS), for apps built against the iOS 9 SDK. By default ATS blocks plain HTTP connections and requires HTTPS over TLS 1.2 using forward-secrecy cipher suites, with a server certificate signed using SHA-256 or stronger and carrying an RSA key of at least 2048 bits or an ECC key of at least 256 bits. Details can be found in Apple's Technote.

While these changes have a noble goal - to make your app more secure - they do pose problems when third-party services you rely upon don't meet all of Apple's requirements. On occasion, you may also deliberately want to use plain HTTP connections to avoid unnecessary overhead for information that isn't sensitive and doesn't need to be protected. Fortunately, Apple provides a way to relax these restrictions per domain in your app's Info.plist. (A blanket NSAllowsArbitraryLoads switch also exists, but it turns ATS off for every host your app talks to, so prefer the per-domain exceptions shown below.)

We've updated our samples to relax these restrictions by adding the following declaration to the app target's Info.plist file -

    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSExceptionDomains</key>
        <dict>
            <key>arcgisonline.com</key>
            <dict>
                <key>NSIncludesSubdomains</key>
                <true/>
                <key>NSThirdPartyExceptionAllowsInsecureHTTPLoads</key>
                <true/>
                <key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
                <false/>
            </dict>
            <key>arcgis.com</key>
            <dict>
                <key>NSIncludesSubdomains</key>
                <true/>
                <key>NSThirdPartyExceptionAllowsInsecureHTTPLoads</key>
                <true/>
                <key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
                <false/>
            </dict>
        </dict>
    </dict>

This change allows the samples to make HTTPS connections to arcgisonline.com and arcgis.com (and, because of NSIncludesSubdomains, all of their subdomains) without requiring forward secrecy. It also permits plain HTTP connections to those domains so that the samples can quickly load basemap layers and use sample services without needing the data to be encrypted. Connections to any other host remain subject to the full ATS policy. ArcGIS Online already supports HTTPS connections using TLS 1.2, so you can choose to use HTTPS exclusively in your app if you so desire, and we'll soon be adding support for forward secrecy ciphers so that your apps can connect to ArcGIS Online without needing to change your app's transport security policies.
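Before shipping an Info.plist with exception entries, it is worth checking exactly what they permit. The Python script below is an added example; it is not code from the original post or from the ArcGIS Runtime SDK. It parses an Info.plist with the standard-library plistlib, folds the NSException*/NSThirdPartyException* key pairs into one effective policy per domain, and answers the two questions a reviewer asks of a block like the one above: which hosts may be loaded over plain HTTP, and which are exempt from forward secrecy. SAMPLE_INFO_PLIST is a constructed plist wrapping the declaration from this post; the longest-match rule for overlapping exception entries is an assumption, since Apple does not document precedence between them.

```python
"""Audit an iOS Info.plist for App Transport Security (ATS) exceptions.
Added example, not code from the original post or the ArcGIS Runtime SDK.
SAMPLE_INFO_PLIST is a constructed plist wrapping the declaration from the post."""
import plistlib
from typing import List, Optional

SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSExceptionDomains</key>
        <dict>
            <key>arcgisonline.com</key>
            <dict>
                <key>NSIncludesSubdomains</key>
                <true/>
                <key>NSThirdPartyExceptionAllowsInsecureHTTPLoads</key>
                <true/>
                <key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
                <false/>
            </dict>
            <key>arcgis.com</key>
            <dict>
                <key>NSIncludesSubdomains</key>
                <true/>
                <key>NSThirdPartyExceptionAllowsInsecureHTTPLoads</key>
                <true/>
                <key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
                <false/>
            </dict>
        </dict>
    </dict>
</dict>
</plist>
"""

def effective_domain_policy(entry: dict) -> dict:
    """Fold the NSException*/NSThirdPartyException* key pairs into one view. Both
    spellings relax ATS the same way; missing keys fall back to the ATS defaults."""
    def lookup(suffix: str, default):
        return entry.get("NSException" + suffix,
                         entry.get("NSThirdPartyException" + suffix, default))

    return {
        "includes_subdomains": bool(entry.get("NSIncludesSubdomains", False)),
        "allows_insecure_http": bool(lookup("AllowsInsecureHTTPLoads", False)),
        "requires_forward_secrecy": bool(lookup("RequiresForwardSecrecy", True)),
    }

def audit_ats(plist_bytes: bytes) -> dict:
    """Parse an Info.plist into the app-wide flag plus one policy per exception domain."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    return {
        "arbitrary_loads": bool(ats.get("NSAllowsArbitraryLoads", False)),
        "domains": {host.lower(): effective_domain_policy(entry)
                    for host, entry in ats.get("NSExceptionDomains", {}).items()},
    }

def matching_domain(audit: dict, host: str) -> Optional[str]:
    """Exception entry governing `host`: an exact match, else the longest entry with
    NSIncludesSubdomains whose dot-prefixed name is a suffix of the host (so
    'notarcgis.com' does not match 'arcgis.com'). Longest-match is an assumption."""
    host = host.lower().rstrip(".")
    if host in audit["domains"]:
        return host
    hits = [d for d, p in audit["domains"].items()
            if p["includes_subdomains"] and host.endswith("." + d)]
    return max(hits, key=len) if hits else None

def policy_for(audit: dict, host: str) -> dict:
    """Effective ATS policy for a host. A listed domain keeps its own settings even
    when NSAllowsArbitraryLoads is true; unlisted hosts get the global setting."""
    d = matching_domain(audit, host)
    if d is not None:
        return audit["domains"][d]
    relaxed = audit["arbitrary_loads"]
    return {"includes_subdomains": False, "allows_insecure_http": relaxed,
            "requires_forward_secrecy": not relaxed}

def allows_plain_http(audit: dict, host: str) -> bool:
    """Would ATS let this app load http://host/...?"""
    return policy_for(audit, host)["allows_insecure_http"]

def findings(audit: dict) -> List[str]:
    """Every ATS relaxation in the plist, one line each, for a review checklist."""
    out = []
    if audit["arbitrary_loads"]:
        out.append("NSAllowsArbitraryLoads is true: ATS disabled for all unlisted hosts")
    for d, p in sorted(audit["domains"].items()):
        scope = d + (" and subdomains" if p["includes_subdomains"] else "")
        if p["allows_insecure_http"]:
            out.append(f"{scope}: plain http:// loads allowed")
        if not p["requires_forward_secrecy"]:
            out.append(f"{scope}: forward-secrecy cipher suites not required")
    return out
```

Run `findings(audit_ats(open("Info.plist", "rb").read()))` against your own target to get the checklist, and `allows_plain_http(...)` for a specific host you are unsure about. For the server side of the same question, macOS ships `nscurl --ats-diagnostics --verbose https://host`, which tries the ATS default and each relaxed configuration against a live endpoint and reports which ones succeed.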

4 Comments
ChrisKarcher
New Contributor

Hi Divesh,

Thanks for the post. I ran into this issue just a few minutes ago.

Do you have a timeframe for when https://server.arcgisonline.com will be updated to use a certificate that's signed with a more recent, non-SHA-1 signature? I'd prefer not to add a security exception in my app if at all possible.

DiveshGoyal
Esri Regular Contributor

I don't have a definite time frame as yet, but we'll try to get it into one of our regularly scheduled updates in the coming months.

MichaelDavis3
Occasional Contributor III

FYI - this seems to apply to authentication against AGOL for app licensing purposes as well.

marius
New Contributor III

According to Apple, starting in January 2017, ATS will be mandatory, and apps using the exception keys will be rejected.

Is there any chance we get a patch update for the stable SDK, so we can submit updates after January 2017?

Here's a blog post re ATS https://nabla-c0d3.github.io/blog/2016/08/14/ats-enforced-2017/  that provides some details on that.

Thank you