Вопрос: Безопасность транспорта заблокировала простой текст HTTP


Какую настройку мне нужно поставить info.plistдля включения режима HTTP в соответствии со следующим сообщением об ошибке?

Безопасность транспорта заблокировала открытый ресурс HTTP (http: //)   поскольку он небезопасен. Временные исключения можно настроить через   файл Info.plist вашего приложения.

Xcode

Предположим, что мой домен example.com,


1260


источник


Ответы:


Если вы используете Xcode 8.0 и Swift 3.0 или Swift 2.2 или даже Objective C:

Enter image description here

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
    <key>NSExceptionDomains</key>
    <dict>
        <key>example.com</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <key>NSIncludesSubdomains</key>
            <true/>
        </dict>
    </dict>
</dict>

211



Использование:

Enter image description here

Вы должны установить NSAllowsArbitraryLoads ключ к ДА под NSAppTransportSecurity словарь в вашем файле .plist.

Plist configuration


884



Вот настройки визуально:

visual settings for NSAllowsArbitraryLoads in info.plist via Xcode GUI


787



Посмотреть сообщение Безопасность при транспортировке приложений? ,

Также страница Настройка исключений безопасности транспорта приложений в iOS 9 и OSX 10.11 ,

Например, вы можете добавить определенный домен, например:

<key>NSAppTransportSecurity</key>
<dict>
  <key>NSExceptionDomains</key>
  <dict>
    <key>example.com</key>
    <dict>
      <!--Include to allow subdomains-->
      <key>NSIncludesSubdomains</key>
      <true/>
      <!--Include to allow HTTP requests-->
      <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
      <true/>
      <!--Include to specify minimum TLS version-->
      <key>NSTemporaryExceptionMinimumTLSVersion</key>
      <string>TLSv1.1</string>
    </dict>
  </dict>
</dict>

Ленивый вариант:

<key>NSAppTransportSecurity</key>
<dict>
  <!--Include to allow all connections (DANGER)-->
  <key>NSAllowsArbitraryLoads</key>
      <true/>
</dict>

Заметка:

info.plistявляется XML-файлом, поэтому вы можете разместить этот код более или менее где угодно внутри файла.


681



Это было протестировано и работало на семенах iOS 9 GM - это конфигурация, позволяющая конкретный домен для использования HTTP вместо HTTPS:

<key>NSAppTransportSecurity</key>
<dict>
      <key>NSAllowsArbitraryLoads</key> 
      <false/>
       <key>NSExceptionDomains</key>
       <dict>
            <key>example.com</key> <!--Include your domain at this line -->
            <dict>
                <key>NSIncludesSubdomains</key>
                <true/>
                <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
                <true/>
                <key>NSTemporaryExceptionMinimumTLSVersion</key>
                <string>TLSv1.1</string>
            </dict>
       </dict>
</dict>

NSAllowsArbitraryLoadsдолжно быть false, поскольку он запрещает все небезопасное соединение, но список исключений позволяет подключиться к некоторые доменов без HTTPS.


293



This is a quick workaround (but not recommended) to add this in the plist:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

Which means (according to Apple's documentation):

NSAllowsArbitraryLoads
A Boolean value used to disable App Transport Security for any domains not listed in the NSExceptionDomains dictionary. Listed domains use the settings specified for that domain.

The default value of NO requires the default App Transport Security behaviour for all connections.

I really recommend links:

which help me understand reasons and all the implications.

The XML (in file Info.plist) below will:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <false/>
    <key>NSExceptionDomains</key>
    <dict>
        <key>PAGE_FOR_WHICH_SETTINGS_YOU_WANT_TO_OVERRIDE</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
</dict>

disallow arbitrary calls for all pages, but for PAGE_FOR_WHICH_SETTINGS_YOU_WANT_TO_OVERRIDE will allow that connections use the HTTP protocol.

To the XML above you can add:

<key>NSIncludesSubdomains</key>
<true/>

if you want to allow insecure connections for the subdomains of the specified address.

The best approach is to block all arbitrary loads (set to false) and add exceptions to allow only addresses we know are fine.

For interested readers


123



For those of you who want a more context on why this is happening, in addition to how to fix it, then read below.

With the introduction of iOS 9, to improve the security of connections between an app and web services, secure connections between an app and its web service must follow best practices. The best practices behavior is enforced by the App Transport Security to:

  • prevent accidental disclosure, and
  • provide a default behavior that is secure.

As explained in the App Transport Security Technote, when communicating with your web service, App Transport Security now has the following requirements and behavior:

  • The server must support at least Transport Layer Security (TLS) protocol version 1.2.
  • Connection ciphers are limited to those that provide forward secrecy (see the list of ciphers below.)
  • Certificates must be signed using a SHA256 or better signature hash algorithm, with either a 2048 bit or greater RSA key or a 256 bit or greater Elliptic-Curve (ECC) key.
  • Invalid certificates result in a hard failure and no connection.

In other words, your web service request should: a.) use HTTPS and b.) be encrypted using TLS v1.2 with forward secrecy.

However, as was mentioned in other posts, you can override this new behavior from App Transport Security by specifying the insecure domain in the Info.plist of your app.


To override, you will need to add the NSAppTransportSecurity > NSExceptionDomains dictionary properties to your Info.plist. Next, you will add your web service's domain to the NSExceptionDomains dictionary.

For example, if I want to bypass the App Transport Security behavior for a web service on the host www.yourwebservicehost.com then I would do the following:

  1. Open your app in Xcode.

  2. Find the Info.plist file in Project Navigator and "right-mouse" click on it and choose the Open As > Source Code menu option. The property list file will appear in the right pane.

  3. Put the following properties block inside of the main properties dictionary (under the first <dict>).


<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>www.example.com</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <key>NSExceptionMinimumTLSVersion</key>
            <string>TLSv1.1</string>
            <key>NSIncludesSubdomains</key>
            <true/>
        </dict>
    </dict>
</dict>

If you need to provide exceptions for additional domains then you would add another dictionary property beneath NSExceptionDomains.

To find out more about the keys referenced above, read this already mentioned technote.


111



I do not like editing the plist directly. You can easily add it to the plist using the GUI:

  • Click on the Info.plist in the Navigator on the left.
  • Now change the data in the main area:

    • On the last line add the +
    • Enter the name of the group: App Transport Security Settings
    • Right click on the group and select Add Row
    • Enter Allow Arbitrary Loads
    • Set the value on the right to YES

Example


64



Apple Document 1

Apple Document 2

There are two solutions for this :

Solutions 1 :

  1. In Info.plist file add a dictionary with key 'NSAppTransportSecurity'
  2. Add another element inside dictionary with key 'Allow Arbitrary Loads'

Plist structure should appear as shown in below image.

Solution 1

Solution 2 :

  1. In Info.plist file add a dictionary with key 'NSAppTransportSecurity'
  2. Add another element inside dictionary with key 'NSExceptionDomains'
  3. Add element with key 'MyDomainName.com' of type NSDictionary
  4. Add element with key 'NSIncludesSubdomains' of type Boolean and value set as YES
  5. Add element with key 'NSTemporaryExceptionAllowsInsecureHTTPLoads' of type Boolean and value set as YES

Plist structure should appear as shown in below image.

Solution 2

Solution 2 is preferred since it allows only selected domain whereas solution 1 allows all insecure HTTP connections.


22



Transport security is available on iOS 9.0 or later. You may have this warning when trying to call a WS inside your application:

Application Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file.

Adding the following to your Info.plist will disable ATS:

<key>NSAppTransportSecurity</key>
<dict>
     <key>NSAllowsArbitraryLoads</key><true/>
</dict>

19



Development Example

Here is a screenshot of a plist which keeps ATS intact (=secure), but allows that connections to localhost can be made via HTTP instead of HTTPS. It works in Xcode 7.1.1.

Enter image description here


13



Figuring out what settings to use can be performed automatically, as mentioned in this technote:

/usr/bin/nscurl --ats-diagnostics --verbose https://your-domain.com

12