
In 2017, how should we handle LAN requests without HTTPS in respect to ATS settings?


As far as I understand in 2017 Apple will reject all apps that have Allow Arbitrary Loads enabled in Info.plist:

[screenshot: ATS settings]

See also: https://nabla-c0d3.github.io/blog/2016/08/14/ats-enforced-2017/

Our app is controlling smart devices at the user's home. This said, we're not talking to the internet and only to LAN devices via HTTP. All these devices don't support HTTPS. How are we supposed to configure these App Transport Security Settings without having our app rejected by Apple?

Edit: Apple has delayed the SSL/ATS requirement to after 1/1/2017


Solution

  • Just to clarify, Apple will be rejecting apps that are using the ATS exception to disable ATS for apps submitted after 12/31/2016, unless there is a valid reason why the app must use the exception. We just don't know yet what reasons Apple will accept.

    So unfortunately, there is not a great solution for local network resources being blocked by ATS in iOS 9. As far as I can see, you have 2 options.

    1. Continue to support iOS 9, and add the global ATS exception, and hope that when you submit your app after 12/31/2016, Apple will accept your justification for the need to support iOS 9 and access local network resources with ATS disabled. Until 1/1/2017, it will be hard to know what types of justifications will be seen by Apple as reasonable, but Apple has made it clear that there will be a process for justifying an app's use of the ATS exceptions. If you go this route, I would try to push a small update to the app in early January with the ATS exception still in to see if you can make it through the process.

    2. Drop support for iOS 9, remove the blanket ATS exception (NSAllowsArbitraryLoads), and use the NSAllowsLocalNetworking exception instead to turn off ATS protections only on local networking traffic. This is not supported on iOS 9, so you'd need to have the new app be iOS 10 only. Basically, local traffic on iOS 9 devices with only the NSAllowsLocalNetworking plist entry set to true would be blocked by ATS. Depending on your client base, this may be possible. iOS 9 users would still be able to get the last version of the app before your iOS 10 release.

    Edit:

    So it looks like Apple is using some custom behaviour in iOS 10 to allow apps on iOS 10 to be more secure, while allowing backwards compatibility in iOS 9. If you include both the NSAllowsArbitraryLoads and the NSAllowsLocalNetworking in your Info.plist, iOS 9 will only recognize the NSAllowsArbitraryLoads entry, and allow all traffic (not great from a security standpoint, but will work for your local network traffic). In iOS 10, the use of the NSAllowsLocalNetworking will cause iOS 10 to ignore the NSAllowsArbitraryLoads entry, meaning your app will ensure ATS is enforced for non-local connections, but allow the local connections to go through. Obviously, you should test your app on both iOS 9 and 10, but this would be ideal from a security standpoint if you still need to support iOS 9. It is important to note that you would still need to provide justification to Apple, but given that Apple put this functionality in to handle this exact scenario, I would be willing to bet that backwards compatibility would be an accepted justification.

    From Apple's documentation:

    In iOS 10 and later, and macOS 10.12 and later, the value of this key is ignored if any of the following keys are present in your app’s Info.plist file:

      • NSAllowsArbitraryLoadsForMedia
      • NSAllowsArbitraryLoadsInWebContent
      • NSAllowsLocalNetworking
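A small build-time check for the dual-key approach in the answer above, added here as an example and not taken from the answer or from Apple: it reads an Info.plist with the standard library and reports which ATS exception is actually in effect on iOS 9 versus iOS 10, using the version rules quoted from Apple's documentation. The embedded plist (bundle id, key layout) is a constructed sample.

```python
import plistlib

# Constructed sample Info.plist (not from the original post): both keys set,
# the combination the answer recommends for an app that still supports iOS 9.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.smarthome</string>
    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSAllowsArbitraryLoads</key>
        <true/>
        <key>NSAllowsLocalNetworking</key>
        <true/>
    </dict>
</dict>
</plist>
"""

# Keys whose presence makes iOS 10+ ignore NSAllowsArbitraryLoads (per Apple's docs quoted above).
OVERRIDING_KEYS = ("NSAllowsArbitraryLoadsForMedia",
                   "NSAllowsArbitraryLoadsInWebContent",
                   "NSAllowsLocalNetworking")


def effective_ats(plist_bytes, ios_major):
    """Return (arbitrary_loads_in_effect, local_networking_in_effect) for an iOS major version."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    arbitrary = bool(ats.get("NSAllowsArbitraryLoads", False))
    local = bool(ats.get("NSAllowsLocalNetworking", False))
    if ios_major < 10:
        # iOS 9 only knows NSAllowsArbitraryLoads; the newer local-networking key is not recognised.
        return arbitrary, False
    if any(key in ats for key in OVERRIDING_KEYS):
        arbitrary = False  # blanket exception is ignored once an overriding key is present
    return arbitrary, local


def lint_ats(plist_bytes):
    """Plain-language findings a release checklist can print for each supported iOS line."""
    findings = []
    arb9, _ = effective_ats(plist_bytes, 9)
    arb10, local10 = effective_ats(plist_bytes, 10)
    if arb9:
        findings.append("iOS 9: ATS fully disabled; every host, not just the LAN, may be reached over plain HTTP")
    if arb10:
        findings.append("iOS 10+: ATS fully disabled (NSAllowsArbitraryLoads with no overriding key); expect to justify this in App Review")
    elif local10:
        findings.append("iOS 10+: ATS enforced for non-local hosts; plain HTTP permitted only on the local network")
    return findings
```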