iOS9 ATS: what about HTML5 based apps?


According to the documentation at https://developer.apple.com/library/content/releasenotes/General/WhatsNewIniOS/Articles/iOS9.html#//apple_ref/doc/uid/TP40016198-SW14, Apple forces the use of HTTPS over HTTP in iOS 9.

App Transport Security

App Transport Security (ATS) lets an app add a declaration to its Info.plist file that specifies the domains with which it needs secure communication. ATS prevents accidental disclosure, provides secure default behavior, and is easy to adopt. You should adopt ATS as soon as possible, regardless of whether you’re creating a new app or updating an existing one.

If you’re developing a new app, you should use HTTPS exclusively. If you have an existing app, you should use HTTPS as much as you can right now, and create a plan for migrating the rest of your app as soon as possible.

What does that mean for web applications, esp. Sencha Touch and Cordova/PhoneGap based ones? My web app can be configured to any server address, so there's no way I can whitelist them in a plist file. Will this only be applicable for applications that use native requests (via NSURLRequest etc.)?


There are 4 answers

Rashmi Ranjan mallick (accepted answer, score 5)

If you are not sure which URL your application will connect to, or if you connect to many URLs, you can bypass ATS (App Transport Security) by adding the following keys to the Info.plist file.

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>
ChenYilong (score 0)

How to deal with SSL in iOS 9? One solution is the following.

As Apple says:

iOS 9 and OSX 10.11 require TLSv1.2 SSL for all hosts you plan to request data from unless you specify exception domains in your app's Info.plist file.

The syntax for the Info.plist configuration looks like this:

<key>NSAppTransportSecurity</key>
<dict>
  <key>NSExceptionDomains</key>
  <dict>
    <key>yourserver.com</key>
    <dict>
      <!--Include to allow subdomains-->
      <key>NSIncludesSubdomains</key>
      <true/>
      <!--Include to allow insecure HTTP requests-->
      <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
      <true/>
      <!--Include to specify minimum TLS version-->
      <key>NSTemporaryExceptionMinimumTLSVersion</key>
      <string>TLSv1.1</string>
    </dict>
  </dict>
</dict>

If your application (a third-party web browser, for instance) needs to connect to arbitrary hosts, you can configure it like this:

<key>NSAppTransportSecurity</key>
<dict>
    <!--Connect to anything (this is probably BAD)-->
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

If you're having to do this, it's probably best to update your servers to use TLSv1.2 and SSL, if they're not already doing so. This should be considered a temporary workaround.

As of today, the prerelease documentation makes no mention of any of these configuration options in any specific way. Once it does, I'll update the answer to link to the relevant documentation.

Here is a demo (Demo1).
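The two plist fragments above are the whole story from Apple's side, so the practical question for a hybrid app is how to tell whether a build shipped with the "connect to anything" setting and how to turn it into per-domain exceptions. The following is an added example, not code from either answer, from Apple or from Cordova: a Python script using the standard-library plistlib that audits the NSAppTransportSecurity dictionary of an Info.plist (NSAllowsArbitraryLoads, per-domain insecure HTTP, a lowered minimum TLS version, forward secrecy switched off) and rewrites it into scoped exceptions for a named list of hosts while ATS stays on for everything else. The sample plist, the bundle identifier com.example.hybridapp and the host names are constructed for this example. It recognises both the NSTemporaryException* key names shown above and the NSException* names Apple documented later, since both spellings are honoured.

```python
import plistlib

# Constructed sample Info.plist (not from any real app): the "connect to
# anything" configuration plus one legacy host with weakened settings.
WEAK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.hybridapp</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSIncludesSubdomains</key>
        <true/>
        <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
        <true/>
        <key>NSTemporaryExceptionMinimumTLSVersion</key>
        <string>TLSv1.0</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# ATS honours the original NSTemporaryException* spellings and the later
# NSException* ones; check both so older generated plists are covered.
HTTP_KEYS = ("NSExceptionAllowsInsecureHTTPLoads",
             "NSTemporaryExceptionAllowsInsecureHTTPLoads")
TLS_KEYS = ("NSExceptionMinimumTLSVersion",
            "NSTemporaryExceptionMinimumTLSVersion")
# Unknown version strings rank as weakest so they are flagged rather than skipped.
TLS_RANK = {"TLSv1.0": 0, "TLSv1.1": 1, "TLSv1.2": 2, "TLSv1.3": 3}


def load_ats(plist_bytes):
    """Return the NSAppTransportSecurity dict, or None if the app has none."""
    return plistlib.loads(plist_bytes).get("NSAppTransportSecurity")


def audit_ats(plist_bytes):
    """List (severity, message) findings for the ATS settings in a plist."""
    ats = load_ats(plist_bytes)
    findings = []
    if ats is None:
        findings.append(("info", "no NSAppTransportSecurity dict: ATS defaults "
                                 "(HTTPS only, TLS 1.2) apply to every host"))
        return findings
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append(("high", "NSAllowsArbitraryLoads is true: ATS is off for "
                                 "every host not listed in NSExceptionDomains"))
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        scope = domain + (" (+subdomains)" if rules.get("NSIncludesSubdomains") else "")
        if any(rules.get(k) for k in HTTP_KEYS):
            findings.append(("medium", f"{scope}: plaintext http:// loads allowed"))
        min_tls = next((rules[k] for k in TLS_KEYS if k in rules), None)
        if min_tls is not None and TLS_RANK.get(min_tls, 0) < TLS_RANK["TLSv1.2"]:
            findings.append(("medium", f"{scope}: minimum TLS lowered to {min_tls}"))
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(("low", f"{scope}: forward secrecy not required"))
    return findings


def build_ats(http_domains=(), tls11_domains=()):
    """ATS stays on globally; only the named hosts get a scoped exception."""
    exceptions = {}
    for d in http_domains:
        exceptions[d] = {"NSIncludesSubdomains": True,
                         "NSExceptionAllowsInsecureHTTPLoads": True}
    for d in tls11_domains:
        exceptions.setdefault(d, {})["NSExceptionMinimumTLSVersion"] = "TLSv1.1"
    return {"NSAllowsArbitraryLoads": False, "NSExceptionDomains": exceptions}


def harden_plist(plist_bytes, http_domains=(), tls11_domains=()):
    """Replace the ATS dict with a scoped one; every other key is kept."""
    info = plistlib.loads(plist_bytes)
    info["NSAppTransportSecurity"] = build_ats(http_domains, tls11_domains)
    return plistlib.dumps(info)


if __name__ == "__main__":
    for sev, msg in audit_ats(WEAK_PLIST):
        print(f"[{sev}] {msg}")
    fixed = harden_plist(WEAK_PLIST, http_domains=["legacy.example.com"])
    print(fixed.decode())
    for sev, msg in audit_ats(fixed):
        print(f"[{sev}] {msg}")
```

In a Cordova project the file to feed this is the generated platforms/ios/<AppName>/<AppName>-Info.plist (<AppName> standing in for your project's name), either run by hand after cordova prepare or called from an after_prepare hook so the scoped dictionary survives a rebuild. The audit still reports a medium finding for the legacy host after hardening, which is the point: an exception is visible and reviewable, whereas NSAllowsArbitraryLoads hides every insecure request behind one key.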

robert.little (score 1)

Try this: cordova plugin add https://github.com/robertklein/cordova-ios-security.git

It will add the following part to the *-Info.plist file during build process:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>
jimmont (score 0)

Apple actually doesn't force anything; they simply have a framework set up to default to, and thereby encourage, greater security for the benefit of the app and the users of its services. What this means is that, until the hybrid tooling integrates the details into existing products, adjustments need to be made to the appropriate configuration files with some understanding of the details (see the linked answer and the comment below it).

After spending time with this exact problem, I suggest initially developing locally while allowing arbitrary loads and bypassing ATS. If ATS is needed for App Store approval, then once you're ready to begin testing with a wider group of users, turn ATS on (and arbitrary loads off explicitly) and tune the exceptions to the default settings as needed. The main questions to ask for each domain are whether to allow subdomains, whether to adjust TLS versions, and whether to also allow insecure HTTP.

My app has 20 or so domains, with the intention of passing other requests to other apps. If it were a web browser I'd have specific settings for my services (which I control and know) and allow the rest to be arbitrary.