What setting do I need to put in my info.plist
to enable HTTP mode as per the following error message?
Transport security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file.
Assume that my domain is example.com
.
This question is related to
ios
xcode
ios9
ios10
app-transport-security
If you are using Xcode 8.0+ and Swift 2.2+ or even Objective C:
If you want to allow HTTP connections to any site, you can use this keys:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
If you know which domains you will connect to add:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>example.com</key>
<dict>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSIncludesSubdomains</key>
<true/>
</dict>
</dict>
</dict>
I do not like editing the plist directly. You can easily add it to the plist using the GUI:
Now change the data in the main area:
Add Row
By default, iOS only allows HTTPS API. Since HTTP is not secure, you will have to disable App transport security. There are two ways to disable ATS:-
1. Adding source code in project info.plist and add the following code in root tag.
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
2. Using project info.
Click on project on the project on the left pane, select the project as target and choose info tab. You have to add the dictionary in the following structure.
For those of you who want a more context on why this is happening, in addition to how to fix it, then read below.
With the introduction of iOS 9, to improve the security of connections between an app and web services, secure connections between an app and its web service must follow best practices. The best practices behavior is enforced by the App Transport Security to:
As explained in the App Transport Security Technote, when communicating with your web service, App Transport Security now has the following requirements and behavior:
- The server must support at least Transport Layer Security (TLS) protocol version 1.2.
- Connection ciphers are limited to those that provide forward secrecy (see the list of ciphers below.)
- Certificates must be signed using a SHA256 or better signature hash algorithm, with either a 2048 bit or greater RSA key or a 256 bit or greater Elliptic-Curve (ECC) key.
- Invalid certificates result in a hard failure and no connection.
In other words, your web service request should: a.) use HTTPS and b.) be encrypted using TLS v1.2 with forward secrecy.
However, as was mentioned in other posts, you can override this new behavior from App Transport Security by specifying the insecure domain in the Info.plist
of your app.
To override, you will need to add the NSAppTransportSecurity
> NSExceptionDomains
dictionary properties to your Info.plist
. Next, you will add your web service's domain to the NSExceptionDomains
dictionary.
For example, if I want to bypass the App Transport Security behavior for a web service on the host www.yourwebservicehost.com then I would do the following:
Open your app in Xcode.
Find the Info.plist
file in Project Navigator and "right-mouse" click on it and choose the Open As > Source Code menu option. The property list file will appear in the right pane.
Put the following properties block inside of the main properties dictionary (under the first <dict>
).
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>www.example.com</key>
<dict>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSExceptionMinimumTLSVersion</key>
<string>TLSv1.1</string>
<key>NSIncludesSubdomains</key>
<true/>
</dict>
</dict>
</dict>
If you need to provide exceptions for additional domains then you would add another dictionary property beneath NSExceptionDomains
.
To find out more about the keys referenced above, read this already mentioned technote.
Like many have noted, this is a feature issue that comes with iOS 9.0. They have added a thing called App Transport Security, and I too was annoyed when it broke my Apps.
You can bandage it with the NSAllowsArbitraryLoads key to YES under NSAppTransportSecurity dictionary in your .plist file, but ultimately you will need to re-write the code that forms your URLs to form the HTTPS:// prefix.
Apple has re-written the NSUrlConnection class in iOS 9.0. You can read about it in NSURLConnection.
Else, you may have to back out of iOS 9.0 until you have time to implement the correct solution.
On 2015-09-25 (after Xcode updates on 2015-09-18):
I used a non-lazy method, but it didn't work. The followings are my tries.
First,
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>www.xxx.yyy.zzz</key>
<dict>
<key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSTemporaryExceptionMinimumTLSVersion</key>
<string>TLSv1.1</string>
<key>NSIncludesSubdomains</key>
<true/>
</dict>
</dict>
</dict>
And second,
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>www.xxx.yyy.zzz</key>
<dict>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSExceptionMinimumTLSVersion</key>
<string>TLSv1.1</string>
<key>NSIncludesSubdomains</key>
<true/>
</dict>
</dict>
</dict>
Finally, I used the lazy method:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
It might be a little insecure, but I couldn't find other solutions.
Allow Arbitrary Loads
to NO
!!!You must always use HTTPS
for your networking stuff. But if you really can't, just add an exception to the info.plist
For example, if you are using http://google.com
and getting that error, You MUST change it to https://google.com
(with s) since it supports perfectly.
But if you can't somehow, (and you cant convince backend developers to support SSL), add JUST this unsecured domain to the info.plist
(instead of making it available for ALL UNSECURE NET!)
Update for Xcode 7.1, facing problem 27.10.15:
The new value in the Info.plist is "App Transport Security Settings". From there, this dictionary should contain:
This was tested and was working on iOS 9 GM seed - this is the configuration to allow a specific domain to use HTTP instead of HTTPS:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<false/>
<key>NSExceptionDomains</key>
<dict>
<key>example.com</key> <!--Include your domain at this line -->
<dict>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSTemporaryExceptionMinimumTLSVersion</key>
<string>TLSv1.1</string>
</dict>
</dict>
</dict>
NSAllowsArbitraryLoads
must be false
, because it disallows all insecure connection, but the exceptions list allows connection to some domains without HTTPS.
According to Apple, generally disabling ATS will lead to app rejection, unless you have a good reason to do so. Even then, you should add exceptions for domains that you can access safely.
Apple has an excellent tool that tells you exactly what settings to use: In Terminal, enter
/usr/bin/nscurl --ats-diagnostics --verbose https://www.example.com/whatever
and nscurl will check whether this request fails, and then try a variety of settings and tell you exactly which one passes, and what to do. For example, for some third-party URL that I visit, this command told me that this dictionary passes:
{
NSExceptionDomains = {
"www.example.com" = {
NSExceptionRequiresForwardSecrecy = false;
};
};
}
To distinguish between your own sites and third-party sites that are out of your control, use, for example, the key NSThirdPartyExceptionRequiresForwardSecrecy.
NOTE: The exception domain in your plist should be in LOWER-CASE.
Example: you have named your machine "MyAwesomeMacbook" under Settings->Sharing; your server (for test purposes) is running on MyAwesomeMacbook.local:3000, and your app needs to send a request to http://MyAwesomeMacbook.local:3000/files..., your plist you will need to specify "myawesomemacbook.local" as the exception domain.
--
Your info.plist would contain...
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>myawesomemacbook.local</key>
<dict>
<!--Include to allow subdomains-->
<key>NSIncludesSubdomains</key>
<true/>
<!--Include to allow HTTP requests-->
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
</dict>
</dict>
</dict>
There are two solutions for this :
Solutions 1 :
Info.plist
file add a dictionary with key 'NSAppTransportSecurity
''Allow Arbitrary Loads'
Plist
structure should appear as shown in below image.
Solution 2 :
Info.plist
file add a dictionary with key 'NSAppTransportSecurity
'NSExceptionDomains
''MyDomainName.com'
of type NSDictionaryNSIncludesSubdomains
' of type Boolean
and value set as YES
NSTemporaryExceptionAllowsInsecureHTTPLoads
' of type Boolean
and value set as YES
Plist
structure should appear as shown in below image.
Solution 2 is preferred since it allows only selected domain whereas solution 1 allows all insecure HTTP connections.
See the forum post Application Transport Security?.
Also the page Configuring App Transport Security Exceptions in iOS 9 and OSX 10.11.
For example, you can add a specific domain like:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>example.com</key>
<dict>
<!--Include to allow subdomains-->
<key>NSIncludesSubdomains</key>
<true/>
<!--Include to allow HTTP requests-->
<key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
<true/>
<!--Include to specify minimum TLS version-->
<key>NSTemporaryExceptionMinimumTLSVersion</key>
<string>TLSv1.1</string>
</dict>
</dict>
</dict>
The lazy option is:
<key>NSAppTransportSecurity</key>
<dict>
<!--Include to allow all connections (DANGER)-->
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
info.plist
is an XML file so you can place this code more or less anywhere inside the file.
Go to your Info.plist
Figuring out what settings to use can be performed automatically, as mentioned in this technote:
/usr/bin/nscurl --ats-diagnostics --verbose https://your-domain.com
Using NSExceptionDomains
may not apply an effect simultaneously due to target site may load resources (e.g. js
files) from external domains over http
. It can be resolved by adding these external domains to NSExceptionDomains
as well.
To inspect which resources cannot be loaded try to use Remote debugging. Here is a tutorial: http://geeklearning.io/apache-cordova-and-remote-debugging-on-ios/
For those who came here trying to find the reason why their WKWebView is always white and loads nothing (exactly as described here how do I get WKWebView to work in swift and for an macOS App) :
If all the rocket science above does not work for you check the obvious: the sandbox settings
Being new to swift and cocoa, but pretty experienced in programming I've spend about 20 hours to find this solution. None of dozens hipster-iOS-tutorials nor apple keynotes – nothing mentions this small checkbox.
For Cordova, if you want to add it into your ios.json, do the following:
"NSAppTransportSecurity": [
{
"xml": "<dict><key>NSAllowsArbitraryLoads</key><true /></dict>"
}
]
And it should be inside of:
"*-Info.plist": {
"parents": {
}
}
This is a quick workaround (but not recommended) to add this in the plist:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
Which means (according to Apple's documentation):
NSAllowsArbitraryLoads
A Boolean value used to disable App Transport Security for any domains not listed in the NSExceptionDomains dictionary. Listed domains use the settings specified for that domain.The default value of NO requires the default App Transport Security behaviour for all connections.
I really recommend links:
which help me understand reasons and all the implications.
The XML (in file Info.plist) below will:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<false/>
<key>NSExceptionDomains</key>
<dict>
<key>PAGE_FOR_WHICH_SETTINGS_YOU_WANT_TO_OVERRIDE</key>
<dict>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
</dict>
</dict>
</dict>
disallow arbitrary calls for all pages, but for PAGE_FOR_WHICH_SETTINGS_YOU_WANT_TO_OVERRIDE
will allow that connections use the HTTP protocol.
To the XML above you can add:
<key>NSIncludesSubdomains</key>
<true/>
if you want to allow insecure connections for the subdomains of the specified address.
The best approach is to block all arbitrary loads (set to false) and add exceptions to allow only addresses we know are fine.
2018 Update:
Apple is not recommending switching this off - more information can be found in 207 session WWDC 2018 with more things explained in regards to security
Leaving the original answer for historic reasons and development phase
It may be worth mentioning how to get there...
Info.plist is one of the files below the Main.storyboard or viewController.swift.
When you click on it the first time, it usually is in a table format, so right click the file and 'open as' Source code and then add the code below towards the end, i.e.:
<key>NSAppTransportSecurity</key><dict><key>NSAllowsArbitraryLoads</key><true/></dict>
Copy paste the code just above
"</dict>
</plist>"
which is at the end.
Transport security is available on iOS 9.0 or later. You may have this warning when trying to call a WS inside your application:
Application Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file.
Adding the following to your Info.plist will disable ATS:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key><true/>
</dict>
In swift 4 and xocde 10 is change the NSAllowsArbitraryLoads to Allow Arbitrary Loads. so it is going to be look like this :
<key>App Transport Security Settings</key>
<dict>
<key>Allow Arbitrary Loads</key><true/>
</dict>
Source: Stackoverflow.com