App TranSport security, allow arbitrary load not working after upgrade to IOS 10.1

ios ios10 app-transport-security
Lê Khánh Vinh picture Lê Khánh Vinh · Nov 9, 2016 · Viewed 15k times · Source

I have an app that works fine in ios 9 and 10.0 (I have add the App Transport Security blocking with “Allow Arbitrary Loads = YES” to my info.plist. But after upgrade to 10.1 and Xcode 8.1 there seem to be a problem with the App Transport Security. I can not connect to server. My server only support up to TLS 1.1

Showing this error 

Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.

May be IOS 10.1 ignore the .plist info. (Note that on 9.3 till 10.0 it is still working fine).

My .plist file

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleDevelopmentRegion</key>
    <string>en</string>
    <key>CFBundleDisplayName</key>
    <string>SingPost</string>
    <key>CFBundleExecutable</key>
    <string>${EXECUTABLE_NAME}</string>
    <key>CFBundleIdentifier</key>
    <string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
    <key>CFBundleInfoDictionaryVersion</key>
    <string>6.0</string>
    <key>CFBundleName</key>
    <string>${PRODUCT_NAME}</string>
    <key>CFBundlePackageType</key>
    <string>APPL</string>
    <key>CFBundleShortVersionString</key>
    <string>1.8.7</string>
    <key>CFBundleSignature</key>
    <string>????</string>
    <key>CFBundleURLTypes</key>
    <array>
        <dict>
            <key>CFBundleURLSchemes</key>
            <array>
                <string>fb1540614276180366</string>
            </array>
            <key>Item 0</key>
            <string>fb1540614276180366</string>
        </dict>
    </array>
    <key>CFBundleVersion</key>
    <string>1.8.7</string>
    <key>FacebookAppID</key>
    <string>1540614276180366</string>
    <key>FacebookDisplayName</key>
    <string>Singpost</string>
    <key>LSRequiresIPhoneOS</key>
    <true/>
    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSAllowsArbitraryLoads</key>
        <true/>
        <key>NSAllowsArbitraryLoadsInWebContent</key>
        <true/>
        <key>NSExceptionDomains</key>
        <dict>
            <key>prdesb1.singpost.com</key>
            <dict>
                <key>NSIncludesSubdomains</key>
                <true/>
                <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
                <true/>
                <key>NSTemporaryExceptionMinimumTLSVersion</key>
                <string>TLSv1.1</string>
                <key>NSTemporaryExceptionRequiresForwardSecrecy</key>
                <false/>
            </dict>
            <key>mobile.singpost.com</key>
            <dict>
                <key>NSIncludesSubdomains</key>
                <true/>
                <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
                <true/>
                <key>NSTemporaryExceptionMinimumTLSVersion</key>
                <string>TLSv1.1</string>
                <key>NSTemporaryExceptionRequiresForwardSecrecy</key>
                <false/>
            </dict>
        </dict>
    </dict>
    <key>NSCameraUsageDescription</key>
    <string>$(PRODUCT_NAME) camera use</string>
    <key>NSLocationAlwaysUsageDescription</key>
    <string>    </string>
    <key>NSLocationWhenInUseUsageDescription</key>
    <string>    </string>
    <key>NSPhotoLibraryUsageDescription</key>
    <string>$(PRODUCT_NAME) uses photos</string>
    <key>UIAppFonts</key>
    <array>
        <string>OpenSans-Regular.ttf</string>
        <string>OpenSans-Bold.ttf</string>
        <string>OpenSans-Semibold.ttf</string>
        <string>OpenSans-Light.ttf</string>
        <string>OpenSans-LightItalic.ttf</string>
    </array>
    <key>UIBackgroundModes</key>
    <array>
        <string>remote-notification</string>
    </array>
    <key>UIRequiredDeviceCapabilities</key>
    <array>
        <string>armv7</string>
    </array>
    <key>UIRequiresFullScreen</key>
    <true/>
    <key>UISupportedInterfaceOrientations</key>
    <array>
        <string>UIInterfaceOrientationPortrait</string>
    </array>
    <key>UISupportedInterfaceOrientations~ipad</key>
    <array>
        <string>UIInterfaceOrientationPortrait</string>
    </array>
</dict>
</plist>

I fix my add exeptiondomain but have this error in console

NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802) –

Edit from suggestion. I change my plist to

<key>mobile.singpost.com</key>
            <dict>
                <key>NSIncludesSubdomains</key>
                <true/>
                <key>NSExceptionAllowsInsecureHTTPLoads</key>
                <true/>
                <key>NSExceptionMinimumTLSVersion</key>
                <string>TLSv1.1</string>
                <key>NSExceptionRequiresForwardSecrecy</key>
                <false/>
            </dict>
            <key>mysam.sg</key>
            <dict>
                <key>NSIncludesSubdomains</key>
                <true/>
                <key>NSExceptionAllowsInsecureHTTPLoads</key>
                <true/>
                <key>NSExceptionMinimumTLSVersion</key>
                <string>TLSv1.1</string>
                <key>NSExceptionRequiresForwardSecrecy</key>
                <false/>
            </dict>

Answer

breakingobstacles picture breakingobstacles · Nov 16, 2016

By specifying NSAllowsArbitraryLoadsInWebContent, you are overriding NSAllowsArbitraryLoads on iOS 10.

In iOS 10 and later, and macOS 10.12 and later, the value of [the NSAllowsArbitraryLoads] key is ignored if any of the following keys are present in your app’s Info.plist file:

  • NSAllowsArbitraryLoadsForMedia
  • NSAllowsArbitraryLoadsInWebContent
  • NSAllowsLocalNetworking

Source: App Transport Security dictionary primary keys (Apple)

Additionally, the NSExceptionDomain dictionaries you have provided don't seem to match the current documented format. Specifically, the keys don't match:

  • NSTemporaryExceptionAllowsInsecureHTTPLoads should be NSExceptionAllowsInsecureHTTPLoads

  • NSTemporaryExceptionMinimumTLSVersion should be NSExceptionMinimumTLSVersion

  • NSTemporaryExceptionRequiresForwardSecrecy should be NSExceptionRequiresForwardSecrecy

Related questions

Transport security has blocked a cleartext HTTP

What setting do I need to put in my info.plist to enable HTTP mode as per the following error message? Transport security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured …

Read More
Xcode error: Code signing is required for product type 'Application' in SDK 'iOS 10.0'

I have Xcode 8 installed on OS X El Capitan. I get this error: Signing for "target" requires a development team. Select a development team in the project editor. Code signing is required for product type 'Application' in SDK 'iOS 10.0'

Read More
Hide strange unwanted Xcode logs

When using the Xcode 8+ and creating a new blank project, the following logs appear when running the application: 2016-06-13 16:33:34.406093 TestiOS10[8209:100611] bundleid: com.appc.TestiOS10, enable_level: 0, persist_level: 0, propagate_with_activity: 0 2016-06-13 16:33:34.406323 TestiOS10[8209:100607] Created DB, header sequence number = 248 2016…

Read More