iOS - Apple App Transport Security (ATS) for Enterprise Application
I am developing an enterprise application. So far everything is working fine in the simulator, but when I deploy it on physical devices it crashes. The crash is happening because the app is connecting to web services via "http" instead of "https".
I have added ATS exceptions in the Info.plist file. I need to know whether the enterprise application will continue to work after 2016 (Apple's deadline) with http?
The application is hosted on our own servers, and Apple doesn't review enterprise applications.
Update 1: I need to know whether the enterprise application will continue to work after 2016 with ATS exceptions or not?
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleDisplayName</key>
    <string>xxxxxxxx</string>
    <key>CFBundleIdentifier</key>
    <string>com.xxxxxxx.xxx</string>
    <key>CFBundleShortVersionString</key>
    <string>1.0</string>
    <key>CFBundleVersion</key>
    <string>1.009</string>
    <key>LSRequiresIPhoneOS</key>
    <true/>
    <key>MinimumOSVersion</key>
    <string>9.0</string>
    <key>UIDeviceFamily</key>
    <array>
        <integer>2</integer>
    </array>
    <key>UILaunchStoryboardName</key>
    <string>launchscreen</string>
    <key>UIMainStoryboardFile</key>
    <string>main</string>
    <key>UIRequiredDeviceCapabilities</key>
    <array>
        <string>armv7</string>
    </array>
    <key>UISupportedInterfaceOrientations~ipad</key>
    <array>
        <string>UIInterfaceOrientationLandscapeLeft</string>
        <string>UIInterfaceOrientationLandscapeRight</string>
    </array>
    <key>UIMainStoryboardFile~ipad</key>
    <string>main</string>
    <key>UIAppFonts</key>
    <array>
        <string>fonts/montserrat-black.otf</string>
        <string>fonts/montserrat-bold.otf</string>
        <string>fonts/montserrat-extrabold.otf</string>
        <string>fonts/montserrat-regular.otf</string>
    </array>
    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSExceptionDomains</key>
        <dict>
            <key>http://xxxxxxx.xxxxx.xxx</key>
            <dict>
                <key>NSExceptionMinimumTLSVersion</key>
                <string>TLSv1.0</string>
                <key>NSExceptionRequiresForwardSecrecy</key>
                <false/>
                <key>NSExceptionAllowsInsecureHTTPLoads</key>
                <true/>
                <key>NSIncludesSubdomains</key>
                <true/>
            </dict>
        </dict>
    </dict>
</dict>
</plist>
For any Apple App Store submissions starting in 2017, you can still request an App Transport Security (ATS) exception to be reviewed by Apple. You need to highly restrict the exception list, and you are not allowed blanket arbitrary HTTP loads. Reviewers can still reject your submission and request additional information.
i.e. apps requesting government NOAA images on a non-secure channel might be allowed, since NOAA does not support HTTPS/SSL for weather radar images... but again, Apple reviewers...
WKWebView, UIWebView, WebView:
NSAllowsArbitraryLoadsInWebContent
Lets you have a strict ATS dictionary but still load arbitrary content in a web view (WKWebView, UIWebView, WebView).
Non-secure local networking:
NSAllowsLocalNetworking
Allows loading of local resources without disabling ATS for the rest of your app.
Media content that is encrypted:
NSAllowsArbitraryLoadsInMedia
Disables ATS restrictions for media that your app loads using the AV Foundation framework. Employ this key for loading media that is encrypted, such as files protected by FairPlay or secure HLS, and that does not contain personalized information.
Enterprise applications:
These are not Apple reviewed, so disabling ATS is allowed until a possible future version of iOS disallows non-secure traffic, but it is far from best practice.
- Enterprise data accessed non-securely?
If your enterprise app requires non-secure local network-based resources, use the new NSAllowsLocalNetworking exception instead.
If your enterprise app requires non-secure enterprise resources obtained on the public internet, you might have security issues beyond the scope of iOS App Transport Security issues.