All geek questions in one place

Disable application transport security in Xcode 9.2?

I cannot disable Application Transport Security (ATS) in Xcode 9.2. I (for many years) disabled ATS when starting builds against my local server environment.

<key>NSAppTransportSecurity</key> <dict> <key>NSAllowsArbitraryLoads</key> <true/> </dict>

In Xcode 9.2, a simple request (runs against a local Rails application in http mode):

  let session = URLSession(configuration: .default) let url = URL(string: "http://store.dev/api/products.json")! let task = session.dataTask(with: url) { data, response, error in print(data) print(response) print(error) } task.resume()

with error message

Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={_kCFStreamErrorCodeKey=-9802, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x60c00024afb0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://store.dev/api/products.json, NSErrorFailingURLStringKey=https://store.dev/api/products.json, _kCFStreamErrorDomainKey=3}

This exact request (the same project) succeeds in Xcode 9.1.

In both cases, I build against the goal of deploying iOS 11.1. You can see that Xcode is changing the URL from http to https, which I don't want.

Here is a link to a super base project that works in Xcode 9.1, but with an error in 9.2 ( https://github.com/chrismanderson/ats-sample ).

I also tried disabling ATS only for the local store.dev domain, and again it works on Xcode 9.1, but not on 9.2.

+5
source share
2 answers

I did not initially put this together, but I think what happens with the fact that with iOS 11 Apple supports HSTS . I believe that the support of HSTS preload lists in conjunction with the recently published Google addition of .dev TLD to the HSTS preload list probably triggers an iOS attempt to force you to use https, which does not work (I missed that you are trying to use a local domain. dev for testing, which is really a key element here).

I think your only solution is to change your local test domain to something other than the .dev domain. If you do this, you can connect and it will not try to force you to use https in your local local environment.

In short, Google obtained the rights to the .dev top-level domain and recently added it to the HSTS pre-boot list in order to force communication with .dev domains. On devices that support HSTS preload lists, this will redirect all traffic through HTTPS, which will cause errors on servers that do not support HTTPS.

+5
source

In the navigator on the left side of the screen in Xcode, click the main project file, in which all files and folders are stored. Click on the "Information" tab. In the "Custom properties of iOS targets" section, you used the option to change application transport security (ATS) settings. This is not explicitly stated, but is still available.

When you hover over options, you should see + in a small circle. Press here. Xcode will prompt you to create an "application category". In the list that appears, scroll up and select "Transport Application Security Settings".

Click on this option. After this is created, it will prompt you to change the BOOL value (the default should be "NO"). In the far right corner you should see a set of up and down arrows. Click on this to change BOOL to Yes.

-1
source

Source: https://habr.com/ru/post/1273900/

More articles:


All Articles