Does App Store Reject Submission If NSAllowsArbitraryLoads Set to YES

Does App Store reject submission if NSAllowsArbitraryLoads set to YES?

UPDATE: Apple will reject Apps not conforming to ATS after the end of Dec 2016.

Source

However, if you need to load an http:// resource only in web (UIWebView/WKWebView/SafariViewController), then the following should suffice.

NOTE: This key is available only from iOS 10.

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoadsInWebContent</key>
    <true/>
</dict>

Setting NSAllowsArbitraryLoads in iOS 9 - Will Apple reject the app?

Update:

Apple announced that iOS apps have until January 1, 2017, to enable App Transport Security.

So, if you plan to submit an app to the App Store after 2017, please turn on ATS.

Also, see this link

====== Old answer=====

My experience:

I submitted my app on 9/17/2015, and it passed the App Store review process and was successfully released.

Here is the info.plist screenshot of my app.
Sample Image

So, I do not think Apple will reject the app for this reason for now.

Update:

My new app passed the Apple review process on 10/30/2015 with this key set to YES.

Can I publish my app to App store without https?

If you are using HTTP, there is no reason to worry. Just place NSAllowsArbitraryLoads into your Info.plist file.

There is so much misleading information available. But as per my experience, it's more preferred & compulsory to place the NSAllowsArbitraryLoads whether you are using HTTP or HTTPS.

Important Note:

  • I have worked with both types of connections, HTTP and HTTPS, and in both cases I add NSAllowsArbitraryLoads to Info.plist. I have never faced any sort of rejection due to it, so I am suggesting you do the same.

Hope this helps everyone.

Transport security has blocked a cleartext HTTP

If you are using Xcode 8.0+ and Swift 2.2+ or even Objective C:

Sample Image

If you want to allow HTTP connections to any site, you can use these keys:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

If you know which domains you will connect to, add:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>example.com</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <key>NSIncludesSubdomains</key>
            <true/>
        </dict>
    </dict>
</dict>

Why does one have to add `NSAppTransportSecurity` and add the `NSAllowsArbitraryLoads` key to `YES`?

App Transport Security was introduced with iOS 9 as an additional security feature when connecting your app to the web.

From Apple's documentation:

App Transport Security is a feature that improves the security of
connections between an app and web services. The feature consists of
default connection requirements that conform to best practices for
secure connections. Apps can override this default behavior and turn
off transport security.

One of the requirements is that all connections have to use HTTPS. This is why all connections that only use HTTP will fail on iOS 9.

If you are using a service that is not available via HTTPS, you can still use it by overriding the App Transport Security. That's what the NSAppTransportSecurity dictionary in your Info.plist file is for. There you can define which App Transport Security requirement you wish to override.

For example, NSAllowsArbitraryLoads disables all security requirements for any domains. You can define exceptions in the NSExceptionDomains dictionary, but if you don't do that, all domains will be allowed to connect to your app without App Transport Security.

When you want to connect to a single domain that does not use HTTPS, you should not use NSAllowsArbitraryLoads because that disables all the security for all domains. Instead, you should specifically override the HTTPS requirement for this one domain only.

You can do that like this in your Info.plist file:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>yourdomain.com</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
</dict>

To sum things up: App Transport Security is a good thing, because it encourages you to use HTTPS connections which are more secure than ordinary HTTP connections. Because you cannot always use HTTPS it offers you the opportunity to allow insecure connections. It is good practice to use these security overrides only exactly where you need them.

Displaying web images valid excuse for using NSAllowsArbitraryLoads?

Although I cannot be certain what Apple will consider a valid reason (since they haven't started enforcing, so we have no information to go off of), having user driven content in the app seems like it would be one of those scenarios that would require the broader NSAllowsArbitraryLoads exception.

What I would recommend, in order to show Apple that you've done all that you can to secure any communication you can, would be to do the opposite of the most common technique. Normally, apps will leave ATS enabled (by leaving the default of NSAllowsArbitraryLoads as NO) while adding exception domains that disable ATS for certain domains. If I were you, I would do the opposite: set NSAllowsArbitraryLoads to YES, since you can't know what URLs might need ATS exceptions, then add exception domains for the domains that you control in the app (assuming there is some main server you get most of the app content from). This ensures communications with your server are secured using ATS standards, while all outside of the known servers will be exempt from ATS requirements. So turn ATS off, but turn it back on for domains in your control.

From this great article on some common ATS configurations, you can see how you would set things up this way ("Example C: ATS disabled, with some exceptions"):

Sample Image

To me, this would be a good sign to Apple that you are trying as much as possible to comply with the spirit of ATS.

How do I load an HTTP URL with App Transport Security enabled in iOS 9?

See Apple’s Info.plist reference for full details (thanks @gnasher729).

You can add exceptions for specific domains in your Info.plist:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>testdomain.com</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <key>NSExceptionRequiresForwardSecrecy</key>
            <true/>
            <key>NSExceptionMinimumTLSVersion</key>
            <string>TLSv1.2</string>
            <key>NSThirdPartyExceptionAllowsInsecureHTTPLoads</key>
            <false/>
            <key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
            <true/>
            <key>NSThirdPartyExceptionMinimumTLSVersion</key>
            <string>TLSv1.2</string>
            <key>NSRequiresCertificateTransparency</key>
            <false/>
        </dict>
    </dict>
</dict>

All the keys for each excepted domain are optional. The speaker did not elaborate on any of the keys, but I think they’re all reasonably obvious.

(Source: WWDC 2015 session 703, “Privacy and Your App”, 30:18)

You can also ignore all app transport security restrictions with a single key, if your app has a good reason to do so:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

If your app does not have a good reason, you may risk rejection:

Setting NSAllowsArbitraryLoads to true will allow it to work, but Apple was very clear in that they intend to reject apps who use this flag without a specific reason. The main reason to use NSAllowsArbitraryLoads I can think of would be user created content (link sharing, custom web browser, etc). And in this case, Apple still expects you to include exceptions that enforce the ATS for the URLs you are in control of.

If you do need access to specific URLs that are not served over TLS 1.2, you need to write specific exceptions for those domains, not use NSAllowsArbitraryLoads set to yes. You can find more info in the NSURLSession WWDC session.

Please be careful in sharing the NSAllowsArbitraryLoads solution. It is not the recommended fix from Apple.

— kcharwood (thanks @marco-tolman)
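
An added example, not part of the original answers: a Python check that reads the NSAppTransportSecurity dictionary of an Info.plist and reports which settings weaken ATS. It runs on a constructed plist using the "ATS off, back on for domains you control" layout described above. The domain names, the function name and the severity labels are assumptions made for this example.

```python
import plistlib

# Constructed Info.plist (domain names are placeholders): ATS off globally,
# back on for a domain the app controls, plus one HTTP-only exception.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
        <key>api.example.com</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key><false/>
            <key>NSIncludesSubdomains</key><true/>
        </dict>
        <key>legacy.example.net</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        </dict>
    </dict>
</dict>
</dict></plist>"""


def audit_ats(plist_bytes):
    """Return (severity, message) findings; severity labels are this example's own."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    arbitrary = ats.get("NSAllowsArbitraryLoads", False)
    if arbitrary:
        findings.append(("high", "NSAllowsArbitraryLoads is YES: ATS is off for unlisted domains"))
    if ats.get("NSAllowsArbitraryLoadsInWebContent", False):
        findings.append(("medium", "web content may load cleartext HTTP"))
    for domain, cfg in sorted(ats.get("NSExceptionDomains", {}).items()):
        scope = domain + (" and subdomains" if cfg.get("NSIncludesSubdomains") else "")
        if cfg.get("NSExceptionAllowsInsecureHTTPLoads", False):
            findings.append(("medium", f"{scope}: cleartext HTTP allowed"))
        elif arbitrary:
            findings.append(("info", f"{scope}: HTTPS required despite the global opt-out"))
        tls = cfg.get("NSExceptionMinimumTLSVersion", "TLSv1.2")
        if tls in ("TLSv1.0", "TLSv1.1"):
            findings.append(("medium", f"{scope}: minimum TLS lowered to {tls}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_ats(SAMPLE_PLIST):
        print(f"[{severity}] {message}")
```

Run against an app's built Info.plist in CI, a "high" finding with no matching "info" lines means the global opt-out is present without any domain being re-secured.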


