HTTPS in iOS

Source: Internet
Author: User

ATS (App Transport Security), which Apple presented at WWDC 15, is an important way for Apple to drive network communication security. In iOS 9 and OS X 10.11, network access that is not HTTPS is forbidden by default. Because such a push has a very wide impact, as a buffer we can add an NSAppTransportSecurity dictionary to Info.plist and set NSAllowsArbitraryLoads to YES in it to disable ATS, as shown below:

However, at WWDC 16, Apple said it would continue to tighten restrictions on plain HTTP access in iOS 10 and macOS 10.12. From January 1, 2017 onwards, all newly submitted apps are by default not allowed to use NSAllowsArbitraryLoads to bypass ATS restrictions. In other words, we had better ensure that all of the app's network requests are HTTPS-encrypted, or the app may run into trouble in review.

Regarding this WWDC 16 requirement, a few points need explaining:

  1. After three phone calls with Apple China technical support (the most recent on December 21, 2016), Apple headquarters has still not issued a notice enforcing the use of HTTPS, so the China side will continue to review apps by the previous standard (the latest news is that it has been delayed: https://developer.apple.com/news/?id=12212016b);
  2. By default our app can access HTTPS content whose encryption is strong enough (TLS v1.2 or above, AES-128 and SHA-2, ECDHE, and so on). This applies to all network requests, including NSURLSession, streaming media accessed through AVFoundation, WebView, and so on.
  3. You can still add NSAllowsArbitraryLoads set to YES to disable ATS completely, but if you do, you must explain when you submit the app why it needs to access non-HTTPS content. This option is a crude blanket switch, and apps that cannot give a valid reason will have a hard time passing review.
  4. Compared with using NSAllowsArbitraryLoads to open up all HTTP content, using NSExceptionDomains to open HTTP only for specific domain names (by setting NSExceptionAllowsInsecureHTTPLoads under the domain name) should be relatively easy to get through review. "The domain name you need to access is a third-party server and they have not adopted HTTPS" is one acceptable reason at review, but this should be done only for specific domain names rather than opening everything. If the server you access is your own, this reason may not pass.
  5. For web browsing and video playback, iOS 10 adds the new NSAllowsArbitraryLoadsInWebContent and NSAllowsArbitraryLoadsForMedia keys. Setting them to YES exempts UIWebView and WKWebView in your app, and online video played with AVFoundation, from ATS restrictions. Although this still needs to be explained at review time, it should be the preferred choice for most apps that use these features. The bad news is that these keys do not work in iOS 9.

To summarize:

  1. For API requests, using HTTPS is essentially mandatory, especially with your own server. This requires the back end to be upgraded to HTTPS as soon as possible. If you use a third-party API that does not support HTTPS, you need to add it to NSExceptionDomains and explain it when you submit for review.
  2. If the app only needs to support iOS 10 (which a company probably would not do), and lets users freely enter URLs to browse or plays online video or audio, just add NSAllowsArbitraryLoadsInWebContent and NSAllowsArbitraryLoadsForMedia and switch the components to UIWebView or WKWebView and the player in AVFoundation. If you still need to support iOS 9 and need access to web pages and videos, you may have no choice but to turn on NSAllowsArbitraryLoads, explain it at submission, and leave it to the Apple reviewer whether it passes.
  3. It should be noted specifically that when NSAllowsArbitraryLoads is present together with NSAllowsArbitraryLoadsInWebContent or NSAllowsArbitraryLoadsForMedia, the behavior differs by system version. Simply put, iOS 9 looks only at NSAllowsArbitraryLoads, while iOS 10 gives priority to the InWebContent and ForMedia keys. In iOS 10, if the latter two exist, NSAllowsArbitraryLoads is ignored in the relevant part; if they do not exist, the NSAllowsArbitraryLoads setting is followed.
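
The precedence rule in point 3 and the per-domain exceptions from the earlier list can be checked mechanically before submission. The following Python script is an added example, not code from the original article: it parses a constructed Info.plist and reports, per iOS version and request context, whether plain HTTP is permitted under the rules as this article describes them (a simplified model, not Apple's implementation; the host names and function names are assumptions).

```python
import plistlib

# Constructed Info.plist for illustration; the domain is a placeholder.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSAllowsArbitraryLoadsInWebContent</key><true/>
    <key>NSAllowsArbitraryLoadsForMedia</key><false/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy-api.example.com</key>
      <dict><key>NSExceptionAllowsInsecureHTTPLoads</key><true/></dict>
    </dict>
  </dict>
</dict>
</plist>"""

# Keys added in iOS 10, mapped to the request context they govern.
SCOPED_KEYS = {"web": "NSAllowsArbitraryLoadsInWebContent",
               "media": "NSAllowsArbitraryLoadsForMedia"}

def load_ats(plist_bytes):
    """Return the NSAppTransportSecurity dictionary (empty if absent)."""
    return plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})

def cleartext_allowed(ats, ios_major, context, host):
    """context is 'api', 'web' or 'media'; True means plain HTTP is permitted."""
    domain = ats.get("NSExceptionDomains", {}).get(host, {})
    if domain.get("NSExceptionAllowsInsecureHTTPLoads", False):
        return True  # explicit per-domain exception
    scoped = SCOPED_KEYS.get(context)
    if ios_major >= 10 and scoped in ats:
        return bool(ats[scoped])  # iOS 10: scoped key wins over the global switch
    return bool(ats.get("NSAllowsArbitraryLoads", False))  # iOS 9, or no scoped key

def audit(plist_bytes, host="cdn.example.org"):
    """Map (ios_major, context) -> whether cleartext HTTP to host is permitted."""
    ats = load_ats(plist_bytes)
    return {(v, c): cleartext_allowed(ats, v, c, host)
            for v in (9, 10) for c in ("api", "web", "media")}
```

With this sample, media requests to an unlisted host are allowed over HTTP on iOS 9 but blocked on iOS 10, which is the version-dependent difference point 3 warns about.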

Finally, the development work that may be involved on the iOS client side falls into several types:

    • Background interface;
    • Picture, voice and other resource class files (usually configured to the CDN server);
    • WebView;
    • Client third-party SDK, such as Friends League, music, Baidu and so on.
    • Hard-coded URL link.

The pie chart below shows the share of iOS versions in use, which can be checked at any time on Apple's official website: https://developer.apple.com/support/app-store/

