Transport Security has Blocked a cleartext HTTP

What setting do I need to put in my Info.plist to enable HTTP mode, as per the error message:

Transport security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file.



StackOverflow

You have to set the NSAllowsArbitraryLoads key to YES under the NSAppTransportSecurity dictionary in your .plist file. Hope this helps!

Plist configuration



This is a quick workaround (but not recommended) to add this in the plist:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

Which means (according to Apple's documentation):

NSAllowsArbitraryLoads A Boolean value used to disable App Transport Security for any domains not listed in the NSExceptionDomains dictionary. Listed domains use the settings specified for that domain.

The default value of NO requires the default App Transport Security behaviour for all connections.

I really recommend links:

which help me understand reasons and all the implications.

The XML (in Info.plist) below will:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <false/>
    <key>NSExceptionDomains</key>
    <dict>
        <key>PAGE_FOR_WHICH_SETTINGS_YOU_WANT_TO_OVERRIDE</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
</dict>

disallow arbitrary calls for all pages, but for PAGE_FOR_WHICH_SETTINGS_YOU_WANT_TO_OVERRIDE it will allow connections to use the HTTP protocol.

To the xml above you can add:

<key>NSIncludesSubdomains</key>
<true/>

if you want to allow insecure connections for the subdomains of the specified address.

The best approach is to block all arbitrary loads (set to false) and add exceptions to allow only addresses we know are fine.

For interested readers



Tested and working on iOS 9 GM seed - this is the configuration to allow a specific domain to use HTTP instead of HTTPS:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <false/>
    <key>NSExceptionDomains</key>
    <dict>
        <key>yourdomain.com</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <key>NSTemporaryExceptionMinimumTLSVersion</key>
            <string>TLSv1.1</string>
        </dict>
    </dict>
</dict>

NSAllowsArbitraryLoads must be false because it disallows all insecure connections, but the exceptions list allows connections to some domains without HTTPS.



It works for me too, just copy and paste into your Info.plist:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <false/>
    <key>NSExceptionDomains</key>
    <dict>
        <key>yourdomain.com</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <key>NSTemporaryExceptionMinimumTLSVersion</key>
            <string>TLSv1.1</string>
        </dict>
    </dict>
</dict>


Transport security is available on iOS 9.0 or later. You may have this warning when trying to call a WS inside your application.

"Application Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file."

Adding the following to your Info.plist will disable ATS:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>


PList Screenshot to understand better

Add a new item NSAppTransportSecurity in the plist file with type Dictionary, then add a sub-item NSAllowsArbitraryLoads of type Boolean in the dictionary, and set the bool value to YES. This works for me, hope it works for you guys... Cheers!



For those of you who want more context on why this is happening, in addition to how to fix it, read below.

With the introduction of iOS 9, to improve the security of connections between an app and web services, secure connections between an app and its web service must follow best practices. The best practices behavior is enforced by the App Transport Security to:

  • prevent accidental disclosure, and
  • provide a default behavior that is secure.

As explained in the App Transport Security Technote, when communicating with your web service, App Transport Security now has the following requirements and behavior:

  • The server must support at least Transport Layer Security (TLS) protocol version 1.2.
  • Connection ciphers are limited to those that provide forward secrecy (see the list of ciphers below.)
  • Certificates must be signed using a SHA256 or better signature hash algorithm, with either a 2048 bit or greater RSA key or a 256 bit or greater Elliptic-Curve (ECC) key.
  • Invalid certificates result in a hard failure and no connection.

In other words, your web service request should: a.) use HTTPS and b.) be encrypted using TLS v1.2 with forward secrecy.

However, as was mentioned in other posts, you can override this new behavior from App Transport Security by specifying the insecure domain in the Info.plist of your app.


To override, you will need to add the NSAppTransportSecurity > NSExceptionDomains dictionary properties to your Info.plist. Next, you will add your web service's domain to the NSExceptionDomains dictionary.

For example, if I want to bypass the App Transport Security behavior for a web service on the host www.yourwebservicehost.com then I would do the following:

  1. Open your app in Xcode.

  2. Find the Info.plist file in Project Navigator and "right-mouse" click on it and choose the Open As > Source Code menu option. The property list file will appear in the right pane.

  3. Put the following properties block inside of the main properties dictionary (under the first <dict>).


<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>www.yourwebservicedomain.com</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <key>NSExceptionMinimumTLSVersion</key>
            <string>TLSv1.1</string>
            <key>NSIncludesSubdomains</key>
            <true/>
        </dict>
    </dict>
</dict>

If you need to provide exceptions for additional domains then you would add another dictionary property beneath NSExceptionDomains.

To find out more about the keys referenced above, read this already mentioned technote.



In Xcode 7 we need to do it like this:

In Info.plist, add NSAppTransportSecurity as a Dictionary, with a child NSAllowsArbitraryLoads as a Boolean with its value set to YES.



<key>NSAppTransportSecurity</key>  
<dict>  
     <key>NSAllowsArbitraryLoads</key><true/>  
</dict>

Add this code into Info.plist.



On 2015.9.25.Fri

(after the Xcode updates on 2015.9.18.Fri)

I used the non-lazy method, but it didn't work. The following are my tries.

first,

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>www.xxx.yyy.zzz</key>
        <dict>
            <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <key>NSTemporaryExceptionMinimumTLSVersion</key>
            <string>TLSv1.1</string>
            <key>NSIncludesSubdomains</key>
            <true/>
        </dict>
    </dict>
</dict>

and second,

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>www.xxx.yyy.zzz</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <key>NSExceptionMinimumTLSVersion</key>
            <string>TLSv1.1</string>
            <key>NSIncludesSubdomains</key>
            <true/>
        </dict>
    </dict>
</dict>

Finally, I used the lazy method.

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

It might be a little insecure, but I couldn't find other solutions.



Like many have noted, this is a feature issue that comes with iOS 9.0. They have added a thing called App Transport Security, and I too was annoyed when it broke my apps. You can bandage it by setting the NSAllowsArbitraryLoads key to YES under the NSAppTransportSecurity dictionary in your .plist file, but ultimately you will need to rewrite the code that forms your URLs to use the HTTPS:// prefix. Apple has rewritten the NSURLConnection class in iOS 9.0. You can read about it here: https://developer.apple.com/library/prerelease/ios/documentation/Cocoa/Reference/Foundation/Classes/NSURLConnection_Class/index.html#//apple_ref/doc/uid/TP40003755 Otherwise, you may have to back out of iOS 9.0 until you have time to implement the correct solution.



Figuring out what settings to use can be performed automatically, as mentioned in this technote:

/usr/bin/nscurl --ats-diagnostics --verbose https://your-domain.com


It may be worth mentioning how to get there.

Info.plist is one of the files below Main.storyboard or viewController.swift.

When you click on it for the first time it is usually in a table format, so right-click the file, choose 'Open As' Source Code, and then add the code below towards the end, i.e.

 <key>NSAppTransportSecurity</key><dict><key>NSAllowsArbitraryLoads</key><true/></dict>

Copy and paste the code just above

 "</dict>
</plist>"

which is at the end.



I was adding the security check in tests info.plist. Adding the security check in main info.plist solved the problem :)



Update for Xcode 7.1, facing the problem on 27.10.15:

The new value in the Info.plist is "App Transport Security Settings". From there, this dictionary should contain:

  • Allow Arbitrary Loads = YES
  • Exception Domains (insert here your http domain)

Hope this helps you.



For me, adding NSAppTransportSecurity and NSExceptionDomains directly into the Info.plist file via the standard Xcode editor did not work. (Adding it to the file in a textedit in the style mentioned above did work fine.)

After adding it via the textedit, Info.plist looks like this:

Therefore, I think you have to type these words into Info.plist if you do it directly in Xcode. These words ("App Transport ..." and "Exception Do ..") are also suggested by Xcode if you begin to type them into the text field.

Please correct me if my assumption is wrong.



I do not like editing the plist directly. You can easily add it to the plist using the GUI:

  • Click on the Info.plist in the Navigator on the left.
  • Now change the data in the main area:

    • On the last line add the +
    • Enter the name of the group: App Transport Security Settings
    • Right click on the group and select Add Row
    • Enter Allow Arbitrary Loads
    • Set the value on the right to YES

Example



Here are the settings visually:

visual settings for NSAllowsArbitraryLoads in info.plist via Xcode GUI



Development Example

Here is a screenshot of a plist which keeps ATS intact (=secure) but allows that connections to localhost can be made via HTTP instead of HTTPS. Works in Xcode 7.1.1




I have added the following in info.plist (Xcode 7.1)




Best just to go into Plist file within Xcode and:

  1. Select/Create "App Transport Security Settings"
  2. Add "Allow Arbitrary Loads" and Change Boolean from NO to YES


Viewed : 178984
Asked : July 6, 2015, 12:00 am
