Skip to content

Instantly share code, notes, and snippets.

@mlynch
Last active August 6, 2023 07:31
Show Gist options
  • Save mlynch/284699d676fe9ed0abfa to your computer and use it in GitHub Desktop.
Save mlynch/284699d676fe9ed0abfa to your computer and use it in GitHub Desktop.
Disable App Transport Security in iOS 9
<!--
This disables app transport security and allows non-HTTPS requests.
Note: it is not recommended to use non-HTTPS requests for sensitive data. A better
approach is to fix the non-secure resources. However, this patch will work in a pinch.
To apply the fix in your Ionic/Cordova app, edit the file located here:
platforms/ios/MyApp/MyApp-Info.plist
And add this XML right before the end of the file inside of the last </dict> entry:
PASTE HERE
</dict>
</plist>
-->
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key><true/>
</dict>
@mirkonasato
Copy link

Hopefully at some point this should be handled by the Cordova whitelist plugin, right?

@tal-moshayov
Copy link

is there a way to put this code in the config.xml rather than plist? I understand it's best practice not to include the platform folder under source control

@leokrlewis
Copy link

Thanks this fixed the issue for my app which I simply allow users to specify a website they want to go to nothing more.

@simonprickett
Copy link

I achieve similar to the suggested hook by using this as an iOS before build step (configured using a hook element in config.xml):

#!/bin/bash

echo "Adjusting plist for App Transport Security exception."
val=$(/usr/libexec/plistbuddy -c "add NSAppTransportSecurity:NSAllowsArbitraryLoads bool true" platforms/ios/MyProject/MyProject-Info.plist 2>/dev/null)
echo "Done"

Doesn't require external dependencies as plistbuddy is already installed. I have to capture the return value of plistbuddy as if the key exists already it will return with an error which stops the Cordova build process which isn't what you want.

@iRoachie
Copy link

Does not seem to work for me. Still stuck on the splash screen.

@timothydang
Copy link

agreed with @hammady's comment above. There's a real risk getting rejected by Apple setting NSAllowsArbitraryLoads to true

Try this instead

<key>NSExceptionDomains</key>
  <dict>
    <key>localhost</key>
    <dict>
      <key>NSIncludesSubdomains</key>
      <false/>
      <key>NSExceptionAllowsInsecureHTTPLoads</key>
      <false/>
      <key>NSExceptionRequiresForwardSecrecy</key>
      <true/>
      <key>NSExceptionMinimumTLSVersion</key>
      <string>TLSv1.2</string>
      <key>NSThirdPartyExceptionAllowsInsecureHTTPLoads</key>
      <false/>
      <key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
      <true/>
      <key>NSThirdPartyExceptionMinimumTLSVersion</key>
      <string>TLSv1.2</string>
      <key>NSRequiresCertificateTransparency</key>
      <false/>
    </dict>
  </dict>

@ashconnell
Copy link

There is no risk of getting rejected by using a public API option. In the future they might make it mandatory but for now its fine.

@rajeshwarpatlolla
Copy link

After adding the patch into my ionic app, i am always getting an error error: process launch failed: timed out trying to launch app when i try to run ionic run ios --device. If i don't include the patch then i am able to install the app in to the real device successfully, but the api calls are not working because of the transport security (https) issues.

@weexpectedTHIS
Copy link

Thanks for the work-around but there should be a better way by now!

@camaleo
Copy link

camaleo commented Oct 7, 2015

It works for me: thank you!

@jayrmotta
Copy link

Although some say not to use arbitrary loads set to true I've faced many problems like pointing to an image on an external host (ssl enabled) that returned an error probably because of the version of ssl or something like that.

Even developers on apple's forums say that the soluction is enabling arbitrary loads: https://forums.developer.apple.com/thread/4988

I'm following @djett41 tip, added that hook to my project and the <dict> and now everything is working. Thanks for that 👍

@TheMattRay
Copy link

Quick update: it looks like arbitrary loads is now enabled in the latest Ionic. I just did a platform remove and platform add of ios and, after building, the dictionary for this patch was in the plist file. Can someone else confirm this? The changelog has become fairly outdated.

@ZenSide
Copy link

ZenSide commented Nov 30, 2015

Following @TheMattRay, using 1.1.1 Ionic version had do the work for me : allowing arbitrary loads by edit of *-Info.plist on iOS build.

@NurdinDev
Copy link

screen shot 2015-12-23 at 13 48 30

i have like this issue who fix this ?

@amaanr
Copy link

amaanr commented Mar 13, 2016

Please see error log below, not sure what this means. It happens when I call the geolocation event a second time. On app load, it fires and returns the geolocation correctly however.

Mar 12 18:11:12 C02QJA6VG8WP ids_simd[7977]: (Error) IDSSimulatorSupport: <IDSSimSupportLocalServer.m __68-[IDSSimSupportLocalServer setNetworkSimulation:enabled:completion:]_block_invoke:561> message send of data { ControlCmd = SetNetSimulationEnabledCmd; Enabled = 0; ServiceName = "com.apple.private.alloy.sockpuppet.classd"; } failed with error Error Domain=com.apple.idssimualtorsupport.errors Code=2 "(null)" UserInfo={NSUnderlyingError=0x7fa318605870 {Error Domain=NSMachErrorDomain Code=268435459 "(ipc/send) invalid destination port"}} Mar 12 18:11:12 C02QJA6VG8WP companionappd[7983]: (Error) WatchKit: <SPTransport.m __67-[SPTransport service:account:identifier:didSendWithSuccess:error:]_block_invoke:430> __67-[SPTransport service:account:identifier:didSendWithSuccess:error:]_block_invoke identifier (861176EA-8C17-480C-B3D6-2343311CE521), serviceName ((null)), success: 0 error, domain: com.apple.identityservices.error, code: 23 Mar 12 18:11:12 C02QJA6VG8WP sharingd[7988]: 18:11:12.480 : Failed to send SDURLSessionProxy startup message, error Error Domain=com.apple.identityservices.error Code=23 "Timed out" UserInfo={NSLocalizedDescription=Timed out, NSUnderlyingError=0x7ffcdac23440 {Error Domain=com.apple.ids.idssenderrordomain Code=12 "(null)"}} Mar 12 18:11:12 C02QJA6VG8WP companionappd[7983]: (Error) WatchKit: <SPCompanionAppServer.m __75-[SPCompanionAppServer sendProtobuf:sender:timeOut:allowInsecureTransport:]_block_invoke:900> sendProtobuf failed, error : Error Domain=com.apple.identityservices.error Code=23 "Timed out" UserInfo={NSLocalizedDescription=Timed out, NSUnderlyingError=0x7f94d3200ca0 {Error Domain=com.apple.ids.idssenderrordomain Code=12 "(null)"}} Mar 12 18:11:12 C02QJA6VG8WP companionappd[7983]: (Error) WatchKit: <SPTransport.m __67-[SPTransport service:account:identifier:didSendWithSuccess:error:]_block_invoke:430> __67-[SPTransport service:account:identifier:didSendWithSuccess:error:]_block_invoke identifier (BE95B243-9493-44FF-AF82-8A550712C77E), serviceName ((null)), success: 0 error, domain: com.apple.identityservices.error, code: 23 Mar 12 18:11:12 C02QJA6VG8WP companionappd[7983]: (Error) WatchKit: <SPCompanionAppServer.m __75-[SPCompanionAppServer sendProtobuf:sender:timeOut:allowInsecureTransport:]_block_invoke:900> sendProtobuf failed, error : Error Domain=com.apple.identityservices.error Code=23 "Timed out" UserInfo={NSLocalizedDescription=Timed out, NSUnderlyingError=0x7f94d1f00520 {Error Domain=com.apple.ids.idssenderrordomain Code=12 "(null)"}}

@arcreative
Copy link

Anyone know how to get NSExceptionRequiresForwardSecrecy to false without editing by hand? This is absoludicrous, I keep publishing unusable builds because my *-Info.plist keeps getting wiped out every build...

@arcreative
Copy link

And for the record, I have it under NSExceptionDomains so I can choose which one is acceptable for now.

@arcreative
Copy link

@simonprickett's solution is working for me, cheers 🍻

@kittykumas
Copy link

I tried all above methods with no luck. Please help!
The weirdest part is the xcode keep automatic change all the keys name by itself, I open the info. plist file side by side with xcode view. it shows different entries on the key. xcode keep omit "NS" and add "setting" in the end. Xcode version is 7.3.1
ats_xcode731

@matheusleite
Copy link

I don't have success 😢 I have tried everything but my API requests don't work on iOS.

@royken
Copy link

royken commented May 18, 2017

same issue with me, this is my code :
$http.get(my.api.com).then(function(response) { console.log("fresh", JSON.stringify(response)); }, function(error) { console.log(error); })
it returns good value on android (emulator and device), on navigators, but not on iOS. It instead return a null value as data and no error is logged

@purn3ndu
Copy link

purn3ndu commented May 19, 2017

@matheusleite and @royken. I am facing the same issue using Ionic. Did you guys find a work around?
For me the http requests work if I start a new project, but does not work for my old projects. Everything works in the old projects except for http requests. I have tried reinstalling the cordova whitelist plugin but no luck. Have been trying to solve this for a few days now. Seems like all went south after the ionic 3 upgrade. :/

@royken
Copy link

royken commented May 20, 2017

@purnendu91 i'm still on ionic 1, and still have the same issue. My api does not work on iOS 10

Cordova CLI: 6.5.0 
Ionic CLI Version: 2.1.17
Ionic App Lib Version: 2.1.7
ios-deploy version: 1.9.1 
ios-sim version: 5.0.13 
OS: macOS Sierra
Xcode version: Xcode 8.2 Build version 8C38

@zubair1024
Copy link

I have tried all the methods above and still haven't been able to solve the issue.

@nourallahtq
Copy link

thanks man you help me 👍

@MrRavalB
Copy link

I have the same issue, please provide Solution...

@manuelphdev
Copy link

Same issue here

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment