Modify Info.plist

baik · January 20, 2016, 3:01pm

Hi

does anybody know how to add automaticaly a key (in my case is NSAppTransportSecurity) to Info.plist in a IOS App ?
I must use a template or it is via project.xml ?

Thanks you

singmajesty · January 20, 2016, 10:29pm

You must do this using a template right now, I believe, but I’m interested in hearing ideas for improving iOS extension support to allow support without overriding templates

aWaKeNiNG · January 21, 2016, 12:01pm

It is curious. I need to modify the NSAppTransportSecurity too, because ios is reporting me the error:

App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file.

It would be great to edit directly from the project.xml. But the template solution could be valid right now.

baik · January 21, 2016, 2:55pm

I’m very interrest too !

Thantks for your reply.

singmajesty · January 21, 2016, 8:12pm

Do you think this should be in the standard Info.plist template file we use? Are there negative effects to adding this?

baik · January 22, 2016, 3:12pm

If you don’t put it while you target ios 9.2, the app will crash instantly if you access to a file (image,video,…) in http.

singmajesty · January 23, 2016, 5:40pm

Does someone want to do a pull request?

aWaKeNiNG · January 23, 2016, 8:07pm

Ok. This week i will try to do it.

We have two ways to avoid this. In a general form:

<key>NSAppTransportSecurity</key>  
     <dict>  
          <key>NSAllowsArbitraryLoads</key><true/>  
     </dict>

And a custom form, where the user can add multiple domains:

<key>NSAppTransportSecurity</key>
<dict>
	<key>NSAllowsArbitraryLoads</key>
	<false/>
	<key>NSExceptionDomains</key>
	<dict>
		<key>WWW.DOMAIN.COM</key>
		<dict>
			<key>NSExceptionAllowsInsecureHTTPLoads</key>
			<true/>
		</dict>
	</dict>
</dict>

The first way would be the easy way. But i don’t know if Apple looks favorably that.
I’m using the second way right now.

What do you think?

singmajesty · January 24, 2016, 5:32am

Perhaps the issue is more about security for the application itself, not regarding the phone. Whether you explicitly or implicitly allow access to some URL, I’m not sure if it affects Apple, more so the potential of insecure HTTPS connections and man-in-the-middle attacks trying to securely connect to a backend server. I don’t know

Does this setting affect any required permissions upon install, or anything else that’s noticeable? If not, it seems we might want a general wildcard access to URLs and then users can refine it to be more specific if they want

aWaKeNiNG · January 24, 2016, 7:13pm

Mmm, yes i’m agree about the security.

Ok, i have thought something like that:

<ios insecure-http-allowed="*"/>
or
<ios insecure-http-allowed="www.domain1.com|www.domain2.org"/>

The user can accept all domains or only custom domains, where it can contain multiple with the OR operator.

aWaKeNiNG · January 26, 2016, 10:38pm

PR created here