App Transport Security needs better local network handling
Originator: squarefrog
Number: rdar://26913661
Date Originated: 2016-06-21
Status: Open
Resolved:
Product:
Product Version:
Classification:
Reproducible: Always
Summary: With the announcement that ATS will be required from 1 Jan 2017, I implore you to visit how this will affect local networks. Many UPnP/DLNA devices (Sonos, Philips Hue, WiFi Hard Drives) make insecure network calls on the local network. It is not possible or necessary to retrofit HTTPS/TLS into these existing products. Therefore the only option is to set `NSAllowsArbitraryLoads = true` to disable ATS.

Suggestion: Introduce a key `NSAllowsArbitraryLoadsLocalNetworkOnly`. When this key is set to true, it allows unencrypted http communication between devices on the same local network (IPv4 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 and IPv6 fd00::/8, and 127.0.0.1 for development purposes).

Steps to Reproduce: Use any UPnP/DLNA application

Expected Results: Functionality should work as expected, while still allowing ATS to be used for external calls.

Actual Results: ATS must be disabled to make the insecure local calls.

Version: 9.3.2 (13F69)

Notes:

Configuration: Any iOS device
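The policy proposed in the suggestion above, modelled as an added example that is not part of the original report and not Apple's implementation: HTTPS is always allowed, cleartext HTTP only to IP literals inside the listed ranges. The function names and sample URLs are constructed for illustration, and rejecting hostnames (rather than resolving them) is an assumption of this sketch.

```python
import ipaddress
from urllib.parse import urlsplit

# Address ranges exactly as listed in the report's suggestion.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fd00::/8", "127.0.0.1/32")]


def is_local_literal(host):
    """True only if host is an IP literal inside one of the listed ranges."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Assumption: a hostname is never treated as local, because the
        # answer to a DNS lookup can be influenced from outside the LAN.
        return False
    # Judge an IPv4-mapped IPv6 literal (::ffff:a.b.c.d) as its IPv4 address.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net for net in LOCAL_NETS)


def load_allowed(url):
    """HTTPS always passes; cleartext HTTP passes only to a local IP literal."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        return True
    if parts.scheme != "http" or parts.hostname is None:
        return False
    return is_local_literal(parts.hostname)


if __name__ == "__main__":
    # Constructed sample URLs, not taken from any real device.
    for url in ("http://192.168.1.20:1400/xml/device_description.xml",
                "http://[fd00::1]/description.xml",
                "http://172.32.0.1/",
                "http://example.com/",
                "https://example.com/"):
        print(f"{'allow' if load_allowed(url) else 'block':5}  {url}")
```

Link-local addresses (169.254.0.0/16, fe80::/10) are blocked here only because the report's list does not include them.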
Comments
squarefrog
Confirmed in iOS 10, there is no way to disable ATS for Local Network only.
Apple Developer Relations
Please verify this issue with the latest iOS beta build and update your bug report at https://bugreport.apple.com/ with your results.
iOS 10 beta (Build: 14A5261v) https://developer.apple.com/download/