ATS: NSAllowsLocalNetworking has side effects on remote networking

Originator: rocco.zanni
Number: rdar://29553627
Date Originated: 2016/12/07
Status: Open
Resolved:
Product: iOS + SDK
Product Version: 10.1.1
Classification:
Reproducible: Always
 
We noticed a weird side effect related to ATS configuration. This is the ATS-related section in the Info.plist file:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsLocalNetworking</key>
    <true/>
    <key>NSExceptionDomains</key>
    <dict>
        --- REDACTED ---
    </dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

Because our app displays images and plays audio files from 3rd party servers that we can neither control nor predict at build time, we chose to globally disable ATS and enable it using exceptions only for the domains we control or that we know we communicate with using HTTPS. While testing the app we noticed that downloading a file via NSURLSession.downloadTaskWithURL from a specific URL:

http://www.podtrac.com/pts/redirect.mp3/media.devchat.tv/iphreaks/iPS181_Swift_3_and_Swift_Migrations_with_Hesham_Salman.mp3

was triggering this ATS error: 

Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSErrorFailingURLStringKey=http://www.podtrac.com/pts/redirect.mp3/media.devchat.tv/iphreaks/iPS178_Swift_3_and_Swift_Migrations_with_Paul_Cantrell.mp3, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection., NSErrorFailingURLKey=http://www.podtrac.com/pts/redirect.mp3/media.devchat.tv/iphreaks/iPS178_Swift_3_and_Swift_Migrations_with_Paul_Cantrell.mp3}

This was weird because neither that domain nor any of the other domains involved in the redirects are in the ATS exception list, so ATS should be disabled and the download should work.

After some debugging we identified the issue in the presence of the NSAllowsLocalNetworking key in the Info.plist. That key was there because we thought it was needed for some development tools we use internally and we were not sure local network communication was already included in NSAllowsArbitraryLoads. Removing NSAllowsLocalNetworking from Info.plist fixed the issue. Before submitting this bug we also tried several times adding/removing that key, just to be sure we didn't hit a false positive.

Comments

This is expected and documented behavior. See https://developer.apple.com/library/content/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html

"NSAllowsLocalNetworking: If you set this key’s value to YES, then App Transport Security ignores the value of the NSAllowsArbitraryLoads key in iOS 10 and later and in macOS 10.12 and later. This behavior supports adoption of App Transport Security protections while allowing embedded browsers to continue working in iOS 9 and earlier and in OS X v10.11 and earlier. (To obtain this behavior, set the value of this key to YES and set the value of the NSAllowsArbitraryLoads key to YES as well.)"

If you'd like your app to allow arbitrary loads, you should use only the NSAllowsArbitraryLoads key. This will allow local networking as well, so the other key is unnecessary.
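
The precedence described in the documentation quoted above, as an added example (not code from the report or from Apple): a Python check that parses an Info.plist and reports whether plain-HTTP loads to a host are permitted on an OS that honors NSAllowsLocalNetworking versus one that does not. The sample plist, the `api.example.com` exception entry, the function names, and the exact-match-only exception lookup are assumptions made for illustration.

```python
import plistlib

# Constructed Info.plist modelled on the report; the exception domain is a placeholder.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsLocalNetworking</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>api.example.com</key>
      <dict><key>NSExceptionAllowsInsecureHTTPLoads</key><false/></dict>
    </dict>
    <key>NSAllowsArbitraryLoads</key><true/>
  </dict>
</dict></plist>"""

def load_ats(plist_bytes):
    """Return the NSAppTransportSecurity dictionary (empty if absent)."""
    return plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})

def arbitrary_loads_effective(ats, os_honors_local_networking):
    """Global HTTP allowance after the documented override is applied."""
    arbitrary = ats.get("NSAllowsArbitraryLoads", False) is True
    local = ats.get("NSAllowsLocalNetworking", False) is True
    if os_honors_local_networking and local:
        return False  # iOS 10+/macOS 10.12+: NSAllowsArbitraryLoads is ignored
    return arbitrary

def http_allowed(ats, host, os_honors_local_networking):
    """Simplified model: exact-match exception first, then the global setting."""
    exc = ats.get("NSExceptionDomains", {}).get(host)
    if exc is not None:
        return exc.get("NSExceptionAllowsInsecureHTTPLoads", False) is True
    return arbitrary_loads_effective(ats, os_honors_local_networking)

def lint(ats):
    """Flag the key combination from the report."""
    if ats.get("NSAllowsArbitraryLoads") is True and ats.get("NSAllowsLocalNetworking") is True:
        return ["NSAllowsLocalNetworking=YES overrides NSAllowsArbitraryLoads on "
                "iOS 10+/macOS 10.12+; http:// loads to non-excepted hosts fail with -1022"]
    return []

if __name__ == "__main__":
    ats = load_ats(SAMPLE)
    for host in ("www.podtrac.com", "api.example.com"):
        print(host, http_allowed(ats, host, True), http_allowed(ats, host, False))
    print(lint(ats))
```

Running `lint` over the built Info.plist in CI catches the combination before it reaches a device, where it otherwise only surfaces as a runtime -1022 error.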

