apache / cordova-ios

Apache Cordova iOS
https://cordova.apache.org/
Apache License 2.0

cordova-ios 6.0.0 iOS App rejection - No HTTPS access #915

Closed gtsopour closed 3 years ago

gtsopour commented 4 years ago

Hello guys, I have submitted an iOS App using WKWebView with the latest cordova-ios 6.0.0 but it got rejected multiple times because they cannot log in or access our APIs through HTTPS requests. But I cannot reproduce this issue in the simulators or on a real device through Test Flight distribution (we have installed the App on 3 real devices with different networks, even under VPN). I have even enabled CORS server side, and I have adapted the NSAppTransportSecurity as below, but no luck. Do you have any ideas or any suggestions? This is happening only on Apple's side during their reviews.

<key>NSAppTransportSecurity</key>
<dict>
  <key>NSAllowsArbitraryLoads</key>
  <false/>
  <key>NSAllowsArbitraryLoadsInWebContent</key>
  <true/>
  <key>NSExceptionDomains</key>
  <dict>
    <key>{MY_DOMAIN}</key>
    <dict>
      <key>NSExceptionAllowsInsecureHTTPLoads</key>
      <true/>
      <key>NSExceptionMinimumTLSVersion</key>
      <string>TLSv1.0</string>
      <key>NSIncludesSubdomains</key>
      <true/>
    </dict>
  </dict>
</dict>
breautek commented 4 years ago

If your app is behind a login form, you have to supply a username and password to Apple that they can use to log in to the app. There are form fields in iTunes Connect for your app. Have you done this?

gtsopour commented 4 years ago

@breautek Yes, of course. And I have replied to them multiple times with the right credentials. But again it seems not to be a login issue but a network issue. I am not receiving any requests from them at all.

timbru31 commented 4 years ago

This sounds a lot like a backend issue, not a Cordova one. Have you, e.g., any IP/region whitelisting in place?

gtsopour commented 4 years ago

@breautek @timbru31 The App is working from several real devices through the Test Flight distribution. We are located in different countries and we do not have any issues at all. Only the Apple reviewers cannot log in/access. We put in some more logs and it seems that no requests are reaching our servers from them.

When they upload their screenshots, I see that they are always under VPN. I think the issue is related to their VPN in combination with the WKWebView and its CORS/XHR restrictions. I have submitted with both HTTP and HTTPS protocols (after adapting our services) without any luck.

Can you see anything strange in my configuration? I am using cordova-ios 6.1.0 with the WKWebView in the core. Am I missing something in the WKURLSchemeHandler definition? Please note that we even enabled CORS server side without any success.

Again, note that only the Apple reviewers have the issue and none of us do.

<?xml version='1.0' encoding='utf-8'?>
<widget android-versionCode="100038" id="" version="1.0.6" xmlns="http://www.w3.org/ns/widgets">
  <name></name>
  <description>
  </description>
  <content src="index.html" />
  <plugin name="cordova-plugin-whitelist" spec="1" />
  <access origin="*" />
  <access origin="*.pushwoosh.com" />
  <allow-navigation href="*" />
  <allow-intent href="http://*/*" />
  <allow-intent href="https://*/*" />
  <allow-intent href="tel:*" />
  <allow-intent href="sms:*" />
  <allow-intent href="mailto:*" />
  <allow-intent href="geo:*" />
  <platform name="android">
    <allow-intent href="market:*" />
  </platform>
  <platform name="ios">
    <allow-navigation href="http://127.0.0.1/*" />
    <allow-navigation href="http://www.{MY_DOMAIN}.com/*" />
    <allow-navigation href="http://data.{MY_DOMAIN}.com/*" />
    <allow-navigation href="http://video.{MY_DOMAIN}.com/*" />
  </platform>
  <preference name="scheme" value="http" />
  <preference name="hostname" value="127.0.0.1" />
  <preference name="StatusBarOverlaysWebView" value="false" />
  <preference name="StatusBarBackgroundColor" value="#132934" />
  <preference name="StatusBarStyle" value="lightcontent" />
  <preference name="android-usesCleartextTraffic" value="true" />
  <preference name="AllowInlineMediaPlayback" value="true" />
  <preference name="DisallowOverscroll" value="true" />
  <preference name="webviewbounce" value="false" />
  <preference name="AutoHideSplashScreen" value="true" />
  <preference name="SplashShowOnlyFirstTime" value="false" />
  <icon  />
  <platform name="ios">
    <icon  />
  </platform>
  <platform name="android">
    <splash />
  </platform>
  <platform name="ios">
    <splash />
  </platform>
  <plugin name="phonegap-plugin-barcodescanner" spec="~7.1.2" />
  <plugin name="cordova-android-support-gradle-release" spec="~3.0.0" />
  <plugin name="cordova-plugin-telerik-imagepicker" spec="~2.3.3" />
  <plugin name="cordova-plugin-device" spec="~2.0.3" />
  <plugin name="cordova-plugin-dialogs" spec="~2.0.2" />
  <plugin name="cordova-plugin-screen-orientation" spec="~3.0.2" />
  <plugin name="cordova-plugin-whitelist" spec="~1.3.4" />
</widget>
breautek commented 4 years ago

The only thing I see that is strange is that I don't think WKURLSchemeHandler plays nicely with http or https (or any other standard protocols). It's supposed to be for defining how to handle custom schemes. That's why the cordova blog post uses app in its example. But honestly I'm not that knowledgeable with URL schemes and I don't know if this is a source of your problem or not. I'd be kinda surprised if it was.

I can say that I have no issues with apple using my provided login for my apps, but none of my apps are on cordova-ios@6 yet. I have one app on cordova-ios@5.1.1 using the wkwebview plugin, and another app also on cordova-ios@5.1.1, but using the ionic webview (with their implementation of scheme handlers).

NiklasMerz commented 4 years ago

I also think you cannot use http or https or any other standard protocol as your custom scheme in the app. WKURLSchemeHandler should not allow that but I wonder why that works for you.

I am using the Ionic Webview plugin, too and that blocks these schemes. It has been a while since I played around with that setting but I will do it again probably soon. :-)

breautek commented 3 years ago

After reading this a second time (a few months later...) I realise that my original interpretation was completely wrong. It's not that they cannot connect to your servers, it's that they want you to use HTTPS instead of HTTP, unless you have a really good reason why you can't use HTTPS.

The rejection is related to NSAllowsArbitraryLoads.

If you have this set to true, it must be limited to scope as much as possible, with proper justification.

Some examples of acceptable justifications are:

In your case, if {MY_DOMAIN} is controlled by you, then you should install TLS on it and route your app through https. If it's not controlled by you, then you must explain that.

If you're using these settings, you must provide this information explaining why your app cannot use secure connections by default. See Apple Docs for more info.

Since this isn't a bug with Cordova, I'll be closing this issue. However, if you require more assistance, I'll invite you to our Slack.
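A small audit script for the two settings this thread turns on: the ATS exceptions in the plist posted above, and the plain-http allow-navigation entries in the config.xml. This is an added example, not code from the thread or from the cordova-ios project; the plist and config.xml samples are constructed from the snippets in this issue, and {MY_DOMAIN} is kept as the author's placeholder.

```python
"""Lint an iOS Info.plist ATS block and a Cordova config.xml for settings that
weaken transport security (added example; samples constructed from the thread)."""
import plistlib
import xml.etree.ElementTree as ET

# The ATS block posted in the issue, wrapped in a minimal plist document.
SAMPLE_PLIST = b"""<plist version="1.0"><dict>
<key>NSAppTransportSecurity</key><dict>
  <key>NSAllowsArbitraryLoads</key><false/>
  <key>NSAllowsArbitraryLoadsInWebContent</key><true/>
  <key>NSExceptionDomains</key><dict>
    <key>{MY_DOMAIN}</key><dict>
      <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
      <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
      <key>NSIncludesSubdomains</key><true/>
    </dict>
  </dict>
</dict>
</dict></plist>"""

SAMPLE_CONFIG = b"""<widget xmlns="http://www.w3.org/ns/widgets">
  <platform name="ios">
    <allow-navigation href="http://127.0.0.1/*" />
    <allow-navigation href="http://www.{MY_DOMAIN}.com/*" />
  </platform>
</widget>"""

def audit_ats(plist_bytes):
    """Return one finding per ATS key that App Review expects a justification for."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    for key in ("NSAllowsArbitraryLoads", "NSAllowsArbitraryLoadsInWebContent"):
        if ats.get(key):
            findings.append(f"{key} is true: global ATS exception, justify or remove")
    for domain, exc in ats.get("NSExceptionDomains", {}).items():
        if exc.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"{domain}: plaintext HTTP allowed; install TLS and use https")
        tls = exc.get("NSExceptionMinimumTLSVersion", "TLSv1.2")
        if tls in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"{domain}: minimum {tls} is below the ATS default TLSv1.2")
    return findings

def audit_config(config_bytes):
    """Return http:// allow-navigation entries other than the local scheme host."""
    tag = "{http://www.w3.org/ns/widgets}allow-navigation"
    hrefs = [n.get("href", "") for n in ET.fromstring(config_bytes).iter(tag)]
    return [h for h in hrefs if h.startswith("http://")
            and not h.startswith(("http://127.0.0.1", "http://localhost"))]
```

Run against the samples it reports the web-content exception, the insecure-HTTP exception and the TLSv1.0 floor for {MY_DOMAIN}, plus the one non-loopback http:// navigation target; a plist with only NSAllowsArbitraryLoads set to false yields no findings.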