nessieisreal / nessie-ios-sdk


ATS is misconfigured #8

Open iwllyu opened 7 years ago

iwllyu commented 7 years ago

NessieTestProj/info.plist has the following, which enables NSAllowsArbitraryLoads. This is bad, as it allows all traffic and makes ATS ignore the NSExceptionDomains.

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
    <key>NSExceptionDomains</key>
    <dict>
        <key>http://api.reimaginebanking.com</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <key>NSExceptionMinimumTLSVersion</key>
            <string>TLSv1.1</string>
            <key>NSIncludesSubdomains</key>
            <true/>
        </dict>
    </dict>
</dict>

The minimum set of keys you need to exclude api.reimaginebanking.com is:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>api.reimaginebanking.com</key>
        <dict>
            <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
</dict>
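
An added check for the problem described in this issue, not code from the nessie-ios-sdk repository or from the issue author: it parses an Info.plist with the standard library's plistlib and reports the two defects visible above (NSAllowsArbitraryLoads set to true, and an NSExceptionDomains key written as a URL rather than a bare hostname), plus any per-domain plaintext-HTTP exception. The two plists embedded below are constructed samples that mirror the two snippets in the issue.

```python
# Added example for the ATS misconfiguration discussed in this issue; not code
# from the nessie-ios-sdk repository or from the issue author. Both plists are
# constructed samples mirroring the two snippets in the issue.
import plistlib

MISCONFIGURED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSAllowsArbitraryLoads</key>
        <true/>
        <key>NSExceptionDomains</key>
        <dict>
            <key>http://api.reimaginebanking.com</key>
            <dict>
                <key>NSExceptionAllowsInsecureHTTPLoads</key>
                <true/>
                <key>NSExceptionMinimumTLSVersion</key>
                <string>TLSv1.1</string>
                <key>NSIncludesSubdomains</key>
                <true/>
            </dict>
        </dict>
    </dict>
</dict>
</plist>
"""

FIXED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSExceptionDomains</key>
        <dict>
            <key>api.reimaginebanking.com</key>
            <dict>
                <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
                <true/>
            </dict>
        </dict>
    </dict>
</dict>
</plist>
"""

# Both spellings of the per-domain "allow plaintext HTTP" key; the issue uses each once.
INSECURE_HTTP_KEYS = (
    "NSExceptionAllowsInsecureHTTPLoads",
    "NSTemporaryExceptionAllowsInsecureHTTPLoads",
)


def audit_ats(plist_bytes: bytes) -> list[tuple[str, str]]:
    """Return (finding_code, detail) pairs for the NSAppTransportSecurity dict."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings: list[tuple[str, str]] = []

    # App-wide switch: once this is true, ATS no longer enforces HTTPS for any host,
    # so the per-domain exceptions below are not what limits plaintext traffic.
    if ats.get("NSAllowsArbitraryLoads") is True:
        findings.append(("ARBITRARY_LOADS",
                         "NSAllowsArbitraryLoads is true: ATS is disabled for every host"))

    for host, rules in ats.get("NSExceptionDomains", {}).items():
        # Exception keys are domain names; a scheme or path means the entry is a URL.
        if "://" in host or "/" in host:
            findings.append(("BAD_DOMAIN_KEY",
                             f"{host!r}: NSExceptionDomains keys are bare hostnames, not URLs"))
        if any(rules.get(k) is True for k in INSECURE_HTTP_KEYS):
            findings.append(("INSECURE_HTTP",
                             f"{host}: plaintext HTTP is permitted for this host"))
    return findings


if __name__ == "__main__":
    for label, blob in (("misconfigured", MISCONFIGURED_PLIST), ("fixed", FIXED_PLIST)):
        print(label)
        for code, detail in audit_ats(blob):
            print(f"  [{code}] {detail}")
```

Running it against the first sample yields three findings (the app-wide switch, the URL-shaped domain key, and the plaintext exception); against the second it yields only the single, deliberate plaintext exception for api.reimaginebanking.com, which is the scope the issue proposes.
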
coryz commented 7 years ago

I think this was enabled due to the fact that api.reimaginebanking.com doesn't work over https. We've been meaning to add that in for some time now...