tdlib / td

Cross-platform library for building Telegram clients
https://core.telegram.org/tdlib
Boost Software License 1.0

WatchOS Standalone Application - Connection issue: HTTP Insecure Requests #2740

Closed whiteHatCip closed 9 months ago

whiteHatCip commented 9 months ago

Hi, I am new to TDLib and TDLibKit. I've been digging into these libraries for just a couple of weeks so far and everything seems to be quite fine except for one thing:

When I run the application, I create a tdlibclient instance and in the update handler I run the setTdLibParameters function. Once done, I keep getting these warnings for insecure http requests:

[Updates] [debug] Starting handler
[ 3][t 4][1704344174.582313060][Td.cpp:2609][#1][!MultiTd]   Create Td with layer 169, database version 14 and version 52 on 4 threads
[ 3][t 4][1704344174.584079980][Td.cpp:4121][#1][!Td][&td_requests]  Sending update: updateOption {
  name = "version"
  value = optionValueString {
    value = "1.8.23"
  }
}
[ 3][t 4][1704344174.584203004][Td.cpp:4121][#1][!Td][&td_requests]  Sending update: updateOption {
  name = "commit_hash"
  value = optionValueString {
    value = ""
  }
}
[ 3][t 0][1704344174.584208965][Client.cpp:293][&td_requests]    End to wait for updates, returning object 0 0x600000c54f90
[ 3][t 4][1704344174.584319114][Td.cpp:4121][#1][!Td][&td_requests]  Sending update: updateAuthorizationState {
  authorization_state = authorizationStateWaitTdlibParameters {
  }
}
[ 3][t 4][1704344174.584327936][Td.cpp:3001][#1][!Td][&td_requests]  Receive request 1: getOption {
  name = "version"
}
[ 3][t 4][1704344174.585586071][Td.cpp:4138][#1][!Td][&td_requests]  Sending result for request 1: optionValueString {
  value = "1.8.23"
}
[ 3][t 4][1704344174.585790157][Td.cpp:3001][#1][!Td][&td_requests]  Receive request 2: setLogVerbosityLevel {
  new_verbosity_level = 2
}
[cache] [debug] Database path: /Users/user/Library/Developer/CoreSimulator/Devices/C0383F4D-36B2-45BC-9302-07912C0A3063/data/Containers/Data/Application/18BFFB2A-7BC7-4065-B4FA-58F231F19294/Library/Application Support/TWatchGram/cache.sqlite
[cache] [notice] Started StorageService
[file:///Users/user/Library/Developer/CoreSimulator/Devices/C0383F4D-36B2-45BC-9302-07912C0A3063/data/Containers/Data/Application/18BFFB2A-7BC7-4065-B4FA-58F231F19294/Library/Caches/]
Info.plist contained no UIScene configuration dictionary (looking for configuration named "Default Configuration")
[ 2][t 1][1704344174.883208036][TdDb.cpp:428][#1][!RunOnSchedulerWorker] Set PRAGMA user_version = 14
[ 2][t 4][1704344174.898053169][AuthDataShared.cpp:117][#1][!Td] DcId{1} [auth_key_id:0][state:Empty][created_at:0][last_used:0]
[ 2][t 4][1704344174.903321266][Session.cpp:271][#1][!SessionProxy:1:main]   Generate new session_id 7226529417071772451 for auth key 0 for main DC1
[ 2][t 4][1704344174.909845113][Session.cpp:271][#1][!SessionProxy:1:main]   Generate new session_id 10831482835837301747 for auth key 0 for main DC1
PDTask <291D928D-25D7-4D82-A7E3-C82F86FD3862>.<1> finished with error [-1022] Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSErrorFailingURLStringKey=http://149.154.175.50:443/api, NSErrorFailingURLKey=http://149.154.175.50:443/api, _NSURLErrorRelatedURLSessionTaskErrorKey=(
    "LocalDataPDTask <291D928D-25D7-4D82-A7E3-C82F86FD3862>.<1>",
    "LocalDataTask <291D928D-25D7-4D82-A7E3-C82F86FD3862>.<1>"
), _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataPDTask <291D928D-25D7-4D82-A7E3-C82F86FD3862>.<1>, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}
Task <291D928D-25D7-4D82-A7E3-C82F86FD3862>.<1> finished with error [-1022] Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSErrorFailingURLStringKey=http://149.154.175.50:443/api, NSErrorFailingURLKey=http://149.154.175.50:443/api, _NSURLErrorRelatedURLSessionTaskErrorKey=(
    "LocalDataTask <291D928D-25D7-4D82-A7E3-C82F86FD3862>.<1>",
    "LocalDataPDTask <291D928D-25D7-4D82-A7E3-C82F86FD3862>.<1>",
    "LocalDataTask <291D928D-25D7-4D82-A7E3-C82F86FD3862>.<1>"
), _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <291D928D-25D7-4D82-A7E3-C82F86FD3862>.<1>, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}
PDTask <FDEA4F3B-DB33-4215-8B70-76F40FD1FE5F>.<2> finished with error [-1022] Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSErrorFailingURLStringKey=http://149.154.175.50:80/api, NSErrorFailingURLKey=http://149.154.175.50:80/api, _NSURLErrorRelatedURLSessionTaskErrorKey=(
    "LocalDataPDTask <FDEA4F3B-DB33-4215-8B70-76F40FD1FE5F>.<2>",
    "LocalDataTask <FDEA4F3B-DB33-4215-8B70-76F40FD1FE5F>.<2>"
), _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataPDTask <FDEA4F3B-DB33-4215-8B70-76F40FD1FE5F>.<2>, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}
Task <FDEA4F3B-DB33-4215-8B70-76F40FD1FE5F>.<2> finished with error [-1022] Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSErrorFailingURLStringKey=http://149.154.175.50:80/api, NSErrorFailingURLKey=http://149.154.175.50:80/api, _NSURLErrorRelatedURLSessionTaskErrorKey=(
    "LocalDataTask <FDEA4F3B-DB33-4215-8B70-76F40FD1FE5F>.<2>",
    "LocalDataPDTask <FDEA4F3B-DB33-4215-8B70-76F40FD1FE5F>.<2>",
    "LocalDataTask <FDEA4F3B-DB33-4215-8B70-76F40FD1FE5F>.<2>"
), _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <FDEA4F3B-DB33-4215-8B70-76F40FD1FE5F>.<2>, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}
PDTask <A4DBEFCB-7C16-4366-B1ED-24E3DF7E69BE>.<3> finished with error [-1022] Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSErrorFailingURLStringKey=http://149.154.175.50:5222/api, NSErrorFailingURLKey=http://149.154.175.50:5222/api, _NSURLErrorRelatedURLSessionTaskErrorKey=(
    "LocalDataPDTask <A4DBEFCB-7C16-4366-B1ED-24E3DF7E69BE>.<3>",
    "LocalDataTask <A4DBEFCB-7C16-4366-B1ED-24E3DF7E69BE>.<3>"
), _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataPDTask <A4DBEFCB-7C16-4366-B1ED-24E3DF7E69BE>.<3>, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}
Task <A4DBEFCB-7C16-4366-B1ED-24E3DF7E69BE>.<3> finished with error [-1022] Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSErrorFailingURLStringKey=http://149.154.175.50:5222/api, NSErrorFailingURLKey=http://149.154.175.50:5222/api, _NSURLErrorRelatedURLSessionTaskErrorKey=(
    "LocalDataTask <A4DBEFCB-7C16-4366-B1ED-24E3DF7E69BE>.<3>",
    "LocalDataPDTask <A4DBEFCB-7C16-4366-B1ED-24E3DF7E69BE>.<3>",
    "LocalDataTask <A4DBEFCB-7C16-4366-B1ED-24E3DF7E69BE>.<3>"
), _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <A4DBEFCB-7C16-4366-B1ED-24E3DF7E69BE>.<3>, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}
PDTask <E3DA30BA-E26F-4F42-8896-6CF5ADDF6ED0>.<4> finished with error [-1022] Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSErrorFailingURLStringKey=http://[2001:b28:f23d:f001::a]:443/api, NSErrorFailingURLKey=http://[2001:b28:f23d:f001::a]:443/api, _NSURLErrorRelatedURLSessionTaskErrorKey=(
    "LocalDataPDTask <E3DA30BA-E26F-4F42-8896-6CF5ADDF6ED0>.<4>",
    "LocalDataTask <E3DA30BA-E26F-4F42-8896-6CF5ADDF6ED0>.<4>"
), _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataPDTask <E3DA30BA-E26F-4F42-8896-6CF5ADDF6ED0>.<4>, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}
Task <E3DA30BA-E26F-4F42-8896-6CF5ADDF6ED0>.<4> finished with error [-1022] Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSErrorFailingURLStringKey=http://[2001:b28:f23d:f001::a]:443/api, NSErrorFailingURLKey=http://[2001:b28:f23d:f001::a]:443/api, _NSURLErrorRelatedURLSessionTaskErrorKey=(
    "LocalDataTask <E3DA30BA-E26F-4F42-8896-6CF5ADDF6ED0>.<4>",
    "LocalDataPDTask <E3DA30BA-E26F-4F42-8896-6CF5ADDF6ED0>.<4>",
    "LocalDataTask <E3DA30BA-E26F-4F42-8896-6CF5ADDF6ED0>.<4>"
), _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <E3DA30BA-E26F-4F42-8896-6CF5ADDF6ED0>.<4>, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}

I noticed that there are these two lines in TDLib's ConnectionCreator.cpp file, @ line 682

#if TD_DARWIN_WATCH_OS
  only_http = true;
#endif

Could this be the reason why on watchOS the requests are using the http protocol, in place of https?

Maybe this is something to ask on the TDLib issues directly?

This is annoying because in order to be able to get the connection to Telegram servers to work, I need to set domain exceptions for the URL that TDLib uses to make requests.

I will really appreciate any insight on this matter. Thank you in advance.

levlam commented 9 months ago

Telegram doesn't use TLS for encryption and instead uses MTProto protocol to transfer encrypted data. HTTP is used only as a transport for the encrypted data and doesn't impose any security issues for Telegram. As you mentioned in the issue description, you can acknowledge that the requests are secure by adding to NSExceptionDomains all IP addresses from https://github.com/tdlib/td/blob/d963044eb9b8bb075e3f63b8bfd8da735c4c37d9/td/telegram/net/ConnectionCreator.cpp#L1232-L1252
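The audit below is an added example, not TDLib's or TDLibKit's code: it pulls the hosts out of the NSURLErrorDomain -1022 lines quoted in the issue, emits the per-host NSExceptionDomains entries that allow plain HTTP to exactly those hosts, and checks an Info.plist for gaps or for an over-broad NSAllowsArbitraryLoads. The log sample and the plist are constructed for the example; the two hosts are the ones visible in the issue's log, not the full list from the linked ConnectionCreator.cpp range, and the example assumes, as the thread does, that an IP literal is usable as an NSExceptionDomains key.

```python
"""Added example (not TDLib's or TDLibKit's code): audit an app's Info.plist
App Transport Security (ATS) exceptions against the hosts that TDLib's HTTP
transport was blocked from reaching. Inputs are constructed for this example."""
import plistlib
import re
from urllib.parse import urlsplit

# Constructed sample: abbreviated copies of the -1022 lines from the issue, plus one
# unrelated TDLib log line to show that only ATS failures are picked up.
SAMPLE_LOG = """\
PDTask <291D928D-25D7-4D82-A7E3-C82F86FD3862>.<1> finished with error [-1022] Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSErrorFailingURLStringKey=http://149.154.175.50:443/api, NSErrorFailingURLKey=http://149.154.175.50:443/api}
Task <FDEA4F3B-DB33-4215-8B70-76F40FD1FE5F>.<2> finished with error [-1022] Error Domain=NSURLErrorDomain Code=-1022 "secure connection required" UserInfo={NSErrorFailingURLStringKey=http://149.154.175.50:80/api}
Task <E3DA30BA-E26F-4F42-8896-6CF5ADDF6ED0>.<4> finished with error [-1022] Error Domain=NSURLErrorDomain Code=-1022 "secure connection required" UserInfo={NSErrorFailingURLStringKey=http://[2001:b28:f23d:f001::a]:443/api}
[ 3][t 4][1704344174.584079980][Td.cpp:4121][#1][!Td][&td_requests]  Sending update: updateOption {
"""

# Matches the failing URL only on lines that carry the ATS error code -1022.
ATS_BLOCKED = re.compile(r"Code=-1022\b.*?NSErrorFailingURLStringKey=([^,}\s]+)")


def blocked_http_hosts(log: str) -> set[str]:
    """Hosts (IPv6 literals without brackets) that ATS refused over plain HTTP."""
    hosts = set()
    for line in log.splitlines():
        m = ATS_BLOCKED.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if url.scheme == "http" and url.hostname:
            hosts.add(url.hostname)
    return hosts


def build_ats_dict(hosts, allow_arbitrary: bool = False) -> dict:
    """NSAppTransportSecurity dictionary allowing plain HTTP only to `hosts`.
    `allow_arbitrary` is here only so the audit below can be shown catching it."""
    ats = {
        "NSExceptionDomains": {
            host: {"NSExceptionAllowsInsecureHTTPLoads": True} for host in hosts
        }
    }
    if allow_arbitrary:
        ats["NSAllowsArbitraryLoads"] = True
    return {"NSAppTransportSecurity": ats}


def ats_plist(hosts, allow_arbitrary: bool = False) -> bytes:
    """Serialize the fragment as XML plist bytes, ready to merge into Info.plist."""
    return plistlib.dumps(build_ats_dict(hosts, allow_arbitrary))


def uncovered_hosts(info_plist: bytes, log: str) -> set[str]:
    """Hosts from the log that the plist does not explicitly allow over HTTP."""
    ats = plistlib.loads(info_plist).get("NSAppTransportSecurity", {})
    exceptions = ats.get("NSExceptionDomains", {})
    return {
        host
        for host in blocked_http_hosts(log)
        if not exceptions.get(host, {}).get("NSExceptionAllowsInsecureHTTPLoads", False)
    }


def allows_arbitrary_loads(info_plist: bytes) -> bool:
    """True when ATS is disabled globally, which is broader than TDLib's transport needs."""
    ats = plistlib.loads(info_plist).get("NSAppTransportSecurity", {})
    return bool(ats.get("NSAllowsArbitraryLoads", False))


if __name__ == "__main__":
    needed = sorted(blocked_http_hosts(SAMPLE_LOG))
    plist = ats_plist(needed)
    print(plist.decode())  # the per-host fragment to merge into Info.plist
    print("uncovered:", uncovered_hosts(plist, SAMPLE_LOG))
    print("arbitrary loads:", allows_arbitrary_loads(plist))
```

Run it against a real log and the app's built Info.plist and it prints the hosts that still lack an exception; an empty set together with `allows_arbitrary_loads` returning False is the state to aim for, since per-host exceptions keep ATS enforced for every other connection the app makes.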

whiteHatCip commented 9 months ago

@levlam thank you for your kind and quick reply. I thought that this was not going to be a security issue since everything is encrypted before transferring data. What I am more concerned about is the fact that I will be uploading my application to the AppStore, and I remember that Apple is quite strict about the security policy for secure loads.

Do you know if using http requests with exception domains will prevent the application from being accepted? I understand that this is not a concern of TDLib's, but maybe you can help me anyway. Thanks again!

levlam commented 9 months ago

Apple's documentation doesn't mention that whitelisting of specific domains requires special approval. That's all I know.