I am trying to configure App Transport security, but I am always getting a response from Security Scan that it is not properly configured. I am using Appcelerator SDK 7.0.1 for iOS.
Scan result:
App Transport Security
App Transport Security (ATS), which is a networking security feature that ensures network connections employ the most secure protocols and ciphers, was found to be misconfigured.
NSAllowsArbitraryLoads set YES
This is a part of my tiapp.xml
<property name="ios.whitelist.appcelerator.com" type="bool">false</property>
<ios>
    <enable-launch-screen-storyboard>true</enable-launch-screen-storyboard>
    <use-app-thinning>true</use-app-thinning>
    <plist>
        <dict>
            <key>UISupportedInterfaceOrientations~iphone</key>
            <array>
                <string>UIInterfaceOrientationPortrait</string>
            </array>
            <key>UISupportedInterfaceOrientations~ipad</key>
            <array>
                <string>UIInterfaceOrientationPortrait</string>
                <string>UIInterfaceOrientationPortraitUpsideDown</string>
            </array>
            <key>UIRequiresPersistentWiFi</key>
            <false/>
            <key>UIPrerenderedIcon</key>
            <false/>
            <key>UIStatusBarHidden</key>
            <false/>
            <key>UIStatusBarStyle</key>
            <string>UIStatusBarStyleDefault</string>
            <key>NSAppTransportSecurity</key>
            <dict>
                <key>NSAllowsArbitraryLoads</key>
                <true/>
            </dict>
        </dict>
    </plist>
</ios>
It is done as specified in documentation: http://docs.appcelerator.com/platform/latest/#!/api/Titanium.Network
What am I doing wrong? Thanks in advance for help.
Setting NSAllowsArbitraryLoads to true disables ATS, meaning that all URLs will be allowed and no restriction is configured. This is how it is configured by default in Titanium, to ensure backwards compatibility for apps upgrading to newer SDK versions. It can be overridden either by specifying allowed domains (whitelisting) or by disabling NSAllowsArbitraryLoads.
The docs are still incorrect, as Nirman pointed out, so I just updated them (as I couldn't find the pull request mentioned earlier).
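
An added example, not part of the original thread and not Appcelerator's code: a small Python check that reproduces the scanner's finding against the ATS block of a tiapp.xml and also reports per-domain exceptions that allow plain HTTP. WEAK mirrors the block posted in the question; SCOPED, the domain legacy.example.com and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples. WEAK mirrors the ATS block posted in the question;
# SCOPED is an assumed whitelist variant (legacy.example.com is a placeholder).
WEAK = """<ios><plist><dict>
  <key>NSAppTransportSecurity</key>
  <dict><key>NSAllowsArbitraryLoads</key><true/></dict>
</dict></plist></ios>"""

SCOPED = """<ios><plist><dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><false/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict><key>NSExceptionAllowsInsecureHTTPLoads</key><true/></dict>
    </dict>
  </dict>
</dict></plist></ios>"""

def plist_dict(elem):
    """Convert a plist <dict> element to a Python dict (bools, nested dicts, text)."""
    out, kids = {}, list(elem)
    for key, val in zip(kids[0::2], kids[1::2]):  # plist dicts alternate key, value
        if val.tag == "dict":
            out[key.text] = plist_dict(val)
        else:  # <true/> and <false/> become bools, anything else keeps its text
            out[key.text] = {"true": True, "false": False}.get(val.tag, val.text)
    return out

def audit_ats(xml_text):
    """Return ATS findings for a tiapp.xml document or its <ios> section."""
    top = ET.fromstring(xml_text).find(".//plist/dict")
    ats = plist_dict(top).get("NSAppTransportSecurity") if top is not None else None
    if not isinstance(ats, dict):
        # The answer above states Titanium defaults to NSAllowsArbitraryLoads = true.
        return ["NSAppTransportSecurity not set: Titanium default applies"]
    findings = []
    if ats.get("NSAllowsArbitraryLoads") is True:
        findings.append("NSAllowsArbitraryLoads is true: ATS disabled for all URLs")
    for domain, cfg in (ats.get("NSExceptionDomains") or {}).items():
        if isinstance(cfg, dict) and cfg.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            findings.append(f"{domain}: insecure HTTP loads allowed")
    return findings

if __name__ == "__main__":
    print(audit_ats(WEAK), audit_ats(SCOPED))
```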