3

We are an online payments app which allows users to pay to different merchants through credit, debit cards or net banking. Since apple has introduced App Transport Security in IOS 9.0, we are facing issues while loading different bank urls in UIWebView.

ATS requires all bank sites to be TLS 1.2 compliant but most of the banks are still using SSL or TLS 1.0. Based on various stack overflow answers to bypass this either we have to explicitly allow that particular domain to be SSL or TLS 1.0 compliant or we can make use of NSAllowsArbitraryLoads to allows all the bank urls. Since we can't keep track of all the bank urls we want to use NSAllowsArbitraryLoads approach.

Does apple rejects the app which use NSAllowsArbitraryLoads?

Does enabling NSAllowsArbitraryLoads in IOS 9 disables TLS or SSL checking altogether or does it only removes TLS 1.2 enforcement.

user3090166
  • 41
  • 3

1 Answers1

1

Setting NSAllowsArbitraryLoads will disable TLS/SSL checking altogether so you will be able to issue plain http calls. There are separate keys, NSExceptionMinimumTLSVersion and NSThirdPartyExceptionMinimumTLSVersion, that allow you to specify an older version of TLS. For more information, see: https://developer.apple.com/library/prerelease/ios/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html#//apple_ref/doc/uid/TP40009251-SW33 .

I cannot speak to what Apple will and will not reject and their guidelines are subject to change. However, the documentation indicates that NSAllowsArbitraryLoads is meant for debugging and development so you probably should not submit with it.

If you have too many bank partners to manage, you can create a Run-Script Pre-Action to your Build that will set the exceptions for all your partners in your Info.plist.

Carlos Macasaet
  • 1,176
  • 7
  • 23