4

Embedding a map in my app causes many HTTP requests to be produced, of the form:

http://gspe19.ls.apple.com/tile.vf?flags=1&style=1&size=2&scale=0&v=99999999&z=99&x=9999&y=9999&checksum=1&sid=999999&accessKey=XXXXXX

This is the tile data that is displayed on the map as one scrolls around. However, the use of HTTP is an information disclosure issue - anyone eavesdropping on the network can identify where you are looking, and potentially man-in-the-middle attack the data to feed you incorrect information or try to trigger bugs.

Is there any way to force MapKit to send these requests over HTTPS instead? The API documentation is unclear on this.

  • Report this to Apple. This is probably something only Apple can fix. – Robotic Cat Jul 05 '16 at 22:55
  • I'd like to find an app workaround too, as any fix would presumably only apply to future iOS versions. Unless it receives these URLs in full from the map API, perhaps - then it could just be an API response modification on their end. – Opine Parens Jul 05 '16 at 23:04

1 Answer

1

This seems a bit like overkill, but you could replace the map content entirely to use your own server so it won't talk to Apple's server to load map data.

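// HTTPS tile source; {z}/{x}/{y} are filled in by MKTileOverlay per tile.
NSString *template = @"https://c.tile.openstreetmap.org/{z}/{x}/{y}.png";
MKTileOverlay *overlay = [[MKTileOverlay alloc] initWithURLTemplate:template];
// Tell MapKit the overlay is opaque and covers the base map, so it can skip loading its own tiles.
overlay.canReplaceMapContent = YES;
// `map` is the app's MKMapView; its delegate must return an MKTileOverlayRenderer for this overlay.
[map addOverlay:overlay level:MKOverlayLevelAboveLabels];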

You could also test to see if MKMapSnapshotter is also insecure. If it is not, you could use it in an MKTileOverlay subclass that implements loadTileAtPath:result:.

Jon Rose
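
An added example, not part of the original answer: an MKTileOverlay subclass that implements loadTileAtPath:result: itself, so that a cleartext template or a redirect down to HTTP fails closed instead of fetching the tile. The class name `HTTPSOnlyTileOverlay` and the choice of error codes are assumptions made for illustration.

```objc
#import <MapKit/MapKit.h>

// Hypothetical subclass (name is an assumption): fetches tiles itself and
// refuses any tile URL or redirect target that is not HTTPS.
@interface HTTPSOnlyTileOverlay : MKTileOverlay <NSURLSessionTaskDelegate>
@property (nonatomic, strong) NSURLSession *session; // retains its delegate until invalidated
@end

@implementation HTTPSOnlyTileOverlay

static BOOL IsHTTPS(NSURL *url) {
    return url.scheme != nil && [url.scheme caseInsensitiveCompare:@"https"] == NSOrderedSame;
}

- (instancetype)initWithURLTemplate:(NSString *)URLTemplate {
    if ((self = [super initWithURLTemplate:URLTemplate])) {
        NSURLSessionConfiguration *cfg = [NSURLSessionConfiguration ephemeralSessionConfiguration];
        _session = [NSURLSession sessionWithConfiguration:cfg delegate:self delegateQueue:nil];
        self.canReplaceMapContent = YES; // overlay stands in for the base map tiles
    }
    return self;
}

- (void)loadTileAtPath:(MKTileOverlayPath)path
                result:(void (^)(NSData *, NSError *))result {
    NSURL *url = [self URLForTilePath:path];
    if (!IsHTTPS(url)) { // cleartext template: fail closed, no request is sent
        result(nil, [NSError errorWithDomain:NSURLErrorDomain
                                        code:NSURLErrorUnsupportedURL userInfo:nil]);
        return;
    }
    [[self.session dataTaskWithURL:url
                 completionHandler:^(NSData *data, NSURLResponse *resp, NSError *err) {
        // A refused redirect completes with the 3xx response, so require a 200.
        BOOL ok = err == nil && [resp isKindOfClass:[NSHTTPURLResponse class]]
                  && [(NSHTTPURLResponse *)resp statusCode] == 200;
        NSError *bad = [NSError errorWithDomain:NSURLErrorDomain
                                           code:NSURLErrorBadServerResponse userInfo:nil];
        result(ok ? data : nil, ok ? nil : (err ?: bad));
    }] resume];
}

// Refuse redirects that would downgrade the tile request to HTTP.
- (void)URLSession:(NSURLSession *)session task:(NSURLSessionTask *)task
willPerformHTTPRedirection:(NSHTTPURLResponse *)response
        newRequest:(NSURLRequest *)request
 completionHandler:(void (^)(NSURLRequest *))completionHandler {
    completionHandler(IsHTTPS(request.URL) ? request : nil);
}

@end
```

Call `invalidateAndCancel` on the overlay's session when the overlay is removed from the map, since the session holds a strong reference to its delegate.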