Unity and iOS 9 App Transport Security – HTTP

I’m finishing one turn based Multiplayer game (at Mukutu Game Studio), which has our own server implementation and, at least for now, works using HTTP requests. The implementation that we have now works perfectly and suit our needs because there’s no visible sensitive data… BUT, after iOS 9 launch, the game just “died” “:D”

Looking at Xcode 7 logs I found this:

App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app’s Info.plist file

which basically means: “Your app is using HTTP which is not secure, we at Apple will soon force you to use HTTPS, sooo … yep … get a SSL”.

This is actually a good thing, it’ll make the data transport more secure and avoid problems. Anyway, if you need a fast temporary solution, you can solve this “problem” (it works today – 09/22/2015) by adding an exception directly on the info.plist file. Unity should provide a way to do this automatically but I don’t really know if there’s one. I’m still using 4.6.8f1 at work.

This fix is basically to force a permission to do the HTTP requests (not HTTPS). We need to add a bunch of XML nodes to the info.plist file, but basically the ones that matters are: NSExceptionAllowsInsecureHTTPLoads = true and NSExceptionRequiresForwardSecrecy = false

If you’re familiar with XML, you can add the following to your info.plist file using some Editor:

<key>NSAppTransportSecurity</key>
	<dict>
		<key>NSAllowsArbitraryLoads</key>
		<false/>
		<key>NSExceptionDomains</key>
		<dict>
			<key>domain.com</key>
			<dict>
				<key>NSExceptionAllowsInsecureHTTPLoads</key>
				<true/>
				<key>NSExceptionMinimumTLSVersion</key>
				<string>TLSv1.1</string>
				<key>NSExceptionRequiresForwardSecrecy</key>
				<false/>
				<key>NSIncludesSubdomains</key>
				<false/>
				<key>NSThirdPartyExceptionAllowsInsecureHTTPLoads</key>
				<false/>
				<key>NSThirdPartyExceptionMinimumTLSVersion</key>
				<string>TLSv1.1</string>
				<key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
				<false/>
			</dict>
		</dict>
	</dict>

 

Obviously you want to change the “domain.com” to your correct domain.

If you don’t want to mess around with the XML, you can change it directly on Xcode (Idk why would you like to do this .. but it’s possible).. Just click on the (+) sign, select the key type accordingly and you’ll end up with the same result.

 

 

You can find more details about this here https://developer.apple.com/library/prerelease/ios/technotes/App-Transport-Security-Technote/index.html