In Xcode, many deprecation warnings regarding 3.9.2 and whitelist


Steve Husting

Dec 30, 2015, 1:23:08 PM
to phonegap
When I did cordova build ios and opened the file in Xcode, there were many deprecated messages regarding cordova 3.9.2 and whitelist. I'm confused by these warnings because I upgraded to cordova 5.4.1. And platform ios was upgraded to 3.9.2 beforehand. 

In config.xml, there is no mention of a whitelist; however, the plugins folder does have the whitelist plugin. 

Are these warnings harmful? (See screen grab.) The app runs fine in the simulator on my Mac. Previously, it ran with flying colors in my Android. 

--------------------------------

Mac Environment:
OS X Yosemite 10.10.5
Mac Mini (Mid 2010)

cordova -v = 5.4.1

cordova platform ? =
Android 4.1.1
iOS 3.9.2

cordova plugin list =
cordova-plugin-inappbrowser 1.1.1 "InAppBrowser"
cordova-plugin-splashscreen 3.0.0 "Splashscreen"
cordova-plugin-whitelist 1.2.0 "Whitelist"

Xcode 6.3.1

Not using PhoneGap or PhoneGap Build
Framework: Zurb Foundation

Jesse Monroy

Dec 30, 2015, 7:59:32 PM
to phonegap

On Wednesday, December 30, 2015 at 11:23:08 AM UTC-7, Steve Husting wrote:
When I did cordova build ios and opened the file in Xcode, there were many deprecated messages regarding cordova 3.9.2 and whitelist. I'm confused by these warnings because I upgraded to cordova 5.4.1. And platform ios was upgraded to 3.9.2 beforehand. 

Hey Steve,
You are correct, these are strange messages after an upgrade. I will try to communicate with Shazron Abdullah (one of the persons on the iOS team) that this needs to be a better message.

The message you are getting is because the Cordova team voted to NOT use the whitelist system for iOS.
To read the detail read

HOW TO apply the Cordova/Phonegap the whitelist system

The breakdown.-> 5. Apple's ATS (App Transport Security)


Apple's ATS (App Transport Security) is a whitelist system exclusive to iOS. It is required as of iOS9. It is implemented in the Info.plist. The blog indicates parts of the whitelist system are now cross-compiled to ATS elements. See Apache Cordova iOS 3.9.2 02 Nov 2015 and Cordova iOS 4.0.0 08 Dec 2015.


Somewhere I also have a link to actual mailing list discussion, if you are interested.


IN SHORT, the whitelist plugin is NOT used for iOS9. However, the <access (...)> XML element will still be used in the config.xml.


Let me know, if you need more details.

Jesse


Steve Husting

Dec 31, 2015, 10:50:49 AM
to phonegap
In my plist, I see that the ATS for Allow Arbitrary Loads is set to YES, which is what I want. (Because there are links to HTTP sites that I don't control and can't change to HTTPS.) So I will ignore all the other warnings. Thanks Jesse.

Steve Husting

Dec 31, 2015, 11:35:08 AM
to phonegap
I added the following information to my article on making iOS apps at https://iphonedevlog.wordpress.com/2014/06/24/using-cordova-3-5-cli-on-mac-os-x-mavericks-to-build-ios-apps/

Does this match up with your understanding of what we need to do?

Add the Whitelist Plugin

This has been deprecated for platform ios 3.9.2. We don't include the Cordova whitelist plugin for iOS9.


However, Apple is incorporating strict security protocols for iOS9 and beyond with their new Application Transport Security. They require that our app's external connections go only to servers incorporating HTTPS and other security. If your app already connects only to URLs that begin with HTTPS, you are probably good to go (though there is more to it than that -- see the resource link following).


But what if your connections go to HTTP and not HTTPS? What if you don't have access to the HTTP servers to upgrade them to HTTPS? Then you'll need to opt out of ATS by allowing all connections (or all connections with some exceptions; see the resource below). 


In Xcode, open /Resources/xxx-info.plist. Click on the arrow for App Transport Security Settings. You'll see that Allow Arbitrary Loads has been set to YES, which means your app is inherently insecure; it will allow all connections, including HTTP. I believe this was set because in our config.xml we have the line, <access origin="*" />, which allows all connections. (The info.plist is populated by the information in config.xml.)


Resource:
http://code.tutsplus.com/articles/apple-tightens-security-with-app-transport-security--cms-24420

Jesse Monroy

Dec 31, 2015, 9:48:43 PM
to phonegap
Pretty close, except for one piece - TLSv1.2.
This is an OpenSSL thing. I don't have all the details, but I seem to recall it is something to do with the driver.

As it is, Apple is "requiring" (by setting it to the default in their library) to v1.2

From one of my References on ATS  Examples

APPLE Information Property List Key Reference: NSAppTransportSecurity
https://developer.apple.com/library/ios/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html#//apple_ref/doc/uid/TP40009251-SW33


Scroll down to NSExceptionMinimumTLSVersion

An optional string value that specifies the minimum Transport Layer Security (TLS) version for connections. Use this key to describe your app’s intended network behavior for a domain whose security attributes you have control over. See also NSThirdPartyExceptionMinimumTLSVersion.

Valid values are:

  • TLSv1.0

  • TLSv1.1

  • TLSv1.2

Default value is TLSv1.2.


This means the client and server are supposed to use TLSv1.2, or their equivalent. You can override the setting to a lower version, but these are shown to be insecure.


I think that's it.

Jesse
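
An added example, not part of the thread and not Cordova's or Apple's code: a small Python audit of the Info.plist settings discussed above. It flags the blanket Allow Arbitrary Loads opt-out and any per-domain exception that permits HTTP or sets NSExceptionMinimumTLSVersion below TLSv1.2. The sample plists and the domain legacy.example.com are constructed; NSAllowsArbitraryLoads, NSExceptionDomains and NSExceptionAllowsInsecureHTTPLoads are Apple's ATS key names, which the thread mentions only by their Xcode labels.

```python
import plistlib

# Values listed in Apple's key reference, weakest first; TLSv1.2 is the default.
TLS_ORDER = ["TLSv1.0", "TLSv1.1", "TLSv1.2"]

def audit_ats(plist_bytes):
    """Return a list of findings for the NSAppTransportSecurity dict of an Info.plist."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads", False):
        findings.append("NSAllowsArbitraryLoads=YES: ATS is off for every "
                        "domain that has no exception entry of its own")
    for domain, exc in ats.get("NSExceptionDomains", {}).items():
        if exc.get("NSExceptionAllowsInsecureHTTPLoads", False):
            findings.append(f"{domain}: plain HTTP allowed")
        min_tls = exc.get("NSExceptionMinimumTLSVersion", "TLSv1.2")
        if min_tls not in TLS_ORDER:
            findings.append(f"{domain}: unknown minimum TLS value {min_tls!r}")
        elif TLS_ORDER.index(min_tls) < TLS_ORDER.index("TLSv1.2"):
            findings.append(f"{domain}: minimum TLS lowered to {min_tls}")
    return findings

# Constructed sample 1: the blanket opt-out described in the thread.
BLANKET = plistlib.dumps({"NSAppTransportSecurity": {"NSAllowsArbitraryLoads": True}})

# Constructed sample 2: ATS stays on, one legacy host gets a scoped exception.
SCOPED = plistlib.dumps({"NSAppTransportSecurity": {
    "NSAllowsArbitraryLoads": False,
    "NSExceptionDomains": {"legacy.example.com": {
        "NSExceptionAllowsInsecureHTTPLoads": True,
        "NSExceptionMinimumTLSVersion": "TLSv1.0",
    }},
}})

# Constructed sample 3: no ATS dictionary at all, so the defaults apply.
DEFAULT = plistlib.dumps({"CFBundleName": "Demo"})

if __name__ == "__main__":
    for name, data in [("blanket", BLANKET), ("scoped", SCOPED), ("default", DEFAULT)]:
        print(name, audit_ats(data) or "no ATS weakening found")
```
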
