NSAppTransportSecurity and 3rd Party dylibs

Hi All,

I have a standard Xojo Mac desktop application that makes a call (via declare) into a 3rd party .dylib and has been working well for about a year. The 3rd party dylib recently started failing on a connection it makes to an insecure web service (“http://”) while running on Sierra. My first thought was to simply add the NSAppTransportSecurity key to my plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>myinsecurewebsite.net</key>
      <dict>
        <key>NSIncludesSubdomains</key>
        <true/>
        <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
        <true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>

No luck there, so I created a simple test app in Xcode, linking to the same dylib, with the above plist, and it works fine.

I thought any 3rd party dylibs I call from Xojo would inherit the NSAppTransportSecurity settings from the calling process? Hopefully, I’m missing something simple.

How does the dylib call fail? Can’t you use https? Have you contacted the dylib author about the error message?

Hi Beatrix,

The call fails just like it does in Xcode when that info.plist entry is removed. I could use https, but I shouldn’t be forced to use it. And yes, I’m in contact with the author of the 3rd party Dylib.

I’m more curious about why these plist entries work in Xcode, and not Xojo.

-Jim

[quote=288282:@Jim Cramer]Hi Beatrix,

The call fails just like it does in Xcode when that info.plist entry is removed. I could use https, but I shouldn’t be forced to use it. And yes, I’m in contact with the author of the 3rd party Dylib.

I’m more curious about why these plist entries work in Xcode, and not Xojo.

-Jim[/quote]
How are you adding those entries to the plist? PlistBuddy?

Hi Greg,

I’m manually adding them via TextEdit, but I’ve also copied the plist from the Xcode application that works. I’ve also tried using:

<key>NSAppTransportSecurity</key>
<dict>
  <key>NSAllowsArbitraryLoads</key>
  <true/>
</dict>

First of all, Apple is moving away from allowing insecure connections, so in the long run it would probably be better to solve it on the server end. You can however add the plist keys, but you must do this before the app is signed. I suggest adding a post-build Build script with the following code, just to make sure it is getting in the exact right place:

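// Escape spaces in the app name for the shell (Xojo string literals have no backslash escapes)
Dim ShellAppName As String = CurrentBuildAppName.ReplaceAll(" ", "\ ")

// Create the NSAppTransportSecurity dictionary; Info.plist lives in the bundle's Contents folder
Dim cmd As String = "/usr/libexec/PlistBuddy -c ""Add NSAppTransportSecurity Dict"" " + _
  CurrentBuildLocation + "/" + ShellAppName + "/Contents/Info.plist"
Call DoShellCommand(cmd)

// Add NSAllowsArbitraryLoads = YES inside that dictionary
cmd = "/usr/libexec/PlistBuddy -c ""Add NSAppTransportSecurity:NSAllowsArbitraryLoads Bool YES"" " + _
  CurrentBuildLocation + "/" + ShellAppName + "/Contents/Info.plist"
Call DoShellCommand(cmd)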
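
An added example, not code from any poster in this thread: a Python check that reads an Info.plist and reports which ATS relaxations it actually contains. It can confirm what ended up in the built bundle before signing, and it shows that the domain-scoped exception from the first post is narrower than NSAllowsArbitraryLoads. The function name `audit_ats` and the sample plists are constructed for illustration; `NSExceptionAllowsInsecureHTTPLoads` is the non-"Temporary" spelling of the key used in the thread.

```python
import plistlib

# Keys that permit cleartext HTTP for one domain (current and legacy "Temporary" spelling).
INSECURE_HTTP_KEYS = (
    "NSExceptionAllowsInsecureHTTPLoads",
    "NSTemporaryExceptionAllowsInsecureHTTPLoads",
)

def audit_ats(plist_bytes):
    """Return a list of (scope, detail) tuples for every ATS relaxation found."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity")
    if not isinstance(ats, dict):
        return []  # key absent: ATS defaults apply
    findings = []
    if ats.get("NSAllowsArbitraryLoads") is True:
        findings.append(("global", "cleartext HTTP allowed to any host"))
    domains = ats.get("NSExceptionDomains", {})
    for domain, rules in sorted(domains.items()):
        if isinstance(rules, dict) and any(rules.get(k) is True for k in INSECURE_HTTP_KEYS):
            sub = " and subdomains" if rules.get("NSIncludesSubdomains") is True else ""
            findings.append(("domain", f"cleartext HTTP allowed to {domain}{sub}"))
    return findings

# Constructed samples mirroring the two configurations posted in the thread.
HEADER = b'<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict>'
FOOTER = b"</dict></plist>"
DOMAIN_SCOPED = HEADER + b"""
<key>NSAppTransportSecurity</key><dict>
  <key>NSExceptionDomains</key><dict>
    <key>myinsecurewebsite.net</key><dict>
      <key>NSIncludesSubdomains</key><true/>
      <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key><true/>
    </dict>
  </dict>
</dict>""" + FOOTER
ARBITRARY = HEADER + b"""
<key>NSAppTransportSecurity</key><dict>
  <key>NSAllowsArbitraryLoads</key><true/>
</dict>""" + FOOTER
NO_ATS = HEADER + b"<key>CFBundleName</key><string>Demo</string>" + FOOTER

if __name__ == "__main__":
    for name, sample in (("domain", DOMAIN_SCOPED), ("arbitrary", ARBITRARY), ("none", NO_ATS)):
        print(name, audit_ats(sample))
```

To check a real build, pass the bytes of the bundle's Contents/Info.plist to `audit_ats`.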

Hi Greg,

Dylibs called from Xojo via declare don’t seem to inherit the plist entries from the main application. I’ll post an example application tomorrow to illustrate this. Or I’m completely wrong and I’ll eat my hat.

Regards,

-Jim