Wrapped IPA files lose NSAppTransportSecurity settings
Closed this issue · 2 comments
Describe the bug:
Wrapped .ipa files always have their Info.plist modified to allow arbitrary HTTP requests
To Reproduce
Steps to reproduce the behavior:
- Build an .ipa where the Info.plist file either:
- Does not have any
NSAppTransportSecurity
set or - Has
NSAppTransportSecurity
set to something other than justNSAllowsArbitraryLoads
= YES
- Does not have any
- Wrap the .ipa file
- Unzip the wrapped .ipa file and examine the embedded Info.plist file
Expected behavior:
The NSAppTransportSecurity
section of the wrapped .ipa will match the NSAppTransportSecurity
section of the unwrapped .ipa
Intune app wrapping tool (please complete the following information):
- What version of the wrapper are you using? 15.4.0 (current latest)
- What platform is your app based in (Java, Xamarin based, Cordova, etc)? react-native
Additional context:
I haven't found anything in the documentation to suggest why the wrapping tool modifies the Info.plist file to allow arbitrary loads. We are also looking into adding Identity Pinning to our app, but the entirety of the NSAppTransportSecurity
section of our Info.plist file is wiped out by the wrapping tool.
Hi @ryanliljestrom - The app wrapping tool enables NSAllowsArbitraryLoads because of some old requirements of the ADAL authentication library which are no longer applicable. The app wrapper will still need to enable a different setting (NSAllowsArbitraryLoadsInWebContent) to ensure any applications which use SFSafariViewController work properly, however doing so should not clear the pre-defined settings under NSAppTransportSecurity. We'll address these issues in the next minor release.
Hi @ryanliljestrom - This issue should be addressed in our latest release (16.0.0)