App Transport Security blocking loading images

[mayankverma]

Even though this is an https connection to itunes, I am still getting this error. And the images doesn't load. However, if I set "NSAllowsArbitraryLoads" to "YES" it works. I don't want to set it "YES" because of obvious security issues.

How do I get around this?

thanks

[JanC]

Hi,
you are right, all the images in the iTunes API have http url:

  "results": [
    {
      "screenshotUrls": [
        "http://a1.mzstatic.com/us/r30/Purple5/v4/5f/1f/6f/5f1f6f60-822f-eada-8378-62e0a1000909/screen1136x1136.jpeg",
        "http://a4.mzstatic.com/us/r30/Purple3/v4/d6/59/d8/d659d88c-ca02-1599-6284-f985184fb08c/screen1136x1136.jpeg",
        "http://a1.mzstatic.com/us/r30/Purple3/v4/56/39/41/5639412f-ab11-144d-e519-57ecf33c37c0/screen1136x1136.jpeg",
        "http://a1.mzstatic.com/us/r30/Purple3/v4/d6/4e/1d/d64e1d95-f61f-b97b-6c2a-ab10e9b5f2dc/screen1136x1136.jpeg"
      ],

Unfortunately, their HTTPs version do not have a valid certificate so it would fail as well

https://a1.mzstatic.com/us/r30/Purple5/v4/5f/1f/6f/5f1f6f60-822f-eada-8378-62e0a1000909/screen1136x1136.jpeg

You could disable ATS only for this domain mzstatic.com but it is not guaranteed that those images will be hosted there all the time

    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSExceptionDomains</key>
        <dict>
            <key>mzstatic.com</key>
            <dict>
                <key>NSExceptionAllowsInsecureHTTPLoads</key>
                <true/>
                <key>NSIncludesSubdomains</key>
                <true/>
            </dict>
        </dict>
    </dict>

So I think the only way is to enable NSAllowsArbitraryLoads

cheers

[mayankverma]

cool... I tried my own implementation and had same issue... Now I am loading it through my app website so I still have control over my security front... :)

[JanC]

cool