Why your Web View Doesn’t Work in iOS9 — and what to do about it

While updating my tutorial for UIWebView I came across a problem I had heard about but had not experienced. I had even heard a claim that a lot of apps are broken or rejected because of this. Apple has increased security on web accesses, and it does crash a web view rather quickly. I’m going to show you the problem and a few ways to work around it.

Suppose you had a scene on the storyboard that is a simple web view:

Enable images to see

You wired it up to this view controller.

class ViewController: UIViewController {

    @IBOutlet weak var webView: UIWebView!
    
    override func viewDidLoad() {
        super.viewDidLoad()
        //let url = NSURL(https://www.youtube.com/watch?v=bp_U-ZAWNM0)
        let url = NSURL(string: "http://makeapppie.com")
        let requestObj = NSURLRequest(URL: url!)
        webView.loadRequest(requestObj)
    }

}

Then build and run. Unfortunately, you get an empty website:

Enable images to see

and an error message in the console:


2015-10-21 05:53:28.435 WebSecurityDemo[24907:1371951] App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file.

 

The error message states that sites using http:// are insecure. Sites using https:// work fine. For example, if you change the url to this:

let url = NSURL(string: "https://www.youtube.com/watch?v=bp_U-ZAWNM0")
//let url = NSURL(string: "http://makeapppie.com")

You get the YouTube page.

Enable images to see

One solution is have all the pages you go to be secure pages. If you own a website, set it up for better security. That doesn’t work in all cases, and we need to get around that message at times.

We can change the security settings in the info.plist. The broad option is to shut it down completely for the app. In the Navigator, right-click on plist.info. Select Open As > Source Code.

Enable images to see

In the XML code that appears add this just under the first tag:

Enable images to see

The NSAppTransportSecurity is a dictionary you add to the info.plist to set web preferences for the web security. Adding a key of NSAllowsArbitraryLoads and its value to true opens up the app to all web sites.Change the url back to makeAppPie.com

//let url = NSURL(string: "https://www.youtube.com/watch?v=bp_U-ZAWNM0")
let url = NSURL(string: "http://makeapppie.com")

Build and run. We get the website now.

Enable images to see

However, this is also the least secure way of doing this. Apple may frown on a broad use of the web, and your app is far from secure. A better way is to use specific exceptions. Change the NSAppTransportSecurity in the info.plist to this:

Enable images to see

The NSExceptionDomains key makes a dictionary of excepted domains. Each key in this dictionary is a domain excepted from security, depending on settings in its own dictionary. You can use all or some of the keys. The keys and their default settings can be found in Apple’s App Transport Security Technote. Most likely NSExceptionAllowsInsecureHTTPLoads or NSThirdPartyExceptionAllowsInsecureHTTPLoads and NSIncludesSubdomains will be the important ones.

Build and run.It almost works:

Enable images to see

We’re missing the header image. Here’s the problem with NSExceptionDomains: you have to find all of them. If a website uses stuff outside the domain, it will fail. As makeapppie.com is a WordPress hosted site, we added wordpress.com to the domain exceptions:

Enable images to see

Build and run:

Enable images to see

There’s still errors since we’re getting the message still, but we do get the header image. However, the fonts are wrong, since they come from Google. Going into the HTML for the page, You’d find a lot of domains we need to add.

The point is, if you use web pages in your app, make sure to know where everything is coming from, and account for it in your exceptions. In a content management system like WordPress, that might be a herculean task. On a self made site, that might be easy. I added wordpress.com for expediency. It would be better if I added only the subdomain I needed. Try to keep things tight to keep the secure.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s