WebViewGold is a useful tool that can turn your mobile or responsive website into a mobile app within minutes – no matter wether it’s about HTTPS or HTTP content. However, when it comes to security, it’s crucial for some apps to ensure that our apps only connect to secure, HTTPS websites.
By default, WebViewGold also allows connections to non-HTTPS sites. This is determined by the setting NSAllowsArbitraryLoadsInWebContent in the Info.plist file of your app. If you want to tighten your app’s security by preventing it from connecting to non-HTTPS site content, you’ll need to remove or set this key to NO. In this article, we’ll guide you through the process of doing this.
BTW, you might also want to check out the independent blockfaultyandselfsignedhttpscerts option in Config.swift which blocks content signed with self-signed SSL (user) certificates & faulty SSL certificates.
Understanding NSAllowsArbitraryLoadsInWebContent
Before we dive in, let’s understand what NSAllowsArbitraryLoadsInWebContent does. This key is part of Apple’s App Transport Security (ATS) settings, which are designed to enhance the security of connections between your app and web services. When set to YES, NSAllowsArbitraryLoadsInWebContent allows your app to make arbitrary network connections (i.e., non-HTTPS) when using WebViewGold for iOS
Step-By-Step Guide to Remove or Set NSAllowsArbitraryLoadsInWebContent to NO
Step 1: Open Your WebViewGold Project in Xcode
Start by launching Xcode, then open your WebViewGold-based app project. In the Project Navigator (the left panel in Xcode), find and click on your .xcodeproj or .xcworkspace file.
Step 2: Access the Info.plist File
Next, navigate to the Info.plist file. Once you find it, click to open it.
Step 3: Locate NSAllowsArbitraryLoadsInWebContent
With your Info.plist file open, look for the NSAppTransportSecurity key. This key should be a dictionary (indicated by a dropdown arrow). Click the arrow to expand it and reveal the nested keys.
Inside this key dictionary, locate the NSAllowsArbitraryLoadsInWebContent key.
Step 4: Remove or Modify NSAllowsArbitraryLoadsInWebContent
If you want to completely remove this setting, simply select the NSAllowsArbitraryLoadsInWebContent row and hit the Delete key on your keyboard.
However, if you’d rather keep the key but ensure that it does not allow non-HTTPS connections, click on the Value column of the NSAllowsArbitraryLoadsInWebContent row. It should currently say YES – click on this and it will change to NO.
Step 5: Save and Close
Once you’ve made your changes, save your Info.plist file and close it. You’ve now successfully removed or disabled the NSAllowsArbitraryLoadsInWebContent key.
Summary
After making this change, your WebViewGold-based app will reject any non-HTTPS connections. This means that if your app needs to connect to a non-HTTPS site for any reason, it will fail to do so. It’s essential to ensure that all web content your app needs to access is served over HTTPS.
By following the steps outlined above, you can enhance the security of your WebViewGold usesrs by preventing it from accessing non-HTTPS content.
You might also want to check out the independent blockfaultyandselfsignedhttpscerts option in Config.swift which blocks content signed with self-signed SSL (user) certificates & faulty SSL certificates.
Happy (no-)coding with WebViewGold!
