Hacker News new | ask | show | jobs
by 220V_USKettle 3000 days ago
Do iOS apps not require cert pinning by default for their respective APIs/whitelisted https domains?
1 comments
tzahola 3000 days ago
Whitelisted domains? What? Never heard of that in iOS.
link
paws 3000 days ago
Apple introduced App Transport Security[1] with iOS 9. The setting is configured in your app's Info.plist[2].

[1] https://developer.apple.com/library/content/releasenotes/Gen...

[2] https://stackoverflow.com/a/48089038/2044952

link
tzahola 3000 days ago
Yep. App Transport Security mandates that you have to explicitly whitelist the domains [0] which you want to access via plain http. This however, has nothing to do with certificate pinning, which the OP was mentioning.

[0] Of course you can use the blanket NSAllowsArbitraryLoads to allow plain HTTP everywhere.

link