Images in the iTunes Search API don't use SSL
| Originator: | jay.whitsitt | | |
| Number: | rdar://29071499 | Date Originated: | 2 Nov 2017 |
| Status: | Open | Resolved: | |
| Product: | App Store / iTunes Search API | Product Version: | |
| Classification: | Security | Reproducible: | Always |
Summary: The "artworkUrl*" fields returned from the iTunes Search API use http, not https. Just replacing the protocol with https results in a certificate error due to a host name mismatch (host is is4.mzstatic.com but the certificate has a248.e.akamai.net). Our backend uses the iTunes Search API, then serves some of that data to our iOS app. Due to the coming changes with iOS ATS policy in January, this may not work. Yes, it's possible to set up an exception, but not following the policy defeats its purpose.

Steps to Reproduce: curl "https://itunes.apple.com/lookup?id=302053341"

Expected Results: Image resources with https URLs

Actual Results: Image resources with http URLs
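
A backend that relays this data to an ATS-restricted client can audit the artworkUrl* fields before serving them. The following is an added example, not part of the original report: the sample response and its URL paths are constructed, `audit_artwork` and `hostname_matches` are hypothetical helper names, and the certificate name list is supplied by the caller (here, the name quoted in the report).

```python
import json
from urllib.parse import urlsplit

# Constructed sample shaped like a lookup response; values are illustrative,
# not captured API output.
SAMPLE_RESPONSE = json.dumps({
    "resultCount": 1,
    "results": [{
        "trackId": 302053341,
        "artworkUrl60": "http://is4.mzstatic.com/image/thumb/example/60x60bb.jpg",
        "artworkUrl100": "http://is4.mzstatic.com/image/thumb/example/100x100bb.jpg",
        "trackViewUrl": "https://itunes.apple.com/us/app/example/id302053341",
    }],
})

def hostname_matches(pattern, host):
    """RFC 6125-style match: '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse wildcards directly under a top-level label such as "*.com".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def audit_artwork(response_text, cert_names):
    """Return (field, host, issue, cert_covers_host) for each problematic artworkUrl* field.

    cert_names: DNS names the caller observed in the image host's certificate.
    """
    findings = []
    for result in json.loads(response_text).get("results", []):
        for field, value in sorted(result.items()):
            if not field.startswith("artworkUrl") or not isinstance(value, str):
                continue
            url = urlsplit(value)
            host = url.hostname or ""
            cert_ok = any(hostname_matches(n, host) for n in cert_names)
            if url.scheme != "https":
                # ATS blocks cleartext loads by default; cert_ok tells whether
                # a plain scheme rewrite to https would pass hostname checks.
                findings.append((field, host, "cleartext-http", cert_ok))
            elif not cert_ok:
                findings.append((field, host, "hostname-mismatch", cert_ok))
    return findings

if __name__ == "__main__":
    for finding in audit_artwork(SAMPLE_RESPONSE, ["a248.e.akamai.net"]):
        print(finding)
```
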