
Applies only to Mobile Apps
OutSystems

Configure Accessible Domains for Your Mobile App

You can whitelist the domains that your mobile app can access to improve its security. The "access" extensibility configuration entry defines the set of domains your mobile app can connect to. Once this entry is configured with a list of accessible domains, HTTP connections to any unknown (non-whitelisted) domain are blocked: an attempt to establish an HTTP connection to a domain not allowed by the entry fails.

To define the list of accessible domains for your mobile app do the following:

  1. In Service Studio, select the module element in the module tree and, in the properties editor, open the "Extensibility Configurations" property editor window.

  2. Add new entries following the JSON template to configure the allowed domains and sub-domains for your mobile app, adjusting as needed if you already have some configurations defined. Each entry must have at least an origin field containing the allowed URL scheme and the allowed domain or sub-domains, possibly using wildcards.

    In the example below, the first entry will allow the mobile app to communicate with assets.mycompany.com using HTTP, while the second entry will allow the app to connect to all the sub-domains of google.com, also using HTTP; with this configuration, all HTTP connections to other domains would be blocked.

    {
        "access":[{
            "origin":"http://assets.mycompany.com"
        },{
            "origin":"http://*.google.com"
        }]
    }
    
  3. After defining the accessible domains, users must install an updated build of the mobile app on their devices for the changes to take effect.

Default Configuration

By default, when no access JSON extensibility configuration entry is defined, the accessible domains match the result of defining an entry with the following single list element:

{
    "access":[{
        "origin":"*"
    }]
}

This means that by default all domains are accessible, regardless of the exact protocol (HTTP or HTTPS) and domain name.

Blocking HTTP Connections

Limiting accessible domains using extended configuration entries is useful when using HTTP connections. Since all domains accessed through HTTPS are already using a secure transport channel, your application will be able to access any domain using HTTPS by design. To define limitations to the content that can be loaded using HTTPS connections, consider using Content Security Policy directives.

To block all HTTP connections to any domain, use a configuration similar to the one presented below:

{
    "access":[{
        "origin":"https://*/*"
    }]
}

In the example above, by declaring that the only allowed origin must have an HTTPS protocol (regardless of the exact domain and URL), you will be effectively blocking all HTTP connections to every domain.

Optional Fields

Applies only to iOS.

The only mandatory field in each list element (for both iOS and Android) is the origin field containing the allowed URL schema and domain. If this field is missing, your mobile app will not be generated successfully.

The following table lists the other available optional fields for specific iOS configurations:

Field Name                              Applies to   Allowed Origin Values   Default Value
minimum-tls-version                     iOS 9+       Any                     TLSv1.2
requires-forward-secrecy                iOS 9+       Any                     true
requires-certificate-transparency       iOS 10+      Any                     false
allows-arbitrary-loads-for-media        iOS 10+      *                       false
allows-arbitrary-loads-in-web-content   iOS 10+      *                       false
allows-local-networking                 iOS 10+      *                       false

Note that the last three fields can only be included in an access list element whose origin field contains a * value.

Check the relevant Cordova (Domain Whitelist Guide) and Apple (App Transport Security) documentation topics for more information on these fields.
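As an added example (not OutSystems or Cordova code), the following Python checker models the rules this page describes for the whitelist in step 2 and the field restrictions above: it validates an extensibility configuration's "access" list (mandatory origin; the three iOS-only fields allowed only where origin is "*") and decides whether a given URL would be reachable, treating HTTPS as always allowed and matching HTTP URLs against the origin patterns. The wildcard matching is an approximation of Cordova's whitelist semantics, not its implementation, and the embedded configuration is the page's own example.

```python
import fnmatch
import json
from urllib.parse import urlsplit

# Example configuration taken from this page (first entry: one host over HTTP,
# second entry: all sub-domains of google.com over HTTP).
EXAMPLE_CONFIG = json.loads("""
{
    "access":[{
        "origin":"http://assets.mycompany.com"
    },{
        "origin":"http://*.google.com"
    }]
}
""")

# iOS-only fields that the page says may only appear in an entry whose origin is "*".
WILDCARD_ONLY_FIELDS = {
    "allows-arbitrary-loads-for-media",
    "allows-arbitrary-loads-in-web-content",
    "allows-local-networking",
}


def validate_access_config(config):
    """Return a list of problems found in the configuration's "access" list."""
    problems = []
    for i, entry in enumerate(config.get("access", [])):
        origin = entry.get("origin")
        if not origin:
            problems.append(f"entry {i}: missing mandatory 'origin' field")
            continue
        misplaced = sorted(WILDCARD_ONLY_FIELDS & set(entry))
        if misplaced and origin != "*":
            problems.append(f"entry {i}: {', '.join(misplaced)} require origin '*'")
    return problems


def origin_matches(pattern, url):
    """Approximate origin matching: scheme must be equal, host may use '*' wildcards."""
    if pattern == "*":
        return True
    if "://" not in pattern:
        return False
    p_scheme, p_rest = pattern.split("://", 1)
    p_host, _, p_path = p_rest.partition("/")
    u = urlsplit(url)
    if u.scheme != p_scheme or not fnmatch.fnmatchcase(u.hostname or "", p_host):
        return False
    # No path part (or "/*") in the pattern matches any path on that host.
    return p_path in ("", "*") or fnmatch.fnmatchcase(u.path.lstrip("/"), p_path)


def is_allowed(config, url):
    """True if the app may open `url`: HTTPS always (as the page states), HTTP only if an
    access entry matches. A missing/empty list behaves like the default single "*" entry."""
    if urlsplit(url).scheme == "https":
        return True
    entries = config.get("access") or [{"origin": "*"}]
    return any(origin_matches(e.get("origin", ""), url) for e in entries)
```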

Accessible Domains JSON Template

{
    "access": [
        // Use the entries below to define which domains your mobile app can connect to
        {
            "origin": "<Protocol and URL of accessible domain>",
            "minimum-tls-version": "<Minimum required TLS version>",
            "requires-forward-secrecy": "<true_or_false>",
            "requires-certificate-transparency": "<true_or_false>"
        },
        // use the following template to set these three iOS-only fields
        {
            "origin": "*",
            "allows-arbitrary-loads-for-media": "<true_or_false>",
            "allows-arbitrary-loads-in-web-content": "<true_or_false>",
            "allows-local-networking": "<true_or_false>"
        }
    ]
}