Is ATS policy have been changed in iOS 13 and Allow Arbitrary Loads now doesn't work?

Xcode 11 beta 3, iOS 13 in plist I have:


<key>NSAllowsArbitraryLoads</key>
<true/>



And all http requests work prior iOS 13. In iOS 13 I'm seeing in console:


Cannot start load of Task <...>.<1> since it does not conform to ATS policy Task <...>.<1> finished with error [-1022] Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.,


Is ATS policy have been changed in iOS 13? I can't find any info about it.

We have not, as far as I know, changed anything related to

NSAllowsArbitraryLoads
in iOS 13.0 beta. Moreover, it seems to be working for me. Here’s what I did:
  1. I started with Xcode 11.0b4 (sorry I can’t use b3, I just installed b4 last night).

  2. I created a new project from the iOS > Single View App template.

  3. I added this code and wired a button up to call it:

    @IBAction func testAction(_ sender: Any) {     let url = URL(string: "http://example.com/")!     let request = URLRequest(url: url, cachePolicy: .reloadIgnoringLocalCacheData, timeoutInterval: 60.0)     URLSession.shared.dataTask(with: request) { (data, response, error) in         if let error = error as NSError? {             NSLog("task transport error %@ / %d", error.domain, error.code)             return         }         let response = response as! HTTPURLResponse         let data = data!         NSLog("task finished with status %d, bytes %d", response.statusCode, data.count)     }.resume() }

    .

  4. I ran the app in the simulator. When I click the button the request is blocked by ATS.

  5. I then added the following to my

    Info.plist
    :
    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSAllowsArbitraryLoads</key>
        <true/>
    </dict>

    .

  6. Building and running the app again, the request now works.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Maybe it's iOS 13 b3 problem, i'll install b4 and try it

Very strange, I see this ATS error message only in legacy project. I thought the problem is caused by old AFNetworking lib that I use here. But I added this code in one of my vc:


NSURL *url = [NSURL URLWithString:@"http:// some http address"];

    NSURLRequest *request = [[NSURLRequest alloc] initWithURL:url];

    [[NSURLSession.sharedSession dataTaskWithRequest:request completionHandler:^(NSData * _Nullable data, NSURLResponse * _Nullable response, NSError * _Nullable error) {
    
        NSString *responseString = [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
    
        NSLog(@"responseString: %@ | error: %@", responseString, error);
    }] resume];


And I saw this again:


Cannot start load of Task <A7D75915-79A7-447D-AFB3-F500C02A985A>.<3> since it does not conform to ATS policy

2019-07-18 16:59:06.866724+0500 rosneft-brands[86437:9533719] responseString: | error: Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSUnderlyingError=0x600000c66280 {Error Domain=kCFErrorDomainCFNetwork Code=-1022 "(null)"}, NSErrorFailingURLStringKey=http://some http address, NSErrorFailingURLKey=http://some http address, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}



How could it be? Something wrong with project itself? Exactly for iOS 13

I see this ATS error message only in legacy project.

What does that project’s

NSAppTransportSecurity
property look like?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

It's look like this:


<key>NSAppTransportSecurity</key>
  <dict>
  <key>NSAllowsArbitraryLoads</key>
  <true/>
  </dict>

Is that from the

Info.plist
file in the project? Or the
Info.plist
file from the built binary? If it’s the former, please check the latter. It’s possible that something in the build system is munging your ATS dictionary.

You can dump the

Info.plist
of the built binary as follows:
$ plutil -convert xml1 -o /dev/stdout /Users/quinn/Library/Developer/Xcode/DerivedData/Test372104-ffjdjbuzyaqmlkhevkptfrstqqcv/Build/Products/Debug-iphonesimulator/Test372104.app/Info.plist
…
<dict>
    …
    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSAllowsArbitraryLoads</key>
        <true/>
    </dict>
    …
</dict>
</plist>

You’ll have to adjust the path to point to your app in your

DerivedData
directory.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

This is from both

OK then, I’m kinda running out of ideas )-:

With regards the code from your 18 Jul post, I presume you’ve copied that exact same code to a new test project and it worked.

Does this reproduce in the simulator?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Yep, in simulator I see the same:


Cannot start load of Task <...>.<3> since it does not conform to ATS policy

2019-09-10 14:17:21.778761+0500 Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSUnderlyingError=0x600001395140 {Error Domain=kCFErrorDomainCFNetwork Code=-1022 "(null)"}, NSErrorFailingURLStringKey=http://..., NSErrorFailingURLKey=http://..., NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}

I've found the root cause. I'm using cocoapods and one of dependencies was


pod 'CCInfiniteScrolling', :git => 'https://github.com/Dalein/CCInfiniteScrolling.git', :branch => 'daleijn'


Exacly this pod somehow throws an ATS error.


You can easily repeat it. just create new Objc project, add Allow Arbitrary Loads = true.


Then


Pod:


platform :ios, :deployment_target => '9.3'
# ignore all warnings from all pods
inhibit_all_warnings!

def all_pods
pod 'CCInfiniteScrolling', :git => 'https://github.com/Dalein/CCInfiniteScrolling.git', :branch => 'daleijn'
end



target "TestNetworking" do
  all_pods

end



post_install do |installer|
  installer.pods_project.build_configurations.each do |config|
    config.build_settings.delete('CODE_SIGNING_ALLOWED')
    config.build_settings.delete('CODE_SIGNING_REQUIRED')
  end
end



Then add in vc:


NSURL *url = [NSURL URLWithString:@"http:/..."];
    NSURLRequest *request = [[NSURLRequest alloc] initWithURL:url];
   
    [[NSURLSession.sharedSession dataTaskWithRequest:request completionHandler:^(NSData * _Nullable data, NSURLResponse * _Nullable response, NSError * _Nullable error) {
        NSString *responseString = [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
        NSLog(@"responseString: %@ | error: %@", responseString, error);
    }] resume];

And you'll see the ATS error.

Well, that’s… interesting. I took a quick look at this [1] and turned up something interesting. CCInfiniteScrolling depends on JRSwizzle, and then uses that to swizzle methods on built-in Apple types. This puts it way outside of the realm of what DTS supports.

I’m not sure how this manages to break ATS, but my advice here is clear: Don’t swizzle Apple types in production code. Consequently, I recommend that you break your dependency on this code. If you do that but continue to have ATS problems, let me know.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

[1] I don’t use CocoaPods and I don’t have time to install it in this context.

Additionally, this dependency somehow forbids to use app in cellular. Even https only work in WI-FI.

That’s very strange. I can’t imagine the developers are doing this deliberately. You should definitely file a bug report with them.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
Is ATS policy have been changed in iOS 13 and Allow Arbitrary Loads now doesn't work?
 
 
Q