App Transport Security will be required?

What are the implications of the announcement that apps will be required to adopt App Transport Security?


Does this mean that new app submissions will not be permitted to use the "allows arbitrary loads" flag in the .plist? Will existing apps in the App Store be affected by this policy change, or only app updates?


If we have an app that requires the arbitrary loads flag to be set (because we direct the user to 3rd party websites that are outside our control), I'm assuming that the new .plist flag `NSAllowsArbitraryLoadsInWebContent` will allow us to continue that behaviour. This flag is ignored in iOS9 however - so how can we continue to provide this functionality under iOS9 if arbitrary loads are disallowed?

This is potentially an app-breaking change for us, unless we require iOS10.

Thanks

Replies

(bump)

I'm asking as well. I think this will affect every single app that runs a web server within the iOS app like GCDWebserver.

So many apps will break....

OK, found out more. The solution is simple for now. Since we are working on a local network, tell ATS that the local network domain can be insecure.

So if you are talking to another iPad named: anipadserver

you can address the iPad as: http://anipadserver.local

Now in the plist, you make an exception for local.

It works. I was able to turn off arbitrary loads.


See this thread:


https://forums.developer.apple.com/thread/6205


```xml
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>local</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <key>NSIncludesSubdomains</key>
            <true/>
        </dict>
    </dict>
</dict>
```
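
An added example, not part of the thread and not Apple's code: a small Python audit that reads an Info.plist and reports which ATS relaxations take effect on iOS 9 versus iOS 10 and later. It relies on Apple's documented rule that iOS 10+ ignores `NSAllowsArbitraryLoads` when a narrower key such as `NSAllowsArbitraryLoadsInWebContent` is present; the sample plist and the function name `effective_ats` are constructed for illustration.

```python
import plistlib

# Constructed sample Info.plist: the thread's "local" exception plus both global flags.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>NSAppTransportSecurity</key>
<dict>
  <key>NSAllowsArbitraryLoads</key><true/>
  <key>NSAllowsArbitraryLoadsInWebContent</key><true/>
  <key>NSExceptionDomains</key>
  <dict>
    <key>local</key>
    <dict>
      <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
      <key>NSIncludesSubdomains</key><true/>
    </dict>
  </dict>
</dict>
</dict></plist>"""

# Keys whose mere presence makes iOS 10+ ignore NSAllowsArbitraryLoads.
NARROW_KEYS = ("NSAllowsArbitraryLoadsInWebContent",
               "NSAllowsArbitraryLoadsForMedia",
               "NSAllowsLocalNetworking")

def effective_ats(plist_bytes, ios_major):
    """Hypothetical helper: ATS relaxations in force for a given iOS major version."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    arbitrary = bool(ats.get("NSAllowsArbitraryLoads", False))
    web = False
    if ios_major >= 10:
        # iOS 9 does not know the narrower keys, so the override applies from 10 on.
        if any(key in ats for key in NARROW_KEYS):
            arbitrary = False
        web = bool(ats.get("NSAllowsArbitraryLoadsInWebContent", False))
    # Per-domain exceptions that permit cleartext HTTP, with their subdomain scope.
    insecure = sorted(
        (domain, bool(cfg.get("NSIncludesSubdomains", False)))
        for domain, cfg in ats.get("NSExceptionDomains", {}).items()
        if cfg.get("NSExceptionAllowsInsecureHTTPLoads", False))
    return {"arbitrary_loads": arbitrary,
            "web_content_arbitrary": arbitrary or web,
            "insecure_http_domains": insecure}

if __name__ == "__main__":
    for version in (9, 10):
        print(version, effective_ats(SAMPLE, version))
```

With both global flags set, iOS 9 falls back to app-wide arbitrary loads while iOS 10 and later confine the relaxation to web content, so the report makes the difference in exposure between the two OS versions visible during review.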