0 Replies
      Latest reply: Feb 6, 2017 5:50 AM by eskimo RSS
      eskimo Apple Staff Apple Staff (6,505 points)

        The latest OS releases (macOS 10.12, iOS 10, watchOS 3, tvOS 10) all contain an updated version of App Transport Security (ATS).  This post summarises the important changes.  While many of these were covered in depth in WWDC 2016 Session 706 What’s New in Security, some of them are new and I’ve highlighted them as such.

        Here’s a summary of ATS (and general TLS) changes in the new OS releases:

        • NSAllowsArbitraryLoadsInWebContent lets you have a strict ATS dictionary but still load arbitrary content in a web view (WKWebView, UIWebView, WebView)

        • [new since WWDC] NSAllowsLocalNetworking lets you opt out of ATS for local networking — To learn more, see the NSAppTransportSecurity section of the Information Property List Key Reference.

        • [new since WWDC] NSAllowsArbitraryLoadsForMedia lets you opt out of ATS for media resources — To learn more, see the NSAppTransportSecurity section of the Information Property List Key Reference.

        • NSRequiresCertificateTransparency lets you opt in to Certificate Transparency checking

        • cypher suites employing RC4 are now disabled by default

        • the SSLv3 protocol is now disabled by default at the Secure Transport layer

        • cypher suites employing SHA-1 or 3DES are still supported but you should consider moving away from them

        • [new since WWDC] NSURLConnection now honours the ATS minimum TLS version — Previously NSURLConnection would ignore the minimum TLS version prescribed by ATS (r. 23167645).  This bug has been fixed.  If you’re using NSURLConnection for your networking, make sure to run your app on the latest released OS to ensure that it still works as expected.

        Finally, at WWDC we announced that by the end of 2016 App Review will require “reasonable justification” for many ATS exceptions.  This is not a technical change in the OS but rather a new App Review policy.  The WWDC presentation has the general background to this but if you’re looking for specific details you should read the App Store Review for ATS section of the ATS documentation.  In addition, you should monitor the News and Updates page to learn more about any future changes to this policy; it even has a handy RSS feed.

        [new since WWDC] A recent Apple Developer News post indicates that this deadline has been extended into 2017; read Supporting App Transport Security for details.

        For more background on ATS, see:

        Finally, check out this App Transport Security tip.

        Share and Enjoy

        Quinn “The Eskimo!”
        Apple Developer Relations, Developer Technical Support, Core OS/Hardware
        let myEmail = "eskimo" + "1" + "@apple.com"

        Change History

        • 29 Oct 2015 — First posted.

        • 2 Aug 2016 — Updated to cover the WWDC 2016 announcements and the changes since then.

        • 12 Aug 2016 — Updated to cover NSAllowsArbitraryLoadsForMedia, which I missed in the last update.

        • 15 Aug 2016 — Updated the discussion of NSAllowsArbitraryLoadsInWebContent to specifically call out that UIWebView and WebView are now covered by this key.

        • 16 Aug 2016 — Updated to specifically call out the App Store Review for ATS section of the ATS documentation.

        • 15 Sep 2016 — Minor editorial changes.

        • 23 Nov 2016 — Corrected the name of NSAllowsArbitraryLoadsForMedia, which was previously incorrectly listed as NSAllowsArbitraryLoadsInMedia.  This change is based on a corresponding change in the 2016-11-14 revision of the Information Property List Key Reference.

        • 22 Dec 2016 — Updated with a reference to yesterday’s Apple Developer News post.

        • 6 Feb 2017 — Added a recommendation to monitor the News and Updates page.