We allow users to subscribe to calendars. Calendar subscriptions are rarely on SSL - and they are not "web content" … We can't ask for specific overrides because it's user-entered input.
You should use NSAllowsArbitraryLoads. We continue to support this key for good reason: some apps need to be able to make insecure connections to arbitrary URLs input by the user. Previously NSAllowsArbitraryLoads was primarily used by web browsers, calendar apps, mail clients, and so on. It’s now no longer necessary for web browsers (due to NSAllowsArbitraryLoadsInWebContent) but it’s still relevant in the other cases.
Using NSAllowsArbitraryLoads will flag extra scrutiny during App Review but that does not mean you’ll automatically be rejected. Rather, you’ll have to provide reasonable justification for your use.
One thing you can do to improve the security of your app is to add NSExceptionDomains entries for the sites that should be secure. Let’s say your app talks to FooCal™, and the FooCal™ servers support ATS-compliant HTTPS. In that case you should add an NSExceptionDomains for foocal.example.com to your ATS exception dictionary so that ATS guarantees your security for those servers.
Similarly, if your app talks to servers you control (for analytics, say), you should make sure that they are ATS compliant and add them to NSExceptionDomains.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
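
Added example (not part of the reply above, and not Apple's code): a constructed Info.plist that keeps NSAllowsArbitraryLoads for user-entered calendar URLs while listing foocal.example.com under NSExceptionDomains, plus a small Python check of which hosts remain open to insecure HTTP. The function names are hypothetical, and the matching logic is a simplified model that looks only at the three keys shown and ignores every other ATS setting.

```python
import plistlib

# Constructed Info.plist fragment (not from the post): arbitrary loads stay on for
# user-entered calendar URLs; foocal.example.com is listed so ATS applies to it.
INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>foocal.example.com</key>
      <dict>
        <key>NSIncludesSubdomains</key><true/>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><false/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

def load_ats(plist_bytes):
    """Return the NSAppTransportSecurity dictionary (empty if absent)."""
    return plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})

def insecure_http_allowed(ats, host):
    """Simplified model (an assumption of this example): a matching
    NSExceptionDomains entry overrides NSAllowsArbitraryLoads for that host."""
    host = host.lower().rstrip(".")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        domain = domain.lower()
        is_sub = rules.get("NSIncludesSubdomains", False) and host.endswith("." + domain)
        if host == domain or is_sub:
            return bool(rules.get("NSExceptionAllowsInsecureHTTPLoads", False))
    return bool(ats.get("NSAllowsArbitraryLoads", False))

def audit(ats, hosts):
    """Map each host to 'ATS enforced' or 'insecure HTTP allowed'."""
    return {h: "insecure HTTP allowed" if insecure_http_allowed(ats, h)
            else "ATS enforced" for h in hosts}

if __name__ == "__main__":
    hosts = ["foocal.example.com", "api.foocal.example.com", "calendar.example.org"]
    for host, verdict in audit(load_ats(INFO_PLIST), hosts).items():
        print(f"{host}: {verdict}")
```

Running the same check over a release build's Info.plist is a quick way to confirm that every server you control appears as "ATS enforced" before submitting the justification to App Review.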