iOS9 10 ATS

Dear forum members,


In WWDC 2016 sessions, it was published that applications in App Store will be required to use ATS(App Transport

Security) within this year.

I'd like to confirm the following things about ATS.


1. Is my below recognition correct?

iOS9:

- It is 'recommended' to enable ATS.

- We can disable ATS functions in setting in the application(info.plist) or inside specific domain.

iOS10:

- It is 'mandatory' to enable ATS.

- HTTP communication enables only the case of web viewing with the configuration of applications(NSAllowsArbitraryLoadsInWebContent).

2. Is it included about using ATS in case of normal web browsing with using Safari, Chrome or Firefox etc..?

3. Does HTTPS in normal web browsing need to use TLS 1.2 or more?

4. Is it official information that ATS requirement will become mandatory from 2017/1/1?


Best regards,

Replies

There have been some technical changes in this space (for example,

NSAllowsArbitraryLoadsInWebContent
) but, for the most part, iOS 10 and iOS 9 behave the same way with regards ATS. The important changes here are business changes. Once this requirement is in place, App Review will require that you provide reasonable justification for your ATS exception dictionary.

The above obviates a lot of your specific questions but there are some that are still valid. You wrote:

2. Is it included about using ATS in case of normal web browsing with using Safari, Chrome or Firefox etc..?

If you’re creating a program that allows access to arbitrary web sites you will need a wide-ranging ATS exception. Specifically:

  • If you’re using UIWebView, you will need to use

    NSAllowsArbitraryLoads
    . In this case you should include an explanation as to why it’s necessary for you to continue using UIWebView rather than WKWebView.
  • If you’re using WKWebView, take advantage of

    NSAllowsArbitraryLoadsInWebContent
    .
  • If you’re using SFSafariViewController, you shouldn’t need any ATS exceptions; SFSafariViewController acts just like Safari with regards ATS.

3. Does HTTPS in normal web browsing need to use TLS 1.2 or more?

I need you to be more specific about what you mean by normal web browsing. If you’re asking whether Safari requires TLS 1.2, the answer is no.

4. Is it official information that ATS requirement will become mandatory from 2017/1/1?

We haven’t published an exact date as to when this change will take place. If you’re looking for updates, I suggest you monitor our News and Updates page (it even has an RSS feed).

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi, thank you for your reply


I read in the NSAppTransport Security : "To support older versions of iOS and OS X, you can employ this key and still manually configure ATS. To do so, set this key’s value to

YES
and also configure the
NSAllowsArbitraryLoads
key in your ATS dictionary."


What i understand is in iOS10, it will use NSAllowsArbitraryLoadsInWebContent (so it's okay for review)

and in ios9.0, it will use NSAllowsArbitraryLoads.

It says Apple will require a good explanation to use NSAllowsArbitraryLoads but in the case we want to be compatible with ios9.0 we don't have any other choice (if we want to load HTTP request)


Am i wrong ? To have NSAllowsArbitraryLoadsInWebContent and NSAllowsArbitraryLoads will be enough for review to understand it's only used in webviews ?

It says Apple will require a good explanation to use

NSAllowsArbitraryLoads
but in the case we want to be compatible with [iOS 9.0] we don't have any other choice …

Right. And, at least IMO, that constitutes reasonable justification for you using

NSAllowsArbitraryLoads
.

IMPORTANT I don’t work for App Review and thus can’t give definitive opinions on their behalf. You can always contact App Review directly.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thank you for your time,


I asked the Review Team and linked to this post.


When i get an answer, i'll post it here if that's okay and if they didn't post anything here, so people can get the exact answer.

Any news on this?

Any news on this?

Since the last post on this thread back in Jun we’ve updated the ATS documentation to cover this case. See my App Transport Security pinned post for a link to the latest docs.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Probably a little thick here, but where is that pinned post? Not seeing it.

It also took me a while to find the post: https://forums.developer.apple.com/message/15705#15705 The documentation about ATS review can be found here: https://developer.apple.com/library/prerelease/content/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html#//apple_ref/doc/uid/TP40009251-SW59 But there is no specific mention of apps that need to have NSAllowsArbitraryLoads activated because their deployment target is iOS 9 or earlier.

thumbworksbob wrote:

Probably a little thick here, but where is that pinned post?

Sorry, that’s my bad, I fluffed up the reference in my post. I’ve fixed my that now.

fabb wrote:

But there is no specific mention of apps that need to have NSAllowsArbitraryLoads activated because their deployment target is iOS 9 or earlier.

The

NSAllowsArbitraryLoadsInWebContent
row in Table 2 says:

To support older versions of iOS and OS X, you can employ this key and still manually configure ATS. To do so, set this key’s value to YES and also configure the NSAllowsArbitraryLoads subkeys.

There’s similar text in the

NSAllowsLocalNetworking
row.

I’ll repeat that I don’t work for App Review, and thus can’t give definitive answers on their behalf, but the intent here seems pretty clear to me.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

hello , I have some another questions about ats .

situation :

  1. Not long ago, Apple delayed the mandatory use of https .
  2. Our app that has been released, not fully forced to use https. Because some request in WKWebView does not suppot https yet.

questions:

If the requirement of using https was necessary:

  1. Then could I still use http in webView by setting the “Allow Arbitrary Loads in Web Content” as “YES” and setting the “Allow Arbitrary Loads” as “NO” in the new version?
  2. In addition, would the requirement impact the app that has been released ?

Thanks for your time to read my message. I would be very grateful for your answer.

I have some another questions about ats.

Please start a new thread for this question. Now that ATS is a relatively mature technology, I’d like to draw the line under these older threads rather than let them run on forever.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

WWDC runs Mon, 5 Jun through to Fri, 9 Jun. During that time all of DTS will be at the conference, helping folks out face-to-face. http://developer.apple.com/wwdc/

got it !

Thanks