9 Replies
      Latest reply: Sep 11, 2016 7:46 AM by eskimo RSS
      kei_oshio Level 1 Level 1 (0 points)

        Dear forum members,

         

        In WWDC 2016 sessions, it was published that applications in App Store will be required to use ATS(App Transport

        Security) within this year.

        I'd like to confirm the following things about ATS.

         

                      1. Is my below recognition correct?

        iOS9:

                      - It is 'recommended' to enable ATS.

                      - We can disable ATS functions in setting in the application(info.plist) or inside specific domain.

        iOS10:

                      - It is 'mandatory' to enable ATS.

                      - HTTP communication enables only the case of web viewing with the configuration of applications(NSAllowsArbitraryLoadsInWebContent).

                      2. Is it included about using ATS in case of normal web browsing with using Safari, Chrome or Firefox etc..?

                      3. Does HTTPS in normal web browsing need to use TLS 1.2 or more?

                      4. Is it official information that ATS requirement will become mandatory from 2017/1/1?

         

        Best regards,

        • Re: iOS9 10 ATS
          eskimo Apple Staff Apple Staff (6,055 points)

          There have been some technical changes in this space (for example, NSAllowsArbitraryLoadsInWebContent) but, for the most part, iOS 10 and iOS 9 behave the same way with regards ATS.  The important changes here are business changes.  Once this requirement is in place, App Review will require that you provide reasonable justification for your ATS exception dictionary.

          The above obviates a lot of your specific questions but there are some that are still valid.  You wrote:

          2. Is it included about using ATS in case of normal web browsing with using Safari, Chrome or Firefox etc..?

          If you’re creating a program that allows access to arbitrary web sites you will need a wide-ranging ATS exception.  Specifically:

          • If you’re using UIWebView, you will need to use NSAllowsArbitraryLoads.  In this case you should include an explanation as to why it’s necessary for you to continue using UIWebView rather than WKWebView.

          • If you’re using WKWebView, take advantage of NSAllowsArbitraryLoadsInWebContent.

          • If you’re using SFSafariViewController, you shouldn’t need any ATS exceptions; SFSafariViewController acts just like Safari with regards ATS.

          3. Does HTTPS in normal web browsing need to use TLS 1.2 or more?

          I need you to be more specific about what you mean by normal web browsing.  If you’re asking whether Safari requires TLS 1.2, the answer is no.

          4. Is it official information that ATS requirement will become mandatory from 2017/1/1?

          We haven’t published an exact date as to when this change will take place.  If you’re looking for updates, I suggest you monitor our News and Updates page (it even has an RSS feed).

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

            • Re: iOS9 10 ATS
              aDebKeyneo Level 1 Level 1 (0 points)

              Hi, thank you for your reply

               

              I read in the NSAppTransport Security : "To support older versions of iOS and OS X, you can employ this key and still manually configure ATS. To do so, set this key’s value to YES and also configure the NSAllowsArbitraryLoads key in your ATS dictionary."

               

              What i understand is in iOS10, it will use NSAllowsArbitraryLoadsInWebContent (so it's okay for review)

              and in ios9.0, it will use NSAllowsArbitraryLoads.

              It says Apple will require a good explanation to use NSAllowsArbitraryLoads but in the case we want to be compatible with ios9.0 we don't have any other choice (if we want to load HTTP request)

               

              Am i wrong ? To have NSAllowsArbitraryLoadsInWebContent and NSAllowsArbitraryLoads will be enough for review to understand it's only used in webviews ?

                • Re: iOS9 10 ATS
                  eskimo Apple Staff Apple Staff (6,055 points)

                  It says Apple will require a good explanation to use NSAllowsArbitraryLoads but in the case we want to be compatible with [iOS 9.0] we don't have any other choice …

                  Right.  And, at least IMO, that constitutes reasonable justification for you using NSAllowsArbitraryLoads.

                  IMPORTANT I don’t work for App Review and thus can’t give definitive opinions on their behalf.  You can always contact App Review directly.

                  Share and Enjoy

                  Quinn “The Eskimo!”
                  Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                  let myEmail = "eskimo" + "1" + "@apple.com"

                    • Re: iOS9 10 ATS
                      aDebKeyneo Level 1 Level 1 (0 points)

                      Thank you for your time,

                       

                      I asked the Review Team and linked to this post.

                       

                      When i get an answer, i'll post it here if that's okay and if they didn't post anything here, so people can get the exact answer.