You can find a summary of the recent changes to ATS in my App Transport Security pinned post. However, I can’t match up any of those changes to the observed behaviour you’re seeing.
My best guess is that the server you’re talking to is redirecting you to an IP address. iOS 10 is more lenient about allowing connections to IP addresses than iOS 9 was. My recommendation is that you compare the traffic on the wire:
Create a build without
NSAllowsArbitraryLoadsset, run that, and record the pattern of request it makes.
Repeat the previous step with a build that includes
Compare the logs from steps 1 and 2. You should see be able to (roughly) match up the initial requests and then see where the log from step 1 stops and the log from step 2 continues.
Share and Enjoy
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"