App Transport Security REQUIRED January 2017


As the title notes, Apple announced that ATS will be REQUIRED of all apps as of January 2017.

This also means the exceptions that currently exist will no longer exist, which means for most of us who use our own domains to host our websites but don't pay extra for https, those domains will no longer be accessible in iOS.

Is there a work around for this that will be usable in January? If not, what the heck is Apple thinking?

RLKingSoftware

Replies

Hi, Thanks for the solution "NSAllowsArbitraryLoadsInWebContent".

I am working on an application which is going to load pages into a WebView; this will help me only for iOS 10.

Will you please help me with what I should do for iOS 9 and iOS 8?

Thanks for this super bit of info!

Just a quick query around the documentation of the ATS keys.

It says:

NSAllowsArbitraryLoads: "Use of this key triggers App Store review and requires justification."

and also "In iOS 10 and later, and macOS 10.12 and later, the value of this key is ignored if any of the following keys are present in your app’s Info.plist file"

Now does this mean, as I want to load a HTTP link in a web view for iOS 9, that I can specify NSAllowsArbitraryLoads=YES and also NSAllowsArbitraryLoadsInWebContent=YES and I won't need to provide justification for the App Store review process because of the second comment above from the docs?

Or should I specify a domain level exception and set NSExceptionAllowsInsecureHTTPLoads=YES for that domain?

Cheers,

Rich

At the technical level, it’s hard to say which is the best option:

  • With option #1 (NSAllowsArbitraryLoadsInWebContent and NSAllowsArbitraryLoads) iOS 9 will be less secure (because of the NSAllowsArbitraryLoads) but iOS 10 will be more secure (ATS is enabled for everything except the web view).
  • With option #2 (NSAllowsArbitraryLoadsInWebContent and an NSExceptionDomains entry for your specific domain with NSExceptionAllowsInsecureHTTPLoads), iOS 9 will be more secure (because there’s no NSAllowsArbitraryLoads) but iOS 10 will be less secure (because the NSExceptionDomains applies to code outside of the web view).

I reckon you could reasonably justify either to App Review, but I can’t say for sure because I’m not allowed to speak on their behalf.

If I were in your shoes I’d probably go for the first option because:

  • it offers the best security going forward; the percentage of users on iOS 10 is already significant and it’s growing rapidly

  • lots of other developers will be doing this, so it’s going to be easier to justify to App Review

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi Quinn,


We developed an iOS framework that communicates with a backend. The network layer is written in plain C and talks HTTP/1.1 over posix sockets for portability. With the announcement of ATS enforcement at the end of 2016 we are getting a bit nervous if this will eventually have an effect on us.


So my question is, will Apple enforce encryption of HTTP communication over posix sockets in the near future?


Thank you

So my question is, will Apple enforce encryption of HTTP communication over posix sockets in the near future?

I’m unable to predict the future, both due to policy reasons (my management hates it when I speculate) and… well… physics (-: Right now ATS is only enforced by our high-level APIs (NSURLSession, NSURLConnection, and anything layered on top of those), and there’s been no announcements about that changing.

Keep in mind, however, that ATS’s enhanced security requirements are not arbitrary; they are defined to give your users a good level of security on an increasingly hostile Internet. As such, your app should aim to comply with these requirements even if ATS is not actively enforcing them.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thank you Quinn, that is exactly the answer I was hoping for 🙂


Kind regards,

Matthias

The https affordability concern isn't even as much of an issue as the performance hit https websites generally take. mod_spdy has been deprecated and I haven't yet seen a good solution to make https at least as fast as http on Apache servers. The performance hit is noticeable. Is Apple requiring even framed pages in an app must be https? We've got a few apps where links pull up a browser within the app to display sites that don't require https.

Is Apple requiring even framed pages in an app must be https?

I don’t know what you mean by this.

I suspect you’re asking about pages loaded in a web view, in which case you should check out NSAllowsArbitraryLoadsInWebContent. You can find links to the docs for this in my App Transport Security pinned post.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I got a message saying that "At the end of 2016, Apple will make ATS mandatory for all developers who hope to submit their apps to the App Store" from this link.

https://techcrunch.com/2016/06/14/apple-will-require-https-connections-for-ios-apps-by-the-end-of-2016/

If I submit or update an app after January 1, 2017, the app must support HTTPS?

I’m going to assume you’ve read my App Transport Security pinned post; if not please do so now.

If I submit or update an app after January 1, 2017, the app must support HTTPS?

This is a question about App Review policy; I can’t give you definitive answers on that front because I don’t work for App Review. However, the pinned post I’ve referenced above has links to the published information about this policy change.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

As the title notes, Apple announced that ATS will be REQUIRED of all apps as of January 2017.

Currently, access via HTTPS has been implemented on all our internal service interfaces.

We have several questions below:

1. Could "image url" embedded in our app be accessed via HTTP?

2. Could "FLV streaming url" embedded in our app be accessed via HTTP?

3. Could we continue to use "NSExceptionDomains" to open HTTP access for a specific domain name?

4. Since our app needs to support iOS 9 and has now implemented WKWebKit, we wonder if "NSAllowsArbitraryLoads = YES" could be set separately under iOS 9?

Look forward to your soonest reply.

Best.

To start, let’s be clear that there are two parts to any ATS question:

  • how to make things work technically

  • App Review policy

As I mentioned above, I’m not able to help with App Review policy side of things, but my ATS pinned post has references to the published information on that front.

With that out of the way, let’s look at your questions:

1. Could "image url" embedded in our app be accessed via HTTP?

2. Could "FLV streaming url" embedded in our app be accessed via HTTP?

There’s not enough info to answer these questions. Specifically:

  • There’s no info about what API you’re using to access these resources, and the APIs really matter when it comes to ATS. For example:

    • If the resource is loaded by a web view, ATS has specific features to support that

    • If the resource is being loaded by BSD Sockets, ATS does not apply at all

  • It’s also not clear whether you’re asking about the technical or App Review side of this.

3. Could we continue to use "NSExceptionDomains" to open HTTP access for a specific domain name?

I believe you’re talking about the App Review side of things here, which I’ve covered above.

4. Since our app needs to support iOS 9 and has now implemented WKWebKit, we wonder if "NSAllowsArbitraryLoads = YES" could be set separately under iOS 9?

The standard approach here is to add two keys to your ATS dictionary:

  • NSAllowsArbitraryLoadsInWebContent
  • NSAllowsArbitraryLoads

This works as follows:

  • iOS 10 honours NSAllowsArbitraryLoadsInWebContent
  • iOS 9 ignores NSAllowsArbitraryLoadsInWebContent, but honours NSAllowsArbitraryLoads
  • older versions of iOS do not include ATS

IMPORTANT The presence of NSAllowsArbitraryLoadsInWebContent causes iOS 10 to ignore NSAllowsArbitraryLoads. This results in best practice security on iOS 10 while maintaining compatibility with iOS 9.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I've read this whole thread…and I don't know what my answer should be. My situation is simple: We allow users to subscribe to calendars. Calendar subscriptions are rarely on SSL - and they are not "web content". So do we pretty much remove this feature? We can't ask for specific overrides because it's user-entered input.

We allow users to subscribe to calendars. Calendar subscriptions are rarely on SSL - and they are not "web content" … We can't ask for specific overrides because it's user-entered input.

You should use NSAllowsArbitraryLoads. We continue to support this key for good reason: some apps need to be able to make insecure connections to arbitrary URLs input by the user. Previously NSAllowsArbitraryLoads was primarily used by web browsers, calendar apps, mail clients, and so on. It’s now no longer necessary for web browsers (due to NSAllowsArbitraryLoadsInWebContent) but it’s still relevant in the other cases.

Using NSAllowsArbitraryLoads will flag extra scrutiny during App Review but that does not mean you’ll automatically be rejected. Rather, you’ll have to provide reasonable justification for your use.

One thing you can do to improve the security of your app is to add NSExceptionDomains entries for the sites that should be secure. Let’s say your app talks to FooCal™, and the FooCal™ servers support ATS-compliant HTTPS. In that case you should add an NSExceptionDomains entry for foocal.example.com to your ATS exception dictionary so that ATS guarantees your security for those servers.

Similarly, if your app talks to servers you control (for analytics, say), you should make sure that they are ATS compliant and add them to NSExceptionDomains.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
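As an added example that is not part of the thread (and not Apple's code), here is a small Python model of the rules Quinn lays out in the three answers above: the option #1/#2 comparison for the web-view case, the two-key approach that serves iOS 9 and iOS 10 together, and keeping NSAllowsArbitraryLoads on while pinning known-good hosts back to ATS through NSExceptionDomains. It parses constructed Info.plist fragments with plistlib and answers whether a plain-HTTP load to a host would be permitted on a given iOS major version and load path; the host names are placeholders and only the keys discussed in the thread are modelled.

```python
import plistlib

# Constructed Info.plist fragments (assumptions, not from the thread).
# OPTION_1: both global keys.  OPTION_2: web-content key plus a per-domain
# exception.  CALENDAR_APP: arbitrary loads, with one host pinned back to ATS.
OPTION_1 = b"""<plist version="1.0"><dict><key>NSAppTransportSecurity</key><dict>
  <key>NSAllowsArbitraryLoads</key><true/>
  <key>NSAllowsArbitraryLoadsInWebContent</key><true/>
</dict></dict></plist>"""
OPTION_2 = b"""<plist version="1.0"><dict><key>NSAppTransportSecurity</key><dict>
  <key>NSAllowsArbitraryLoadsInWebContent</key><true/>
  <key>NSExceptionDomains</key><dict><key>legacy.example.com</key><dict>
    <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
  </dict></dict>
</dict></dict></plist>"""
CALENDAR_APP = b"""<plist version="1.0"><dict><key>NSAppTransportSecurity</key><dict>
  <key>NSAllowsArbitraryLoads</key><true/>
  <key>NSExceptionDomains</key><dict><key>foocal.example.com</key><dict></dict></dict>
</dict></dict></plist>"""


def ats_allows_http(plist_bytes, host, ios_major, in_web_view):
    """True if ATS would let a plain-HTTP load to `host` through on the given
    iOS major version and load path (web view vs. NSURLSession-style API).
    Only the keys discussed in the thread are modelled."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    if ios_major < 9:
        return True  # ATS does not exist before iOS 9
    for domain, cfg in ats.get("NSExceptionDomains", {}).items():
        if host == domain or (cfg.get("NSIncludesSubdomains", False)
                              and host.endswith("." + domain)):
            # A per-domain entry overrides the global keys. The insecure-loads
            # flag defaults to NO, so a bare entry pins that host to ATS even
            # when NSAllowsArbitraryLoads is YES.
            return bool(cfg.get("NSExceptionAllowsInsecureHTTPLoads", False))
    if ios_major >= 10 and "NSAllowsArbitraryLoadsInWebContent" in ats:
        # Mere presence of the web-content key makes iOS 10 ignore
        # NSAllowsArbitraryLoads; only web-view loads are exempted.
        return bool(in_web_view) and bool(ats["NSAllowsArbitraryLoadsInWebContent"])
    # iOS 9 ignores the web-content key and honours the global key alone.
    return bool(ats.get("NSAllowsArbitraryLoads", False))
```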

Thank you Quinn for the explanation so far. However I don't understand one thing: In the App Transport Security post, the Chapter "App Store Review for ATS" reads: "Your use of certain App Transport Security (ATS) keys triggers additional App Store review for your app, and requires you to provide justification."

Does it apply to the apps already available in the App Store? So my apps in the App Store would trigger an additional review by the Review Team?


Thank you in advance.


Kind regards,

Dennis