App Transport Security REQUIRED January 2017

This thread has been locked by a moderator.

As the title notes, Apple announced that ATS will be REQUIRED of all apps as of January 2017.

This also means the exceptions that currently exist will no longer exist. Which means for most of us who use our own domains to host our websites but don't pay extra for https that those domains will no longer be accessible in iOS.

Is there a workaround for this that will be usable in January? If not, what the heck is Apple thinking?

Up vote post of RLKingSoftware
113k views

Replies

Hello, if my app has a button that makes this call and opens my website in Safari, will this not be allowed starting January 1st? Since my website isn't https I wasn't sure. Thanks for your help.


[[UIApplication sharedApplication] openURL:[NSURL URLWithString:@"http://www.samplewebsite.com"]];


-ismael

Hi Quinn, I appreciate the time you've taken to answer all these questions, but I still have one that remains. My app contains a video player that loads sources over HTTP. Come Jan 1, 2017, will iOS 10 devices prevent those videos from playing? Is there an automated prevention of loading resources over HTTP?


Thanks for the help.

Hi,

I have read the whole thread. I just want to ask whether developers who have enterprise applications will also need to use all HTTPS connections in their Enterprise applications, or whether only the apps that are on the App Store need to implement HTTPS?


In my Enterprise Applications currently I have the key "Allow Arbitrary Loads" set to YES in the .plist file, which means it allows all HTTP connections from my applications.

So, do I need to remove this key from enterprise Applications? Again, I am repeating myself: I am asking only for enterprise applications and not for App Store Applications.

Did you ever get an answer to your question?

App Review’s upcoming App Transport Security (ATS) requirement is about ATS, and ATS only applies to NSURLSession, the now-deprecated NSURLConnection, and APIs layered on top of those.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

So, do i need to remove [NSAllowsArbitraryLoads] from enterprise Applications ?

The announced change relates to App Review.

However, my recommendation is that you work hard to minimise your ATS exceptions, regardless of whether your app goes through App Review. Remember ATS’s requirements are not arbitrary: rather, they are set to give your users a reasonable level of security when talking over the network.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Are there any docs from Apple about this?

Are there any docs from Apple about this?

My App Transport Security pinned post has references to both the ATS technical documentation and to the published information about the upcoming App Review policy change.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

thanks a lot.

Hi,


I have a question, same kind as the one asked by abuzar, on NSAllowsArbitraryLoads = YES


Context:

- My app integrates an advertising SDK

- The advertising SDK does most of its connections on https, but some to third-party servers are http and we can't know the server in advance


After reading https://nabla-c0d3.github.io/blog/2016/08/14/ats-enforced-2017/, I have to refer to point

Third-party servers that the App connects to, for example via connections initiated by SDKs.


Third-Party Servers

For third-party servers that the App connects to, any ATS exemption can be used, including domain-specific blacklisted exemptions, as Apple has stated that not having control of the server was a reasonable justification.

Doing so will require identifying the list of third-party servers the App connects to, in order to be able to add the proper domain-specific ATS exemptions to the App.



My question concerns the underlined point: from what I understand, I will have to identify each non-ssl third-party server. I'm in a situation of using an advertising SDK that can't know in advance all servers my app will have to request (through this SDK).

And also this SDK provider might dynamically tell their SDK to connect to a new third-party server that provides ads (or even, as they say, a third-party server can point to a non-ssl address of another third-party server).


So in this case, if I use NSAllowsArbitraryLoads = YES, and justify it by the use of this advertising SDK that connects to third parties, will the validation process be validated and not be rejected for not identifying third-party servers? (because this is technically impossible)


Thank you

My question concerns the underlined point …

This is an App Review policy question and the only folks who can give you definitive answers about App Review policy is App Review. AFAIK they’ve not published any guidance as to what exactly they consider to be “reasonable justification”. For links to the guidance that they have published, see my App Transport Security pinned post.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi eskimo and thank you for your answer.


So if I understand you well:

Starting January, if I want to release an app with NSAllowsArbitraryLoads = YES, I will have to explain where required that I need this parameter because of an advertising SDK (the “reasonable justification”).

But because there is no guidance from App Review team but to provide a “reasonable justification”, depending on who may review my app this justification may be rejected because of a different interpretation of it?

The point is there are no pre-reviews, and your questions now may require different responses later, once policy is firmed up.


** 12.21 note the deadline has been extended with details on any new deadline to follow.

What would Ad banner serving implications of this be in WebView? Unless I specify `NSAllowsArbitraryLoadsInWebContent` to YES, it will fail in 2 cases


1. Destination site is on http

2. Destination site is on https, but can't support TLS v1.2.


Seems like we just always have to justify this during app store submission. Thoughts?

Can we get an Apple response to this question please?