63 Replies
      Latest reply: Dec 28, 2016 4:33 PM by craigaps
      hhtouch Level 1 (10 points)

        Hi,

         

        it seems that "App Transport Security" is also enabled by default for communication on the local network (http transfers between devices on the same wifi network).

        In many cases such wifi devices (e.g. wifi based sd cards, mobile wifi harddisks) do not support https; so http needs to be used.

        What is the recommended way to handle these cases, as the domain-based exception can't be applied here?
        Is there any way to disable App Transport Security for private networks?

         

        Cheers,

         

        Hendrik

        • Re: App Transport Security and local networking
          eskimo Apple Staff (6,490 points)

          Right now we don't have a great story for this (apparently you can use an IP as an ATS exception domain, but that will only help if you're always talking to the same IP address).  For the moment you should just disable ATS via the NSAllowsArbitraryLoads key.

          Also, I'd appreciate you filing a bug that describes your requirements so that we can contemplate how best to address this in the future.  And please post your bug number, just for the record.

          Share and Enjoy

          Quinn "The Eskimo!"
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1@apple.com"

            • Re: App Transport Security and local networking
              bwalker Level 1 (0 points)

              It also disables HTTP requests on localhost, which is usually where I'm running a server (e.g. the same Mac I'm running Xcode on). I added an exception in Info.plist for localhost, but I'd really like to see a default exception for that instead of adding this exception to every project.

               

              I've filed an enhancement request: 21519087

              • Re: App Transport Security and local networking
                hhtouch Level 1 (10 points)

                I posted my suggestions regarding App Transport Security and local networking as Enhancement request: 21669759

                 

                Excerpt from the radar:

                 

                In local networking scenarios (like communicating with DLNA servers, appliances like Philips Hue lights, Wi-Fi SD cards, wireless hard disks) it's often not possible to implement HTTPS/TLS based communication as required by App Transport Security. The target devices do not support HTTPS/TLS and in many cases never will.

                At the moment, communicating with these devices requires disabling App Transport Security for the entire application (NSAllowsArbitraryLoads = true), as domain-based exceptions can't be applied here.

                It should be possible to disable App Transport Security for local networking without compromising the security of the whole app.

                 

                Suggestion: Introduce a key NSAllowsArbitraryLoadsLocalNetworkOnly. When this key is set to true, it allows unencrypted http communication between devices on the same local network (IPv4 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 and IPv6 fd00::/8, and 127.0.0.1 for development purposes).

                 

                If anyone has better ideas how to handle these cases, I am looking forward to hearing them.

                 

                Cheers,

                 

                Hendrik

                • Re: App Transport Security and local networking
                  eskimo Apple Staff (6,490 points)

                  (apparently you can use an IP as an ATS exception domain ...).

                  It seems that IP addresses aren't working as expected.  Specifically, I set up my property list as shown:

                  <key>NSAppTransportSecurity</key>
                  <dict>
                      <key>NSExceptionDomains</key>
                      <dict>
                          <key>127.0.0.1</key>
                          <dict>
                              <key>NSExceptionAllowsInsecureHTTPLoads</key>
                              <true/>
                          </dict>
                          <key>localhost</key>
                          <dict>
                              <key>NSExceptionAllowsInsecureHTTPLoads</key>
                              <true/>
                          </dict>
                      </dict>
                  </dict>
                  

                  then issued requests to http://127.0.0.1:12345/ and http://localhost:12345/.  The latter works but the former gets blocked by ATS.  I've filed a bug about this.

                  So, using localhost seems to be fine for folks doing loopback stuff, but folks trying to connect to nearby IP addresses (like 192.168.0.0/16) will need to stick with NSAllowsArbitraryLoads for the moment.

                  Share and Enjoy

                  Quinn "The Eskimo!"
                  Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                  let myEmail = "eskimo" + "1" + "@apple.com"

                    • Re: App Transport Security and local networking
                      thanatos0801 Level 1 (0 points)

                      Great!  After fiddling around a little more with my own code and using the keys you listed, I was able to get the localhost exception to work.  I still think it would be a good idea to exempt localhost by default, and allow people who really want to be super-careful to turn that off in the exceptions list (per my bug), but this will get us enough functionality to work with for now.

                       

                      Thanks!

                  • Re: App Transport Security and local networking
                    eskimo Apple Staff (6,490 points)

                    bwalker wrote:

                    I've filed an enhancement request: 21519087

                    Tolibi wrote:

                    Enhancement request: 21579094

                    thanatos0801 wrote:

                    I'll file a radar requesting that localhost be exempted by default from ATS... or at least allow a specific key to deal with it specifically.

                    hhtouch wrote:

                    I posted my suggestions regarding App Transport Security and local networking as Enhancement request: 21669759

                    Thanks everyone.

                    @thanatos0801, what was your bug number?

                    Share and Enjoy

                    Quinn "The Eskimo!"
                    Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                    let myEmail = "eskimo" + "1" + "@apple.com"

                      • Re: App Transport Security and local networking
                        thanatos0801 Level 1 (0 points)

                        My bug number is

                        21746124

                          • Re: App Transport Security and local networking
                            RonJr Level 1 (0 points)

                            I have the problem with local and remote hosts.

                            NSAllowsArbitraryLoads doesn't work for me.

                             

                            I am using Xcode 7 Beta 3

                              • Re: App Transport Security and local networking
                                eskimo Apple Staff (6,490 points)

                                NSAllowsArbitraryLoads is a 'fix everything' option; it basically disables ATS entirely.  If it's not working for you, it's likely that you've not configured it correctly.

                                Be aware that the App Transport Security Technote has a bug in how it describes NSAllowsArbitraryLoads.  Table 1-1 implies that NSAllowsArbitraryLoads should be nested within NSExceptionDomains.  This is incorrect.  NSAllowsArbitraryLoads is a top-level key within NSAppTransportSecurity.  So your NSAppTransportSecurity dictionary should look like this:

                                <key>NSAppTransportSecurity</key>
                                <dict>
                                    <key>NSAllowsArbitraryLoads</key>
                                    <true/>
                                </dict>
                                

                                I tested this myself just yesterday (Xcode 7.0b3, iOS 9.0b3) and it works as I've described.

                                Share and Enjoy

                                Quinn "The Eskimo!"
                                Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                let myEmail = "eskimo" + "1" + "@apple.com"
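The two mistakes discussed in this thread so far are both visible in the Info.plist alone: NSAllowsArbitraryLoads nested under NSExceptionDomains (where the technote's table put it and where it does nothing), and an IP address used as an exception-domain key (which, as tested above, ATS did not honour). The following is an added example, not code from the thread or from Apple: a small Python lint over the NSAppTransportSecurity dictionary that flags both, plus the case where ATS is switched off entirely. The two sample plists are constructed for the example; the IP-literal rule encodes the behaviour reported in this thread, not a documented guarantee.

```python
# Added example (not from the thread): lint the NSAppTransportSecurity dictionary
# of an Info.plist for the pitfalls discussed above.
import ipaddress
import plistlib

ATS_KEY = "NSAppTransportSecurity"


def _is_ip_literal(name: str) -> bool:
    """True if an exception-domain key is an IPv4/IPv6 address rather than a host name."""
    try:
        ipaddress.ip_address(name.strip("[]"))
        return True
    except ValueError:
        return False


def lint_ats(plist_bytes: bytes) -> list[str]:
    """Return human-readable findings for the ATS configuration in an Info.plist.

    An empty list means: ATS is on and every exception names a host name.
    """
    info = plistlib.loads(plist_bytes)
    ats = info.get(ATS_KEY)
    findings = []
    if ats is None:
        return ["no NSAppTransportSecurity dictionary: ATS defaults apply (HTTPS required)"]

    # Top level is the only place this key works; true here turns ATS off for the whole app.
    if ats.get("NSAllowsArbitraryLoads") is True:
        findings.append("NSAllowsArbitraryLoads=true at top level: ATS is disabled for the whole app")

    domains = ats.get("NSExceptionDomains", {})
    # The technote's Table 1-1 showed NSAllowsArbitraryLoads inside NSExceptionDomains;
    # there it is just an odd-looking domain name and has no effect.
    if "NSAllowsArbitraryLoads" in domains:
        findings.append("NSAllowsArbitraryLoads nested under NSExceptionDomains: "
                        "it is ignored there, move it to the top level")

    for name, rules in domains.items():
        if name == "NSAllowsArbitraryLoads":
            continue
        if _is_ip_literal(name):
            # Observed in this thread on iOS 9 betas: IP-literal exceptions are not honoured.
            findings.append(f"exception domain {name!r} is an IP literal: "
                            "use a host name (e.g. a Bonjour .local name) instead")
        if not isinstance(rules, dict):
            findings.append(f"exception domain {name!r}: value must be a dictionary of ATS keys")
    return findings


# Constructed sample 1: the technote's misplacement plus the 127.0.0.1/localhost
# exceptions from the post above.
BAD_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSExceptionDomains</key>
        <dict>
            <key>NSAllowsArbitraryLoads</key>
            <true/>
            <key>127.0.0.1</key>
            <dict>
                <key>NSExceptionAllowsInsecureHTTPLoads</key>
                <true/>
            </dict>
            <key>localhost</key>
            <dict>
                <key>NSExceptionAllowsInsecureHTTPLoads</key>
                <true/>
            </dict>
        </dict>
    </dict>
</dict>
</plist>
"""

# Constructed sample 2: the corrected placement, which works but disables ATS entirely.
FIXED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSAllowsArbitraryLoads</key>
        <true/>
    </dict>
</dict>
</plist>
"""

if __name__ == "__main__":
    for label, blob in (("bad", BAD_PLIST), ("fixed", FIXED_PLIST)):
        for finding in lint_ats(blob):
            print(f"{label}: {finding}")
```

Run it against the app's built Info.plist (a binary plist is fine; plistlib detects the format) before submitting; a finding about the nested key explains the "NSAllowsArbitraryLoads doesn't work for me" reports in this thread.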

                            • Re: App Transport Security and local networking
                              hhtouch Level 1 (10 points)

                              Is there anything new in iOS 9 Beta 4 regarding App Transport Security and local networking?

                                • Re: App Transport Security and local networking
                                  Level 1 (0 points)

                                  NSAllowsArbitraryLoads is not disabling the App Transport Security and is not working for me. I've tested in iOS 9 Beta 3 and Beta 4. Can someone please help me to resolve this?

                                    • Re: App Transport Security and local networking
                                      eskimo Apple Staff (6,490 points)

                                      My post on thread dated 15 Jul covers this: I specifically tested NSAllowsArbitraryLoads on 9.0b3 and it worked as expected (although, as described in the post, not as documented).  Please read it through.

                                      Share and Enjoy

                                      Quinn "The Eskimo!"
                                      Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                      let myEmail = "eskimo" + "1" + "@apple.com"

                                  • Re: App Transport Security and local networking
                                    melindat Level 1 (0 points)

                                    I've filed an issue as well: 22127901

                                     

                                    Is there any indication of when this might be addressed?

                                      • Re: App Transport Security and local networking
                                        eskimo Apple Staff (6,490 points)

                                        I've filed an issue as well: 22127901

                                        Thank you.

                                        Is there any indication of when this might be addressed?

                                        Which issue specifically?  There's a bunch of related issues covered by this thread, all of which have workarounds, although some are less satisfactory than others.

                                        However, as far as future changes to the OS are concerned, that's not something I can speculate on; DTS Engineers aren't issued with a crystal ball, alas.

                                        Share and Enjoy

                                        Quinn "The Eskimo!"
                                        Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                        let myEmail = "eskimo" + "1" + "@apple.com"

                                          • Re: App Transport Security and local networking
                                            melindat Level 1 (0 points)

                                            Sorry, specifically I meant the top level issue of local requests being blocked by default w/ ATS. The common theme seems to be that yes, you can add a plist exception for it, but it would be cleaner to allow localhost by default and have the exception be to block it. I was just asking in case you'd be able to share any known changes coming in the next beta/release.

                                              • Re: App Transport Security and local networking
                                                eskimo Apple Staff (6,490 points)

                                                I meant the top level issue of local requests being blocked by default w/ ATS.

                                                Hence my request for clarification.  I'd argue that the top level issue here, the one raised by hhtouch when they opened the thread, relates to accessing nearby networks, not to accessing localhost.

                                                Regardless, on the localhost front, it seems that bwalker filed a perfectly reasonable enhancement request for that (21519087) and there's a perfectly reasonable workaround (adding an ATS exception), so it's really just a question of waiting to see what iOS Engineering makes of the issue.

                                                I was just asking in case you'd be able to share any known changes coming in the next beta/release.

                                                You'll find that Apple folks really don't like discussing the future, even the relatively near future like the iOS 9 beta release cycle.

                                                Share and Enjoy

                                                Quinn "The Eskimo!"
                                                Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                                let myEmail = "eskimo" + "1" + "@apple.com"

                                                  • Re: App Transport Security and local networking
                                                    bwalker Level 1 (0 points)

                                                    To update on this issue, Apple engineering closed my enhancement request as Behaves Correctly. After pressing them on the issue, (I'm not sure I'm allowed to publish bug report responses here in a public forum so I'll paraphrase) the response that they gave in support of denying localhost by default was an example of a linked advertising framework which secretly communicates with localhost and sends data to a remote server. If localhost is denied by default, then the developer can see this is happening.

                                                     

                                                    Frankly, it seems overzealous; developers should already be running good firewall software which would alert them to the same thing. But it appears that ship has sailed and we're stuck with putting localhost exemptions in every project.

                                                     

                                                    The OP's issue seems more pressing and the only workaround of "nuke ATS from orbit" is not a workaround at all. Communicating with local devices, or testing apps on devices with local servers, is kind of fubar'd at the moment when IP addresses aren't accepted as valid exemptions.

                                          • Re: App Transport Security and local networking
                                            loretoparisi Level 1 (10 points)

                                            +1 for

                                             

                                            Suggestion: Introduce a key NSAllowsArbitraryLoadsLocalNetworkOnly. When this key is set to true, it allows unencrypted http communication between devices on the same local network (IPv4 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 and IPv6 fd00::/8, and 127.0.0.1 for development purposes).

                                            • Re: App Transport Security and local networking
                                              GordoVentilador Level 1 (0 points)

                                              +1 for

                                               

                                              Suggestion: Introduce a key NSAllowsArbitraryLoadsLocalNetworkOnly. When this key is set to true, it allows unencrypted http communication between devices on the same local network (IPv4 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 and IPv6 fd00::/8, and 127.0.0.1 for development purposes).

                                              • Re: App Transport Security and local networking
                                                FlanneryBAS Level 1 (0 points)

                                                +1

                                                 

                                                Suggestion: Introduce a key NSAllowsArbitraryLoadsLocalNetworkOnly. When this key is set to true, it allows unencrypted http communication between devices on the same local network (IPv4 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 and IPv6 fd00::/8, and 127.0.0.1 for development purposes).

                                                 

                                                This is a HUGE issue for our company. We need to upload firmware on our devices through http requests over the local network, and requiring these devices to have https servers running is onerous (if not impossible). We would like to implement ATS on our apps for non-local traffic, but are unable to.

                                                  • Re: App Transport Security and local networking
                                                    patsch Level 1 (0 points)

                                                    One workaround is to edit the /etc/hosts file on your Mac and add a line like this at the end of the file (you need to do this as superuser/root):


                                                    127.0.0.1       apple.ninja

                                                     

                                                    This makes "localhost" accessible via a fully qualified hostname (apple.ninja) and you can use the standard ATS feature to allow HTTP traffic to that "domain":

                                                     

                                                    <key>NSAppTransportSecurity</key>
                                                    <dict>
                                                        <key>NSExceptionDomains</key>
                                                        <dict>
                                                            <key>apple.ninja</key>
                                                            <dict>
                                                                <key>NSIncludesSubdomains</key>
                                                                <true/>
                                                                <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
                                                                <true/>
                                                            </dict>
                                                        </dict>
                                                    </dict>
                                                    
                                                  • Re: App Transport Security and local networking
                                                    eskimo Apple Staff (6,490 points)

                                                    While researching this as part of an official DTS incident I came across a reasonably nice workaround that I thought I’d share: namely, if the target device supports Bonjour you can add an ATS exception for “local” and everything within “local” will just work.

                                                    As part of its operation Bonjour service discovery requires that every device has a .local name.  Specifically, when you resolve a service you get back:

                                                    • the device’s .local name (A) — In NSNetService, this is the hostName property

                                                    • the IP addresses associated with that name (B) — In NSNetService, this is the addresses property.

                                                    • the port number on which to connect (C) — In NSNetService, this is the port property.

                                                    For example, if I browse for HTTP services on my local network:

                                                    $ dns-sd -B _http._tcp. local.
                                                    Browsing for _http._tcp..local.
                                                    DATE: ---Thu 15 Oct 2015---
                                                    11:01:51.968  ...STARTING...
                                                    Timestamp     A/R    Flags  if Domain   Service Type    Instance Name
                                                    11:01:51.969  Add        3   4 local.   _http._tcp.     Darth Inker
                                                    ^C
                                                    

                                                    I get back a list of services including Darth Inker.  If I resolve that:

                                                    $ dns-sd -L "Darth Inker" _http._tcp. local.
                                                    Lookup Darth Inker._http._tcp..local.
                                                    DATE: ---Thu 15 Oct 2015---
                                                    11:02:42.973  ...STARTING...
                                                    11:02:43.289  Darth\032Inker._http._tcp.local. …at… darth-inker.local.:80 …
                                                    ^C
                                                    

                                                    I get the .local name (darth-inker.local., point A) and the port number (80, point C).  Finally, I can resolve the .local name into IPv4 and IPv6 addresses (point B).

                                                    $ dns-sd -q darth-inker.local. A
                                                    DATE: ---Thu 15 Oct 2015---
                                                    11:03:38.570  ...STARTING...
                                                    Timestamp     A/R Flags if Name                 Type  Class   Rdata
                                                    11:03:38.571  Add     2  4 darth-inker.local.   Addr   IN     192.168.1.40
                                                    ^C
                                                    $ dns-sd -q darth-inker.local. AAAA
                                                    DATE: ---Thu 15 Oct 2015---
                                                    11:03:41.963  ...STARTING...
                                                    Timestamp     A/R Flags if Name                 Type  Class   Rdata
                                                    11:03:41.963  Add     2  4 darth-inker.local.   AAAA   IN     FE80:0000:00…
                                                    ^C
                                                    

                                                    The point here is that I don’t need to use these IP addresses in order to connect to the service.  I can simply put the .local name into a URL and pass that URL to NSURL{Session,Connection}.

                                                    This is relevant for ATS because, if you always connect via the .local name, you can add an ATS exception for everything in the “local” domain (see below) and ATS will get out of the way.

                                                    <key>NSAppTransportSecurity</key>
                                                    <dict>
                                                        <key>NSExceptionDomains</key>
                                                        <dict>
                                                            <key>local</key>
                                                            <dict>
                                                                <key>NSExceptionAllowsInsecureHTTPLoads</key>
                                                                <true/>
                                                                <key>NSIncludesSubdomains</key>
                                                                <true/>
                                                            </dict>
                                                        </dict>
                                                    </dict>
                                                    

                                                    Obviously this only works if the target device supports Bonjour but, hey, in my opinion, devices without Bonjour support are broken anyway (-;

                                                    Share and Enjoy

                                                    Quinn "The Eskimo!"
                                                    Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                                    let myEmail = "eskimo" + "1" + "@apple.com"

                                                      • Re: App Transport Security and local networking
                                                        QJeffR Level 1 (0 points)

                                                        Another relatively simple workaround is xip.io, which may be more useful for many applications. A DNS call to (for example) 10.0.1.8.xip.io will resolve to 10.0.1.8, allowing use of the domain instead of the IP address for the NSExceptionDomains key.

                                                         

                                                        By the way, NSAllowsArbitraryLoads did not work for me either. However, the xip.io workaround is sufficient for me (and superior to localhost).

                                                          • Re: App Transport Security and local networking
                                                            eskimo Apple Staff (6,490 points)

                                                            Another relatively simple workaround is xip.io …

                                                            Cool.  I hadn’t seen that before.  Thanks for sharing.

                                                            Share and Enjoy

                                                            Quinn "The Eskimo!"
                                                            Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                                            let myEmail = "eskimo" + "1" + "@apple.com"
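Both workarounds above, the "local" exception for Bonjour-resolved hosts and the xip.io name that resolves to a private IP, rely on the same thing: ATS matches NSExceptionDomains entries against the host name in the URL, so connecting by name rather than by resolved address is what makes the exception apply. The following is an added example, not code from the thread or from Apple, that models that matching in Python so the two workarounds (and the 127.0.0.1 failure earlier in the thread) can be checked side by side. The ATS dictionary is constructed to mirror the plist in the Bonjour post plus an "xip.io" entry; the matching rules are the documented ones (exact host match, or subdomain match when NSIncludesSubdomains is set), the "IP literals never match" rule is what this thread observed on iOS 9, and the TLS-quality checks ATS applies to https loads are left out. Treat it as a model of the behaviour, not a reimplementation of Apple's code.

```python
# Added example (not from the thread): model ATS exception-domain matching for
# plain-http URLs, and build the URL from a resolved Bonjour service by name.
import ipaddress
from urllib.parse import urlsplit

# Constructed ATS dictionary (what plistlib returns for the Info.plist):
# the "local" exception from the post above, an "xip.io" wildcard for the
# reply's workaround, and a plain "localhost" exception without subdomains.
ATS = {
    "NSExceptionDomains": {
        "local": {"NSExceptionAllowsInsecureHTTPLoads": True, "NSIncludesSubdomains": True},
        "xip.io": {"NSExceptionAllowsInsecureHTTPLoads": True, "NSIncludesSubdomains": True},
        "localhost": {"NSExceptionAllowsInsecureHTTPLoads": True},
    }
}


def _is_ip_literal(host: str) -> bool:
    """True for an IPv4/IPv6 address; per this thread such hosts match no exception."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def matching_exception(ats: dict, host: str):
    """Return (domain, rules) for the NSExceptionDomains entry covering `host`, or None.

    Model of the documented rules: exact case-insensitive host match, or a
    subdomain match when the entry sets NSIncludesSubdomains (longest domain
    wins). IP literals are treated as the thread observed: they never match.
    """
    host = host.rstrip(".").lower()
    if not host or _is_ip_literal(host):
        return None
    best = None
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        dom = domain.rstrip(".").lower()
        if host == dom:
            return domain, rules
        if rules.get("NSIncludesSubdomains") and host.endswith("." + dom):
            if best is None or len(dom) > len(best[0].rstrip(".")):
                best = (domain, rules)
    return best


def http_allowed(ats: dict, url: str) -> bool:
    """Would ATS let a request to `url` through (ignoring TLS-quality checks on https)?

    Plain http needs either top-level NSAllowsArbitraryLoads (ATS off for the
    whole app) or a matching exception with NSExceptionAllowsInsecureHTTPLoads.
    """
    parts = urlsplit(url)
    if parts.scheme == "https":
        return True
    if ats.get("NSAllowsArbitraryLoads") is True:
        return True
    hit = matching_exception(ats, parts.hostname or "")
    return bool(hit and hit[1].get("NSExceptionAllowsInsecureHTTPLoads"))


def bonjour_url(host_name: str, port: int, path: str = "/") -> str:
    """URL to use after resolving an NSNetService: its hostName and port, not its addresses."""
    return f"http://{host_name.rstrip('.')}:{port}{path}"


if __name__ == "__main__":
    # Values as they would come back from the dns-sd lookups in the post above.
    for url in (bonjour_url("darth-inker.local.", 80),
                "http://192.168.1.40/",          # same device, by address: blocked
                "http://10.0.1.8.xip.io/",       # xip.io name for a private address
                "http://127.0.0.1:12345/",
                "http://localhost:12345/"):
        print(f"{url:40} {'allowed' if http_allowed(ATS, url) else 'blocked'}")
```

The practical consequence for the "discover via Bonjour, then talk by IP for speed" pattern mentioned later in the thread: the speed-up has to be traded against the exception, because the moment the URL carries the address instead of the .local name, no NSExceptionDomains entry applies.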

                                                              • Re: App Transport Security and local networking
                                                                Allairgoo Level 1 (0 points)

                                                                devices without Bonjour support are broken anyway (-;

                                                                 

                                                                Same here...

                                                                 

                                                                I have an app that does an HTTP connection (openweathermap), an HTTPS connection on the internet (personal data for the users) and an HTTP connection to a local network device (an IoT device discovered via Bonjour; after that we use an IP connection over HTTP to get faster response times). Since iOS 9 it's not possible to have this device working with iOS via IP.

                                                                 

                                                                Everybody should remember that private IPs (192.168.*.*, 10.*.*.*) can't have HTTPS connections with valid certificates. And many devices are not Bonjour compatible. We need something like NSAllowsArbitraryLoadsLocalNetworkOnly

                                                            • Re: App Transport Security and local networking
                                                              hhtouch Level 1 (10 points)

                                                              Hi,

                                                               

                                                              I started this thread almost a year ago, because of the issues of App Transport Security in combination with local/private networks. The workaround eskimo posted for bonjour based hostnames (.local) is nice, but not a solution for every case. In my opinion something like NSAllowsArbitraryLoadsLocalNetworkOnly is still needed.

                                                               

                                                              I just looked through the iOS 10 Beta API docs and unfortunately I can't see any additions that go in that direction. The only new addition seems to be NSAllowsArbitraryLoadsInWebContent, which is only relevant for Web-Content (WKWebKit).

                                                              Apple today at WWDC also announced that ATS is mandatory by the end of 2016 for all AppStore submissions.

                                                              I am aware that iOS 10 is in Beta and there might be still additions, but the current state of things makes me quite worried.

                                                               

                                                              The general concept of ATS and protecting users is great, but for applications doing data transfer on the private/local network its use is just not practical in many cases (there are plenty of examples in this thread).

                                                               

                                                              @eskimo: You know the internal processes at Apple better than any of us here. There were numerous bug reports filed for this issue in 2015 and also (I assume) several DTS incidents. What can we do so that the issue gets the required attention and the actual framework developers take a look at it?

                                                               

                                                              Cheers,

                                                               

                                                              Hendrik

                                                                • Re: App Transport Security and local networking
                                                                  dbenini Level 1 (0 points)

                                                                  I second this request.

                                                                  We manage the app of a connected appliances company, but unfortunately we don't get to design the hardware specs and protocols, so neither bonjour nor HTTPS for us

                                                                  xip.io might work, but we cannot rely on the 37signals magnanimity forever, I believe.

                                                                  Without something like NSAllowsArbitraryLoadsLocalNetworkOnly our iOS app will be completely useless in 2017; I believe we're not alone in this, as this thread clearly shows.

                                                                  • Re: App Transport Security and local networking
                                                                    KalMudov Level 1 Level 1 (0 points)

                                                                    We are in the same situation, having an app which is in fact a proxy between web media and the local network. A lot of web servers do not implement HTTPS, and neither do communications over the local network. It seems our app will be absolutely useless without NSAllowsArbitraryLoads. There must be a procedure/approval for apps like ours, similar to setting for example Background modes for apps. I am sure a lot of apps are in our situation.

                                                                    • Re: App Transport Security and local networking
                                                                      Dvyz Level 1 Level 1 (10 points)

                                                                      Support NSAllowsArbitraryLoadsLocalNetworkOnly

                                                                      I too came back and looked for this support after the iOS 10 announcement.

                                                                      • Re: App Transport Security and local networking
                                                                        eskimo Apple Staff Apple Staff (6,490 points)

                                                                        I just looked through the iOS 10 Beta API docs and unfortunately I can't see any additions that go into that direction.

                                                                        Indeed.  Sad Quinn is sad )-:

                                                                        What can we do so that the issue gets the required attention and the actual framework developers take a look at it?

                                                                        This is a sufficiently well-known issue that I used it as an example of “reasonable justification” in my recent ATS update.  I, and the ATS team, certainly got a lot of feedback about this issue during the labs at WWDC (-:  It’s possible that the situation with ATS and local networking might change prior to the new ATS requirement being enforced but, if it does not, you will have to ship with NSAllowsArbitraryLoads.

                                                                        Keep in mind that, even if we did add something like NSAllowsArbitraryLoadsLocalNetworkOnly today, you’d still need NSAllowsArbitraryLoads as long as you support iOS 9.

                                                                        Share and Enjoy

                                                                        Quinn “The Eskimo!”
                                                                        Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                                                        let myEmail = "eskimo" + "1" + "@apple.com"

                                                                          • Re: App Transport Security and local networking
                                                                            hhtouch Level 1 Level 1 (10 points)

                                                                            Thanks for the response, Quinn.

                                                                            It's good to hear that there is still hope. Something like NSAllowsArbitraryLoadsLocalNetworkOnly would still help and make dealing with App Review easier.

                                                                            Thanks so much for keeping us updated.

                                                                             

                                                                            Cheers,

                                                                             

                                                                            Hendrik

                                                                            • Re: App Transport Security and local networking
                                                                              ah811 Level 1 Level 1 (0 points)

                                                                              Hi,

                                                                               

                                                                              Really appreciate all the responses and information you've provided. I'd just like to follow up and find out if there's been any new information since the last update.

                                                                               

                                                                              We have an application that communicates to several devices on the local network. Updating these devices to support HTTPS (and in some case, this may not be possible at all) will be a significant endeavor for us. Has there been a path forward or solution for people and companies who are in this particular situation?

                                                                               

                                                                              Thanks!

                                                                              -ah

                                                                                • Re: App Transport Security and local networking
                                                                                  Tolibi Level 1 Level 1 (0 points)
                                                                                    • Re: App Transport Security and local networking
                                                                                      eskimo Apple Staff Apple Staff (6,490 points)

                                                                                      it seems we will get the "NSAllowsLocalNetworking" key

                                                                                      Indeed.  Yay!

                                                                                      Just for the record, while there were lots of bugs filed about this (thanks everyone!), the specific change was made as (r. 27111836).

                                                                                      I tried this out for myself (both in the simulator and on iOS 10.0b4 hardware) and it seems to work well.  The only gotcha I found is that it doesn’t allow absolute domain names (r. 27655708).  For example, NSAllowsLocalNetworking enables access to http://guy-smiley.local but not to http://guy-smiley.local. (note the trailing dot).  This might trip you up if, for example, you build the URL from NSNetService’s hostName property, which always returns an absolute domain name.

                                                                                      Share and Enjoy

                                                                                      Quinn “The Eskimo!”
                                                                                      Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                                                                      let myEmail = "eskimo" + "1" + "@apple.com"
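                                                                                      As an added example (not code from the thread or from Apple), a Swift helper that strips the trailing dot from the absolute name NSNetService's hostName returns before building the URL, so the request falls under NSAllowsLocalNetworking; the function name, port and path are assumptions.

```swift
import Foundation

/// Hypothetical helper: builds an http:// URL for a Bonjour-advertised host.
/// NSNetService.hostName returns an absolute name such as "guy-smiley.local.",
/// and the trailing dot keeps ATS from matching it under NSAllowsLocalNetworking,
/// so it is removed here before the URL is assembled.
func localNetworkURL(hostName: String, port: Int, path: String = "/") -> URL? {
    // Drop the trailing dot(s) of an absolute DNS name.
    var host = hostName
    while host.hasSuffix(".") {
        host.removeLast()
    }
    guard !host.isEmpty else { return nil }

    // URLComponents requires an absolute path when a host is set.
    var components = URLComponents()
    components.scheme = "http"
    components.host = host
    components.port = port
    components.path = path.hasPrefix("/") ? path : "/" + path
    return components.url
}

// Constructed sample, shaped like what NSNetService.hostName returns after resolve().
let sampleHostName = "guy-smiley.local."
if let url = localNetworkURL(hostName: sampleHostName, port: 8080, path: "status") {
    print(url.absoluteString)
}
```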

                                                                                        • Re: App Transport Security and local networking
                                                                                          bertrand_c Level 1 Level 1 (0 points)

                                                                                          Very good news. I tried iOS 10 beta both on the simulator and on an iPad and observed the same behavior with ".local." host names.

                                                                                           

                                                                                          It seems that if you actually only use IP addresses, no exception is needed any more. My app was able to perform clear HTTP requests to 127.0.0.1 or 192.168.100.2 (a local network wifi address) without any ATS section in the app .plist file. So it seems that I could simply remove any ATS exception from the app and submit it as is in 2017.

                                                                                           

                                                                                          This raised a question though: If I submit my app without ATS exception, which should work on an iOS 10 device, how will it behave if the app is installed on iOS 9?

                                                                                            • Re: App Transport Security and local networking
                                                                                              eskimo Apple Staff Apple Staff (6,490 points)

                                                                                              If I submit my app without ATS exception, which should work on an iOS 10 device, how will it behave if the app is installed on iOS 9?

                                                                                              Clearly iOS 9 does not support NSAllowsLocalNetworking.  If you want to support iOS 9 and 10, you’ll need to also set NSAllowsArbitraryLoads.  Make sure you explain this to App Review as part of your “reasonable justification”.

                                                                                              Share and Enjoy

                                                                                              Quinn “The Eskimo!”
                                                                                              Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                                                                              let myEmail = "eskimo" + "1" + "@apple.com"

                                                                                                • Re: App Transport Security and local networking
                                                                                                  bertrand_c Level 1 Level 1 (0 points)

                                                                                                  Doesn't this defeat the purpose of the new iOS 10 exceptions? In order to maintain iOS 9 compatibility (a likely scenario for most apps submitted next year) the developer will have to request a broader exception even if not needed. If granted, it effectively allows an app to use clear HTTP anywhere.

                                                                                                    • Re: App Transport Security and local networking
                                                                                                      eskimo Apple Staff Apple Staff (6,490 points)

                                                                                                      Doesn't this defeat the purpose of the new iOS 10 exceptions …

                                                                                                      What alternative do you propose?

                                                                                                      Share and Enjoy

                                                                                                      Quinn “The Eskimo!”
                                                                                                      Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                                                                                      let myEmail = "eskimo" + "1" + "@apple.com"

                                                                                                        • Re: App Transport Security and local networking
                                                                                                          bertrand_c Level 1 Level 1 (0 points)

                                                                                                          The new exception being tied to iOS 10 only, I don't see any solution on the developer side. Would it be theoretically possible for an app built with Xcode 8, compatible with iOS 10 and 9, to be processed by Apple before distribution so that the new exceptions (LocalNetworking) translate into the broader NSAllowsArbitraryLoads when installed on iOS 9? This way, at least the app developer does not have to request NSAllowsArbitraryLoads and justify it.

                                                                                                          Once again, highly hypothetical.

                                                                                                            • Re: App Transport Security and local networking
                                                                                                              eskimo Apple Staff Apple Staff (6,490 points)

                                                                                                              Would it be theoretically possible for an app built with Xcode 8, compatible with iOS 10 and 9, to be processed by Apple before distribution so that the new exceptions (LocalNetworking) translate into the broader NSAllowsArbitraryLoads when installed on iOS 9?

                                                                                                              That’s an interesting idea.  Feel free to write up an enhancement request along those lines.


                                                                                                              JSYK, the latest ATS docs (the NSAppTransportSecurity section of Information Property List Key Reference in the pre-release reference library) specifically addresses the backwards compatibility issue.

                                                                                                              Share and Enjoy

                                                                                                              Quinn “The Eskimo!”
                                                                                                              Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                                                                                              let myEmail = "eskimo" + "1" + "@apple.com"

                                                                                                      • Re: App Transport Security and local networking
                                                                                                        Neato Level 1 Level 1 (0 points)

                                                                                                        This is not working for a local address that uses https `https://192.168.0.1`. In that case I still have to set `NSAllowsArbitraryLoads` to `YES`.

                                                                                                      • Re: App Transport Security and local networking
                                                                                                        knoxy Level 1 Level 1 (0 points)

                                                                                                        Can you please elaborate on the comment re absolute domain name for local tld?  If we refer to a domain  http://guy-smiley.local will the phone perform a DNS lookup across the network to the DNS server? 

                                                                                                         

                                                                                                        I'd like to be able to use our DNS to respond to .local names (with an RFC1918 address - only accessible within our network),  however normally an unqualified name would be turned into an FQDN (with a trailing dot) before the request is sent across the network to the DNS server,  so how does it work with unqualified name on iOS?

                                                                                                          • Re: App Transport Security and local networking
                                                                                                            eskimo Apple Staff Apple Staff (6,490 points)

                                                                                                            … however normally an unqualified name would be turned into an FQDN (with a trailing dot) before the request is sent across the network to the DNS server …

                                                                                                            Right, but ATS is not involved at the DNS level.  ATS looks at the DNS name from the URL you pass to the request (NSURLRequest) that you start.

                                                                                                            ps I hope you’re not using local. for site allocated DNS names.  That domain is reserved for mDNS per RFC 6762.

                                                                                                            Share and Enjoy

                                                                                                            Quinn “The Eskimo!”
                                                                                                            Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                                                                                            let myEmail = "eskimo" + "1" + "@apple.com"

                                                                                              • Re: App Transport Security and local networking
                                                                                                smartcom Level 1 Level 1 (0 points)

                                                                                                Hello

                                                                                                There is still no clear indication on how to handle both iOS 9 and 10 for a local network.

                                                                                                For iOS 10, it's easy, we just need to use the flag NSAllowsLocalNetworking.

                                                                                                OK, but this flag is ignored on iOS 9. And our app needs to be compatible with both iOS 9 and 10 after 1st January 2017.

                                                                                                Then on iOS 9 we have 3 solutions:

                                                                                                1. Set the flag NSAllowsArbitraryLoads. It purely disables ATS, but this requires App Store justification.

                                                                                                2. For a specified domain, use the flag NSExceptionAllowsInsecureHTTPLoads. But this requires App Store justification.

                                                                                                3. For a specified domain, use the flag NSThirdPartyExceptionAllowsInsecureHTTPLoads. From what I've read "unofficially" this would not require App Store justification. But this flag has been removed from official Apple documentation, so I guess we are no longer allowed to use it.

                                                                                                 

                                                                                                It's urgent developers get from Apple a clear statement on how ATS must be configured for local network for both iOS 9 and 10 in order to pass App Store review.

                                                                                                 

                                                                                                Thanks

                                                                                                  • Re: App Transport Security and local networking
                                                                                                    eskimo Apple Staff Apple Staff (6,490 points)

                                                                                                    I don’t work for App Review and can’t make “a clear statement” on their behalf but the advice in the ATS docs seems pretty clear to me.  Specifically, Table 2 says:

                                                                                                    NSAllowsLocalNetworking: If you set this key’s value to YES, then App Transport Security ignores the value of the NSAllowsArbitraryLoads key in iOS 10 and later … This behavior supports adoption of App Transport Security protections while allowing embedded browsers to continue working in iOS 9 and earlier … (To obtain this behavior, set the value of this key to YES and set the value of the NSAllowsArbitraryLoads key to YES as well.)

                                                                                                    As always, if you find the docs unclear, please file a bug against them.

                                                                                                    Share and Enjoy

                                                                                                    Quinn “The Eskimo!”
                                                                                                    Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                                                                                    let myEmail = "eskimo" + "1" + "@apple.com"

                                                                                                      • Re: App Transport Security and local networking
                                                                                                        thibault2 Level 1 Level 1 (0 points)

                                                                                                        I have the same requirements.

                                                                                                        My application needs to connect to local devices using IP: they support HTTPS but not the latest protocol (the device is limited to TLS v1.1).

                                                                                                        I have added NSAllowsLocalNetworking but it still fails in SSL verification.

                                                                                                         

                                                                                                        How can I solve this issue?

                                                                                                          • Re: App Transport Security and local networking
                                                                                                            eskimo Apple Staff Apple Staff (6,490 points)

                                                                                                            NSAllowsLocalNetworking only affects ATS; NSURLSession still does RFC 2818-style HTTPS server trust evaluation, and you’ll need to deal with that as well.  Technote 2232 HTTPS Server Trust Evaluation describes how.

                                                                                                            ps You might want to have a read of my TLS for App Developers post.

                                                                                                            Share and Enjoy

                                                                                                            Quinn “The Eskimo!”
                                                                                                            Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                                                                                            let myEmail = "eskimo" + "1" + "@apple.com"

                                                                                                              • Re: App Transport Security and local networking
                                                                                                                Scenario Level 1 Level 1 (0 points)

                                                                                                                I'm crippled by this issue too and just read about NSAllowsLocalNetworking. So I added the following keys to my Apple Watch Extension's Info.plist, but it still fails:

                                                                                                                 

                                                                                                                  <key>NSAppTransportSecurity</key>
                                                                                                                  <dict>
                                                                                                                      <key>NSAllowsLocalNetworking</key>
                                                                                                                      <true/>
                                                                                                                  </dict>
                                                                                                                

                                                                                                                 

                                                                                                                All I'm trying to do is play a test video from my NAS (on my local network), but the following line of code shows "unable to read data" in the debugger while it merely tries to create a URL:

                                                                                                                 

                                                                                                                  let url = URL(string: "http://scenario-imac.local/~MyUserName/Volumes/iTunes/iTunes%20Media/TV%20Shows/Star%20Trek/Season%201/18%20Arena.m4v")!
                                                                                                                

                                                                                                                 

                                                                                                                If I po it, the url looks good. But then setting WKInterfaceMovie's url and pressing play fails to produce either video or an error.


                                                                                                                URLs of that form work fine from my iOS and tvOS apps, but not from watchOS. Shouldn't watchOS 3.1 be respecting this key?

                                                                                                                • Re: App Transport Security and local networking
                                                                                                                  craigaps Level 1 Level 1 (0 points)

                                                                                                                  Hi

                                                                                                                  I have an iOS 10 (only) app.  The app needs to be able to support the use of self-signed certificates for IP addresses, i.e. https://192.168.2.1, in a "test" mode.  The IP addresses and certificates are spawned virtual servers and they don't have access to a DNS or a certificate authority; importantly, they are for testing only.

                                                                                                                   

                                                                                                                  In the app info.plist I have the following entry:

                                                                                                                  <key>NSAppTransportSecurity</key>
                                                                                                                  <dict>
                                                                                                                      <key>NSAllowsArbitraryLoads</key>
                                                                                                                      <true/>
                                                                                                                  </dict>
                                                                                                                  

                                                                                                                   

                                                                                                                  If the app is in "test" mode, this is the code that gets executed:

                                                                                                                  import Foundation

                                                                                                                  // Test mode only: accepts the self-signed certificate of the test server.
                                                                                                                  // ATS keys do not relax this; URLSession still evaluates server trust.
                                                                                                                  class AllowSelfSignedCertificate: NSObject, URLSessionDelegate
                                                                                                                  {
                                                                                                                    // Exact delegate selector (with the `_` label, not private) or URLSession never calls it.
                                                                                                                    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void)
                                                                                                                    {
                                                                                                                      // Override only server trust challenges; every other kind gets default handling.
                                                                                                                      guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
                                                                                                                            let trust = challenge.protectionSpace.serverTrust else {
                                                                                                                        completionHandler(.performDefaultHandling, nil)
                                                                                                                        return
                                                                                                                      }
                                                                                                                      completionHandler(.useCredential, URLCredential(trust: trust))
                                                                                                                    }
                                                                                                                  }

                                                                                                                  if mode == OperationMode.test
                                                                                                                  {
                                                                                                                    let session = URLSession(configuration: URLSessionConfiguration.ephemeral, delegate: AllowSelfSignedCertificate(), delegateQueue: nil)
                                                                                                                  }
                                                                                                                  

                                                                                                                   

                                                                                                                  When I run the app in "test" mode I get the following error:
                                                                                                                     The certificate for this server is invalid. You might be connecting to a server that is pretending to be "192.168.2.1" which could put your confidential information
                                                                                                                      at risk

                                                                                                                   

                                                                                                                  When I connect the app to the same network as the test server and include NSAllowsLocalNetworking, I get the same error.  Following is the output of nscurl:

                                                                                                                  nscurl --ats-diagnostics https:/
                                                                                                                  Starting ATS Diagnostics
                                                                                                                  Configuring ATS Info.plist keys and displaying the result of HTTPS loads to https:/
                                                                                                                  A test will "PASS" if URLSession:task:didCompleteWithError: returns a nil error.
                                                                                                                  Use '--verbose' to view the ATS dictionaries used and to display the error received in URLSession:task:didCompleteWithError:.
                                                                                                                  ================================================================================
                                                                                                                  Default ATS Secure Connection
                                                                                                                  ---
                                                                                                                  ATS Default Connection
                                                                                                                  2016-12-28 14:52:50.763 nscurl[36062:6500411] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
                                                                                                                  Result : FAIL
                                                                                                                  ---
                                                                                                                  ================================================================================
                                                                                                                  Allowing Arbitrary Loads
                                                                                                                  ---
                                                                                                                  Allow All Loads
                                                                                                                  2016-12-28 14:52:50.794 nscurl[36062:6500411] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
                                                                                                                  Result : FAIL
                                                                                                                  ---
                                                                                                                  ================================================================================
                                                                                                                  Configuring TLS exceptions for 192.168.2.1
                                                                                                                  ---
                                                                                                                  TLSv1.2
                                                                                                                  2016-12-28 14:52:50.830 nscurl[36062:6500411] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
                                                                                                                  Result : FAIL
                                                                                                                  ---
                                                                                                                  ---
                                                                                                                  TLSv1.1
                                                                                                                  2016-12-28 14:52:50.868 nscurl[36062:6500411] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
                                                                                                                  Result : FAIL
                                                                                                                  ---
                                                                                                                  ---
                                                                                                                  TLSv1.0
                                                                                                                  2016-12-28 14:52:50.934 nscurl[36062:6500411] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
                                                                                                                  Result : FAIL
                                                                                                                  ---
                                                                                                                  ================================================================================
                                                                                                                  Configuring PFS exceptions for 192.168.2.1
                                                                                                                  ---
                                                                                                                  Disabling Perfect Forward Secrecy
                                                                                                                  2016-12-28 14:52:50.948 nscurl[36062:6500411] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
                                                                                                                  Result : FAIL
                                                                                                                  ---
                                                                                                                  ================================================================================
                                                                                                                  Configuring PFS exceptions and allowing insecure HTTP for 192.168.2.1
                                                                                                                  ---
                                                                                                                  Disabling Perfect Forward Secrecy and Allowing Insecure HTTP
                                                                                                                  2016-12-28 14:52:50.959 nscurl[36062:6500411] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
                                                                                                                  Result : FAIL
                                                                                                                  ---
                                                                                                                  ================================================================================
                                                                                                                  Configuring TLS exceptions with PFS disabled for 192.168.2.1
                                                                                                                  ---
                                                                                                                  TLSv1.2 with PFS disabled
                                                                                                                  2016-12-28 14:52:50.971 nscurl[36062:6500411] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
                                                                                                                  Result : FAIL
                                                                                                                  ---
                                                                                                                  ---
                                                                                                                  TLSv1.1 with PFS disabled
                                                                                                                  2016-12-28 14:52:50.980 nscurl[36062:6500411] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
                                                                                                                  Result : FAIL
                                                                                                                  ---
                                                                                                                  ---
                                                                                                                  TLSv1.0 with PFS disabled
                                                                                                                  2016-12-28 14:52:50.990 nscurl[36062:6500411] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
                                                                                                                  Result : FAIL
                                                                                                                  ---
                                                                                                                  ================================================================================
                                                                                                                  Configuring TLS exceptions with PFS disabled and insecure HTTP allowed for 192.168.2.1
                                                                                                                  ---
                                                                                                                  TLSv1.2 with PFS disabled and insecure HTTP allowed
                                                                                                                  2016-12-28 14:52:51.022 nscurl[36062:6500411] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
                                                                                                                  Result : FAIL
                                                                                                                  ---
                                                                                                                  ---
                                                                                                                  TLSv1.1 with PFS disabled and insecure HTTP allowed
                                                                                                                  2016-12-28 14:52:51.041 nscurl[36062:6500411] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
                                                                                                                  Result : FAIL
                                                                                                                  ---
                                                                                                                  ---
                                                                                                                  TLSv1.0 with PFS disabled and insecure HTTP allowed
                                                                                                                  2016-12-28 14:52:51.052 nscurl[36062:6500411] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
                                                                                                                  Result : FAIL
                                                                                                                  ---
                                                                                                                  

                                                                                                                   

                                                                                                                  When I run openssl s_client, this is the output (certificate information omitted):

                                                                                                                  openssl s_client -connect 192.168.2.1:443
                                                                                                                  CONNECTED(00000003)
                                                                                                                  verify error:num=18:self signed certificate
                                                                                                                  verify return:1
                                                                                                                  ---
                                                                                                                  No client certificate CA names sent
                                                                                                                  ---
                                                                                                                  SSL handshake has read 979 bytes and written 456 bytes
                                                                                                                  ---
                                                                                                                  New, TLSv1/SSLv3, Cipher is AES128-SHA
                                                                                                                  Server public key is 2048 bit
                                                                                                                  Secure Renegotiation IS supported
                                                                                                                  Compression: NONE
                                                                                                                  Expansion: NONE
                                                                                                                  SSL-Session:
                                                                                                                      Protocol  : TLSv1
                                                                                                                      Cipher    : AES128-SHA
                                                                                                                      Session-ID: BC8C61C53D3BBBC9CEAEA468BCC54FA4C494C43192274A48E4195A80FDB36EDC
                                                                                                                      Session-ID-ctx:
                                                                                                                      Master-Key: 511F32CC76D8D7C457003B1042D9E678E159DC653D1F8AE844E6EA9A280727D0BA41E6329FFECFE628C1B8CC41EF71A0
                                                                                                                      Key-Arg   : None
                                                                                                                      Start Time: 1482901084
                                                                                                                      Timeout   : 300 (sec)
                                                                                                                      Verify return code: 18 (self signed certificate)
                                                                                                                  ---
                                                                                                                  read:errno=0
                                                                                                                  

                                                                                                                   

                                                                                                                  What ATS configuration should I adopt in the app to enable http://<ip_address> in a test operation mode?

                                                                                                                   

                                                                                                                  Thanks for your help
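                                                                                                                  Added example, not part of the post above and not Apple's or the poster's code. The two error codes in the nscurl output point at two separate problems: -9824 (errSSLPeerHandshakeFail) is the ATS policy rejecting the server's TLSv1 / AES128-SHA configuration shown by openssl, which NSAllowsLocalNetworking or a per-host exception can relax; -9813 (errSSLNoRootCert) is certificate trust evaluation failing on the self-signed certificate, which no ATS key can fix and which has to be handled in the URLSession delegate. Rather than accepting whatever certificate the server presents, the delegate below trusts exactly one certificate bundled with the app, so a test build cannot be redirected to a different self-signed server. The bundle resource name "test-server.cer" and the OperationMode type from the post are assumptions.

```swift
import Foundation
import Security

// Trusts only the bundled test-server certificate (DER "test-server.cer" is an assumed name).
class PinnedTestServerDelegate: NSObject, URLSessionDelegate
{
  private let anchor: SecCertificate

  init?(certificateNamed name: String, in bundle: Bundle = Bundle.main)
  {
    guard let url = bundle.url(forResource: name, withExtension: "cer"),
          let data = try? Data(contentsOf: url),
          let cert = SecCertificateCreateWithData(nil, data as CFData) else
    {
      return nil
    }
    anchor = cert
  }

  func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
                  completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void)
  {
    // Only server-trust challenges are handled here; anything else keeps the default behaviour.
    guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
          let trust = challenge.protectionSpace.serverTrust else
    {
      completionHandler(.performDefaultHandling, nil)
      return
    }

    // Replace the system anchors with the single bundled certificate and re-evaluate the chain.
    SecTrustSetAnchorCertificates(trust, [anchor] as CFArray)
    SecTrustSetAnchorCertificatesOnly(trust, true)

    var result = SecTrustResultType.invalid
    let status = SecTrustEvaluate(trust, &result)
    let trusted = status == errSecSuccess && (result == .unspecified || result == .proceed)

    if trusted
    {
      completionHandler(.useCredential, URLCredential(trust: trust))
    }
    else
    {
      // A different certificate, self-signed or not, is rejected and the load fails.
      completionHandler(.cancelAuthenticationChallenge, nil)
    }
  }
}

// The pinning delegate is installed only in test mode; production keeps default trust evaluation.
func makeSession(mode: OperationMode) -> URLSession
{
  if mode == .test, let delegate = PinnedTestServerDelegate(certificateNamed: "test-server")
  {
    return URLSession(configuration: .ephemeral, delegate: delegate, delegateQueue: nil)
  }
  return URLSession(configuration: .default)
}
```

                                                                                                                  The SSL policy that URLSession attaches to the trust object still checks the host name, so the bundled certificate must name 192.168.2.1 in its subject alternative names; otherwise evaluation fails even with the anchor set. The ATS side stays in Info.plist: NSAllowsLocalNetworking (iOS 10 and later) exempts local-network addresses, or a per-host NSExceptionDomains entry with NSExceptionMinimumTLSVersion and NSExceptionRequiresForwardSecrecy set to match what the server actually offers. Keep both the plist exception and the pinning delegate out of the production build configuration.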