iOS ATS configuration for handling internal redirects to HTTP connection

As announced in WWDC 2016, Apple will enforce HTTPS connection for all apps from December end 2016. I have added all the HTTP domains with which my app communicates as exceptions in the ATS settings, but I am not sure how to handle one particular case: I refer to an HTTP connection that is added as an ATS exception in Info.plist, and it internally redirects to another HTTP connection that is not part of the ATS exceptions in Info.plist. Please suggest.

Replies

Can't you just add the domain of the redirect to the ATS exception list?

You can add the domain to the ATS exception list for new app releases, but the question is what happens to the users of an existing app release who don't upgrade. A real scenario is when a website is moved to another domain with redirects from the old domain.

ATS does not have any specific smarts with regards redirects. From an ATS perspective, each connection is independent and is evaluated on its own merits.

murtaza.saify wrote:

As announced in WWDC 2016, Apple will enforce HTTPS connection for all apps from December end 2016.

Just FYI, this deadline has changed. See my App Transport Security pinned post for the latest news.

jki wrote:

… what happens to the users of an existing app release who don't upgrade. A real scenario is when a website is moved to another domain with redirects from the old domain.

The best way forward here is to make the new server ATS compliant, which means you don’t need a new ATS exception.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thanks Eskimo,


But how should I handle this particular scenario, in which an HTTP connection (known to the app, with its domain added to the ATS exceptions) redirects internally to another HTTP connection (unknown to the app and not part of the ATS exceptions)?

Please suggest.

But how should I handle this particular scenario, in which an HTTP connection (known to the app, with its domain added to the ATS exceptions) redirects internally to another HTTP connection (unknown to the app and not part of the ATS exceptions)?

ATS does not have any specific smarts with regards redirects. The best way forward here is to have each of the servers in question meet ATS’s security requirements. That’s best for you (there’s nothing to do in your app) and best for your users (they get good security).

If you can’t do that then your only option is to add ATS exceptions for all the servers in question. If you can’t build a list of those servers you’ll need a wide ranging ATS exception (and, once App Review starts enforcing their announced policy, you’ll have to justify that to App Review).

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
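Added example, not part of the original thread: a small Python audit that applies the per-connection evaluation described above to each hop of a redirect chain, using a simplified model of the `NSAppTransportSecurity` dictionary. The hostnames, plist fragment and redirect chain are constructed, the function names are hypothetical, and HTTPS hops are assumed to meet ATS's TLS requirements.

```python
import plistlib
from urllib.parse import urlsplit

# Constructed Info.plist fragment: one per-domain HTTP exception, as in the question.
INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSExceptionDomains</key><dict>
      <key>old.example.com</key><dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
      </dict>
    </dict>
  </dict>
</dict></plist>"""

# Constructed redirect chain: the excepted host redirects to a host the app does not list.
CHAIN = ["http://old.example.com/feed", "http://new.example.net/feed"]

def find_exception(ats, host):
    """Return the most specific NSExceptionDomains entry covering host, or None."""
    best = None
    for domain, rule in ats.get("NSExceptionDomains", {}).items():
        domain = domain.lower()
        covers = host == domain or (
            rule.get("NSIncludesSubdomains", False) and host.endswith("." + domain))
        if covers and (best is None or len(domain) > len(best[0])):
            best = (domain, rule)
    return best[1] if best else None

def hop_allowed(ats, url):
    """Evaluate one connection on its own, ignoring how the client got there."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        return True  # assumption: the server meets ATS's TLS requirements
    rule = find_exception(ats, (parts.hostname or "").lower())
    if rule is not None:  # a per-domain entry takes precedence over the global key
        return bool(rule.get("NSExceptionAllowsInsecureHTTPLoads", False))
    return bool(ats.get("NSAllowsArbitraryLoads", False))

def audit_chain(plist_bytes, chain):
    """Return [(url, allowed)] for every hop of a redirect chain."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    return [(url, hop_allowed(ats, url)) for url in chain]

if __name__ == "__main__":
    for url, ok in audit_chain(INFO_PLIST, CHAIN):
        print("allowed" if ok else "BLOCKED", url)
```

Feeding it the redirect chain recorded from a server migration shows which hops still need either an ATS-compliant server or an explicit exception before an existing release would follow them.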

Thanks Eskimo,


By wide ranging, do you mean I just need to include the AllowArbitaryLoad key and set it to YES? Will my above problem be reasonable justification to Apple for ignoring ATS in my app?

… will my above problem be reasonable justification to Apple for ignoring ATS in my app?

I don’t work for App Review and can’t give definitive answers about how they will interpret their policies. The information that they have published is linked to my App Transport Security pinned post.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"