58 Replies
      Latest reply: Jan 3, 2017 3:50 AM by eskimo
      RLKingSoftware Level 3 (485 points)

        As the title notes, Apple announced that ATS will be REQUIRED of all apps as of January 2017.

        This also means the exceptions that currently exist will no longer exist. Which means for most of us who use our own domains to host our websites but don't pay extra for https that those domains will no longer be accessible in iOS.

        Is there a workaround for this that will be usable in January? If not, what the heck is Apple thinking?

        • Re: App Transport Security REQUIRED January 2017
          Werecrayon Level 1 (0 points)

          I am all for secure communications, but there are some times when it is simply not possible. I have an app that communicates with a physical satellite modem. That satellite modem is local to the wifi network and only exposes an HTTP connection. There is no way to connect to it securely. Is this app simply no longer possible?

          • Re: App Transport Security REQUIRED January 2017
            jpoblocki Level 1 (0 points)

            I agree. I understand that security is important, but there are far too many services that still use HTTP. I have an app that pulls images from NOAA over an HTTP connection. I don't see them switching to HTTPS anytime soon. Without an exception my app would be useless.

            • Re: App Transport Security REQUIRED January 2017
              KalMudov Level 1 (0 points)

              We are in the same situation, having an app which is in fact a proxy between web media and the local network. A lot of web servers do not implement HTTPS, and neither do communications over the local network. It seems our app will be absolutely useless without NSAllowsArbitraryLoads. There must be a procedure/approval for apps like ours, similar to setting, for example, Background modes for apps. I am sure a lot of apps are in our situation.

                • Re: App Transport Security REQUIRED January 2017
                  Appa Level 1 (0 points)

                  Sturgmeister on the Xamarin forums mentioned that Apple (during the keynote) said that they would allow developers to apply for exemptions. I'm hoping that he is correct as in my particular use case, I call a REST API on an embedded board and it would literally be impossible to use SSL on without forcing all of our customers to upgrade at a cost of $5000+ per site.

                • Re: App Transport Security REQUIRED January 2017
                  eskimo Apple Staff (6,995 points)

                  First up, there have been no changes to the technical behaviour of ATS (other than the addition of NSAllowsArbitraryLoadsInWebContent and NSRequiresCertificateTransparency).  From a technical perspective, ATS exceptions in the newly seeded OS releases work the same way as they do in the current OS release.

                  What has changed is that App Review will require “reasonable justification” for most ATS exceptions.  The goal here is to flush out those folks who, when ATS was first released, simply turned it off globally and moved on.  That will no longer be allowed.

                  The impact of this will depend on the circumstances of your app.  I don’t work for App Review, so I can’t give definitive answers as to what constitutes a “reasonable justification” in their minds.  However, I can recommend that you do the following:

                  • watch the WWDC session where we announced this change (WWDC 2016 Session 706 What’s New in Security) so that you can get a feel for the rationale behind it

                  • carefully audit your app’s use of HTTP and HTTPS

                  • construct a minimal ATS exception dictionary

                  • if you have ATS exceptions, keep notes about your analysis so that you can refer back to them when you need to submit your justification to App Review

                  Finally, if there are places where ATS has limitations that cause you to specify wider exceptions than one might reasonably expect, file an enhancement request against ATS for more appropriate exceptions.  Make sure to note the bug number to use in your justification.  And I’d appreciate you posting your bug number here, just for the record.

                  [I’ve removed the following example because we introduced NSAllowsLocalNetworking in iOS 10.0b4, partly based on the feedback we got from developers like you.  Thanks everyone!  OTOH, the general advice from the previous paragraph still stands.]

                  For example, right now ATS has very poor support for dealing with accessories on the local Wi-Fi.  An app that needs to deal with such an accessory may well need to set NSAllowsArbitraryLoads.  In that case, it would be wise to file a bug that describes your app’s requirements and requests better support from ATS, and use that bug number as part of your justification.

                  Share and Enjoy

                  Quinn “The Eskimo!”
                  Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                  let myEmail = "eskimo" + "1" + "@apple.com"

                    • Re: App Transport Security REQUIRED January 2017
                      Orologics Level 1 (0 points)

                      Thanks, Quinn. Your response is very close to what I expected would happen. Anticipating that, I spent all last week with Allow Arbitrary Loads turned off. I had to create a huge list of exception domains in order to enable not only the third party open data APIs I reference, but their corresponding websites for configuration or information. Because NSAllowsArbitraryLoadsInWebContent is not available in iOS 9, I had to inspect and whitelist embedded links, e.g., code.jquery.com. If I didn't, some website controls would either look wrong or not work. That's even ignoring the FB and Twitter links I found.

                       

                      There just doesn't seem to be a good way to release an app that can work compatibly in both iOS 9 and 10 if it depends on HTTP-only third party APIs and HTTP-only third party websites.  I filed an enhancement request under 26976436.

                      • Re: App Transport Security REQUIRED January 2017
                        Orologics Level 1 (0 points)

                        I also submitted 26979531 as a bug report to allow LAN devices that are discovered by SSDP to be accessed using their discovered IP addresses, via  HTTP/GET, while still retaining the security to block WAN access.

                        • Re: App Transport Security REQUIRED January 2017
                          knoxy Level 1 (0 points)

                          Thanks Quinn for all the great information. What's the process for determining now whether our 'reasonable justification' is in fact reasonable in the App Review team's mind, post-Jan 2017? If we submit an App with a single domain NSExceptionAllowsInsecureHTTPLoads exception for review today, together with our reasonable justification, can we ask for it to be reviewed as if it's post-Jan 2017?

                          • Re: App Transport Security REQUIRED January 2017
                            jageen.shukla Level 1 (0 points)

                            Hi, thanks for the solution "NSAllowsArbitraryLoadsInWebContent".

                            I am working on an application which is going to load pages into a WebView; this will help me only for iOS 10.

                            Will you please help me with what I should do for iOS 9 and iOS 8?

                            • Re: App Transport Security REQUIRED January 2017
                              RichH_BC Level 1 (0 points)

                              Thanks for this super bit of info!

                               

                              Just a quick query around the documentation of the ATS keys.

                               

                              It says:

                              NSAllowsArbitraryLoads: "Use of this key triggers App Store review and requires justification."

                              and also "In iOS 10 and later, and macOS 10.12 and later, the value of this key is ignored if any of the following keys are present in your app’s Info.plist file"

                               

                              Now does this mean, as I want to load an HTTP link in a web view for iOS 9, that I can specify NSAllowsArbitraryLoads=YES and also NSAllowsArbitraryLoadsInWebContent=YES and I won't need to provide justification for the App Store review process because of the second comment above from the docs?

                              Or should I specify a domain-level exception and set NSExceptionAllowsInsecureHTTPLoads=YES for that domain?

                               

                              Cheers,

                               

                              Rich

                                • Re: App Transport Security REQUIRED January 2017
                                  eskimo Apple Staff (6,995 points)

                                  At the technical level, it’s hard to say which is the best option:

                                  • With option #1 (NSAllowsArbitraryLoadsInWebContent and NSAllowsArbitraryLoads) iOS 9 will be less secure (because of the NSAllowsArbitraryLoads) but iOS 10 will be more secure (ATS is enabled for everything except the web view).

                                  • With option #2 (NSAllowsArbitraryLoadsInWebContent and an NSExceptionDomains entry for your specific domain with NSExceptionAllowsInsecureHTTPLoads), iOS 9 will be more secure (because there’s no NSAllowsArbitraryLoads) but iOS 10 will be less secure (because the NSExceptionDomains applies to code outside of the web view).

                                  I reckon you could reasonably justify either to App Review, but I can’t say for sure because I’m not allowed to speak on their behalf.

                                  If I were in your shoes I’d probably go for the first option because:

                                  • it offers the best security going forward; the percentage of users on iOS 10 is already significant and it’s growing rapidly

                                  • lots of other developers will be doing this, so it’s going to be easier to justify to App Review

                                  Share and Enjoy

                                  Quinn “The Eskimo!”
                                  Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                  let myEmail = "eskimo" + "1" + "@apple.com"

                                • Re: App Transport Security REQUIRED January 2017
                                  matthiasfromdresden Level 1 (0 points)

                                  Hi Quinn,

                                   

                                  We developed an iOS framework that communicates with a backend. The network layer is written in plain C and talks HTTP/1.1 over posix sockets for portability. With the announcement of ATS enforcement at the end of 2016 we are getting a bit nervous if this will eventually have an effect on us.

                                   

                                  So my question is, will Apple enforce encryption of HTTP communication over posix sockets in the near future?

                                   

                                  Thank you

                                    • Re: App Transport Security REQUIRED January 2017
                                      eskimo Apple Staff (6,995 points)

                                      So my question is, will Apple enforce encryption of HTTP communication over posix sockets in the near future?

                                      I’m unable to predict the future, both due to policy reasons (my management hates it when I speculate) and… well… physics (-:  Right now ATS is only enforced by our high-level APIs (NSURLSession, NSURLConnection, and anything layered on top of those), and there’s been no announcements about that changing.

                                      Keep in mind, however, that ATS’s enhanced security requirements are not arbitrary; they are defined to give your users a good level of security on an increasingly hostile Internet.  As such, your app should aim to comply with these requirements even if ATS is not actively enforcing them.

                                      Share and Enjoy

                                      Quinn “The Eskimo!”
                                      Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                      let myEmail = "eskimo" + "1" + "@apple.com"

                                  • Re: App Transport Security REQUIRED January 2017
                                    nvdev Level 1 (0 points)

                                    What happens to apps that are still in the app store by the end of the year that aren't using HTTPS?

                                    • Re: App Transport Security REQUIRED January 2017
                                      mobiledatabooks Level 1 (0 points)

                                      You can use https://letsencrypt.org

                                      It is free, stable and used by millions of web sites already.

                                      Requires an update every three months, which can be automated.

                                      I have been testing it for 6 months already. It was in beta until last month.

                                      It is now out of beta.

                                      You can register as many domains as you need for free.

                                      • Re: App Transport Security REQUIRED January 2017
                                        itworks618 Level 1 (0 points)

                                        Filed enhancement request 27850892 to relax the Perfect Forward Secrecy requirement.

                                         

                                        Quoted from the document on the default ATS requirements:

                                        1. The server certificate must meet at least one of the following trust requirements:
                                        2. The negotiated Transport Layer Security version must be TLS 1.2
                                        3. The negotiated TLS connection cipher suite must support forward secrecy (FS) and be one of the following:
                                        4. The leaf server certificate must be signed with one of the following types of key

                                         

                                        #3 seems to be Perfect Forward Secrecy from the nscurl utility output. I am wondering how widely perfect forward secrecy is enabled on web sites.

                                         

                                        This particularly poses an issue for enterprise customers that the same App might be configured by end users to talk to different servers. For example, customerA's employees download the App from App Store and use it to connect to customerA's servers, and customerB's employees ask the same App to connect to different servers; and worse, the developers who build the App have no idea on those servers' SSL configurations/strengths.

                                        • Re: App Transport Security REQUIRED January 2017
                                          MickCropper Level 1 (0 points)

                                          Clearly this isn't going to work in every scenario, but take a look at this as this will cover most of the scenarios where this will impact, https://www.contradodigital.com/2016/09/01/claim-your-free-ssl-certificates-for-https/ - Lots more technical resources listed at the bottom of the page too for those with the capability to implement themselves.

                                          • Re: App Transport Security REQUIRED January 2017
                                            Asia Innovations Level 1 (0 points)

                                            As the title notes, Apple announced that ATS will be REQUIRED of all apps as of January 2017.

                                            Currently, access via HTTPS has been implemented on all our internal service interfaces.

                                             

                                            We have several questions below:


                                            1. Could "image url" embedded in our app be accessed via HTTP?

                                            2. Could "FLV streaming url" embedded in our app be accessed via HTTP?

                                            3. Could we continue to use "NSExceptionDomains" to open HTTP access for specific domain name?

                                            4. Since our app needs to support iOS 9 and now implements WKWebKit, we wonder if "NSAllowsArbitraryLoads = YES" could be set separately under iOS 9?

                                             

                                            Look forward to your soonest reply.

                                             

                                            Best.

                                              • Re: App Transport Security REQUIRED January 2017
                                                eskimo Apple Staff (6,995 points)

                                                To start, let’s be clear that there are two parts to any ATS question:

                                                • how to make things work technically

                                                • App Review policy

                                                As I mentioned above, I’m not able to help with App Review policy side of things, but my ATS pinned post has references to the published information on that front.

                                                With that out of the way, let’s look at your questions:

                                                1. Could "image url" embedded in our app be accessed via HTTP?

                                                2. Could "FLV streaming url" embedded in our app be accessed via HTTP?

                                                There’s not enough info to answer these questions.  Specifically:

                                                • There’s no info about what API you’re using to access these resources, and the APIs really matter when it comes to ATS.  For example:

                                                  • If the resource is loaded by a web view, ATS has specific features to support that

                                                  • If the resource is being loaded by BSD Sockets, ATS does not apply at all

                                                • It’s also not clear whether you’re asking about the technical or App Review side of this.

                                                3. Could we continue to use "NSExceptionDomains" to open HTTP access for specific domain name?

                                                I believe you’re talking about the App Review side of things here, which I’ve covered above.

                                                4. Since our app needs to support iOS 9 and now implements WKWebKit, we wonder if "NSAllowsArbitraryLoads = YES" could be set separately under iOS 9?

                                                The standard approach here is to add two keys to your ATS dictionary:

                                                • NSAllowsArbitraryLoadsInWebContent

                                                • NSAllowsArbitraryLoads

                                                This works as follows:

                                                • iOS 10 honours NSAllowsArbitraryLoadsInWebContent

                                                • iOS 9 ignores NSAllowsArbitraryLoadsInWebContent, but honours NSAllowsArbitraryLoads

                                                • older versions of iOS do not include ATS

                                                IMPORTANT The presence of NSAllowsArbitraryLoadsInWebContent causes iOS 10 to ignore NSAllowsArbitraryLoads.  This results in best practice security on iOS 10 while maintaining compatibility with iOS 9.

                                                Share and Enjoy

                                                Quinn “The Eskimo!”
                                                Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                                let myEmail = "eskimo" + "1" + "@apple.com"

                                                  • Re: App Transport Security REQUIRED January 2017
                                                    alex_kac Level 1 (15 points)

                                                    I've read this whole thread…and I don't know what my answer should be. My situation is simple: We allow users to subscribe to calendars. Calendar subscriptions are rarely on SSL - and they are not "web content". So do we pretty much remove this feature? We can't ask for specific overrides because it's user-entered input.

                                                      • Re: App Transport Security REQUIRED January 2017
                                                        eskimo Apple Staff (6,995 points)

                                                        We allow users to subscribe to calendars. Calendar subscriptions are rarely on SSL - and they are not "web content" … We can't ask for specific overrides because it's user-entered input.

                                                        You should use NSAllowsArbitraryLoads.  We continue to support this key for good reason: some apps need to be able to make insecure connections to arbitrary URLs input by the user.  Previously NSAllowsArbitraryLoads was primarily used by web browsers, calendar apps, mail clients, and so on.  It’s now no longer necessary for web browsers (due to NSAllowsArbitraryLoadsInWebContent) but it’s still relevant in the other cases.

                                                        Using NSAllowsArbitraryLoads will flag extra scrutiny during App Review but that does not mean you’ll automatically be rejected.  Rather, you’ll have to provide reasonable justification for your use.

                                                        One thing you can do to improve the security of your app is to add NSExceptionDomains entries for the sites that should be secure.  Let’s say your app talks to FooCal™, and the FooCal™ servers support ATS-compliant HTTPS.  In that case you should add an NSExceptionDomains for foocal.example.com to your ATS exception dictionary so that ATS guarantees your security for those servers.

                                                        Similarly, if your app talks to servers you control (for analytics, say), you should make sure that they are ATS compliant and add them to NSExceptionDomains.

                                                        Share and Enjoy

                                                        Quinn “The Eskimo!”
                                                        Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                                        let myEmail = "eskimo" + "1" + "@apple.com"
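
An added example (not from this thread and not Apple's code) that models the key interactions described in the two replies above: the two-key approach for iOS 9 and iOS 10, and NSExceptionDomains entries that keep ATS on for hosts that should be secure. The plist, the host names and the `http_allowed` helper are constructed for illustration; the model covers only the keys named in this thread and assumes a matching NSExceptionDomains entry takes precedence in every context.

```python
import plistlib

# Constructed Info.plist (not from the thread): both arbitrary-load keys, one
# domain pinned back to full ATS, and one narrow HTTP exception.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSAllowsArbitraryLoadsInWebContent</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>foocal.example.com</key>
      <dict>
        <key>NSIncludesSubdomains</key><true/>
      </dict>
      <key>legacy.example.net</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

WEB_KEY = "NSAllowsArbitraryLoadsInWebContent"


def load_ats(plist_bytes):
    """Return the NSAppTransportSecurity dictionary, or {} if absent."""
    return plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})


def match_exception(ats, host):
    """Find the most specific NSExceptionDomains entry covering host."""
    host = host.lower().rstrip(".")
    best = None
    for domain, cfg in ats.get("NSExceptionDomains", {}).items():
        d = domain.lower()
        covers = host == d or (
            cfg.get("NSIncludesSubdomains", False) and host.endswith("." + d)
        )
        if covers and (best is None or len(d) > len(best[0])):
            best = (d, cfg)
    return best


def http_allowed(ats, os_major, host, in_web_view=False):
    """Model whether a plain-HTTP load via NSURLSession or a web view passes."""
    if os_major < 9:
        return True, "no ATS before iOS 9"
    exc = match_exception(ats, host)
    if exc:
        # Assumption of this model: a matching entry wins in every context.
        ok = bool(exc[1].get("NSExceptionAllowsInsecureHTTPLoads", False))
        return ok, "NSExceptionDomains entry for " + exc[0]
    if os_major >= 10 and WEB_KEY in ats:
        # Presence of the web-content key makes iOS 10 ignore NSAllowsArbitraryLoads.
        if in_web_view and ats[WEB_KEY]:
            return True, WEB_KEY
        return False, "ATS enforced; NSAllowsArbitraryLoads ignored"
    if ats.get("NSAllowsArbitraryLoads", False):
        return True, "NSAllowsArbitraryLoads"
    return False, "ATS default"


def audit(ats, hosts):
    """Evaluate every host on iOS 9 and 10, in app code and in a web view."""
    return [
        (host, os_major, web) + http_allowed(ats, os_major, host, web)
        for host in hosts
        for os_major in (9, 10)
        for web in (False, True)
    ]


if __name__ == "__main__":
    ats = load_ats(SAMPLE_PLIST)
    # feeds.example.org stands in for a user-entered calendar URL host.
    for host, os_major, web, ok, why in audit(
        ats, ["feeds.example.org", "api.foocal.example.com", "legacy.example.net"]
    ):
        where = "web view" if web else "app code"
        verdict = "HTTP allowed" if ok else "HTTP blocked"
        print(f"iOS {os_major:<2} {where:<8} {host:<24} {verdict:<12} ({why})")
```

Running it over a real Info.plist shows at a glance which hosts still accept cleartext on each OS version, which is the kind of note worth keeping for an App Review justification.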

                                                          • Re: App Transport Security REQUIRED January 2017
                                                            IzzyGM Level 1 (0 points)

                                                            Hello, if my app has a button that makes this call and opens my website in Safari, will this not be allowed starting January 1st? Since my website isn't https I wasn't sure. Thanks for your help.

                                                             

                                                            [[UIApplication sharedApplication] openURL:[NSURL URLWithString:@"http://www.samplewebsite.com"]];

                                                             

                                                            -ismael

                                                              • Re: App Transport Security REQUIRED January 2017
                                                                eskimo Apple Staff (6,995 points)

                                                                App Review’s upcoming App Transport Security (ATS) requirement is about ATS, and ATS only applies to NSURLSession, the now-deprecated NSURLConnection, and APIs layered on top of those.

                                                                Share and Enjoy

                                                                Quinn “The Eskimo!”
                                                                Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                                                let myEmail = "eskimo" + "1" + "@apple.com"

                                                              • Re: App Transport Security REQUIRED January 2017
                                                                abuzar Level 1 (0 points)

                                                                Hi,

                                                                I have read the whole thread. I just want to ask whether developers who have enterprise applications will also need to use all HTTPS connections in their enterprise applications, or whether only the apps that are on the App Store need to implement HTTPS?

                                                                In my enterprise applications I currently have the key "Allow Arbitrary Loads" set to YES in the .plist file, which means it allows all HTTP connections from my applications.

                                                                So, do I need to remove this key from enterprise applications? Again, I am repeating myself: I am asking only about enterprise applications and not about App Store applications.

                                                                  • Re: App Transport Security REQUIRED January 2017
                                                                    eskimo Apple Staff (6,995 points)

                                                                    So, do i need to remove [NSAllowsArbitraryLoads] from enterprise Applications ?

                                                                    The announced change relates to App Review.

                                                                    However, my recommendation is that you work hard to minimise your ATS exceptions, regardless of whether your app goes through App Review.  Remember ATS’s requirements are not arbitrary: rather, they are set to give your users a reasonable level of security when talking over the network.

                                                                    Share and Enjoy

                                                                    Quinn “The Eskimo!”
                                                                    Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                                                    let myEmail = "eskimo" + "1" + "@apple.com"

                                                              • Re: App Transport Security REQUIRED January 2017
                                                                sspitzerpopsugar Level 1 (0 points)

                                                                "IMPORTANT The presence of NSAllowsArbitraryLoadsInWebContent causes iOS 10 to ignore NSAllowsArbitraryLoads.  This results in best practice security on iOS 10 while maintaining compatibility with iOS 9."

                                                                 

                                                                Thanks for this info, that was causing me a lot of confusion.

                                                            • Re: App Transport Security REQUIRED January 2017
                                                              KearLiao Level 1 (0 points)

                                                              Are there any docs from Apple about this?

                                                              • Re: App Transport Security REQUIRED January 2017
                                                                Kinol Level 1 (0 points)

                                                                Hi,

                                                                 

                                                                I have a question, same kind as the one asked by abuzar, on NSAllowsArbitraryLoads = YES

                                                                 

                                                                Context:

                                                                - My app integrates an advertising SDK

                                                                - The advertising SDK does most of its connections on https, but some to third-party servers are http and we can't know the server in advance

                                                                 

                                                                After reading https://nabla-c0d3.github.io/blog/2016/08/14/ats-enforced-2017/ , I have to refer to point

                                                                • Third-party servers that the App connects to, for example via connections initiated by SDKs.

                                                                 

                                                                Third-Party Servers

                                                                For third-party servers that the App connects to, any ATS exemption can be used, including domain-specific blacklisted exemptions, as Apple has stated that not having control of the server was a reasonable justification.

                                                                Doing so will require identifying the list of third-party servers the App connects to, in order to be able to add the proper domain-specific ATS exemptions to the App.

                                                                 

                                                                 

                                                                My question concerns the underlined point: from what I understand, I will have to identify each non-SSL third-party server. I'm in the situation of using an advertising SDK that can't know in advance all the servers my app will have to request (through this SDK).

                                                                Also, this SDK provider might dynamically tell their SDK to connect to a new third-party server that provides ads (or even, as they say, a third-party server can point to a non-SSL address to another third-party server).

                                                                So in this case, if I use NSAllowsArbitraryLoads = YES and justify it by the use of this advertising SDK that connects to third parties, will the app pass validation and not be rejected for not identifying the third-party servers? (because this is technically impossible)

                                                                 

                                                                Thank you
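The quoted guidance asks for a list of the third-party servers an app contacts so that domain-specific exemptions can replace a blanket `NSAllowsArbitraryLoads`. The sketch below is an added example, not code from the thread or from Apple: it turns a list of request URLs into an `NSExceptionDomains` dictionary scoped to the hosts seen over plain HTTP. The URL list is constructed, and the function names are hypothetical.

```python
import ipaddress
import plistlib
from urllib.parse import urlsplit

# Constructed sample: request URLs captured while exercising the app and its
# SDKs behind a logging proxy. None of these hosts come from the thread.
OBSERVED_URLS = [
    "https://api.example.com/v1/config",
    "http://ads.example.net/banner?id=1",
    "http://ads.example.net/click",
    "http://CDN.Example.org:8080/img.png",
    "http://192.168.1.20/status",
    "not a url",
]


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def build_exception_domains(urls):
    """Return (NSExceptionDomains dict, skipped hosts) for plain-HTTP hosts only."""
    domains, skipped = {}, []
    for url in urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme != "http" or not host:
            continue  # only hosts reached over cleartext HTTP are collected here
        if is_ip_literal(host):
            # NSExceptionDomains is keyed by domain name; list IPs for manual review.
            if host not in skipped:
                skipped.append(host)
            continue
        domains[host] = {
            "NSExceptionAllowsInsecureHTTPLoads": True,
            "NSIncludesSubdomains": False,  # exact host only, not its subdomains
        }
    return domains, skipped


def render_ats_fragment(domains):
    """Serialize the ATS dictionary as an XML plist for review before merging."""
    return plistlib.dumps({"NSAppTransportSecurity": {"NSExceptionDomains": domains}})


if __name__ == "__main__":
    found, manual = build_exception_domains(OBSERVED_URLS)
    print(render_ats_fragment(found).decode())
    print("review manually:", manual)
```

A capture only covers the servers contacted during that session, so an SDK that is redirected to new hosts at run time, as described in the post above, will still reach hosts missing from the generated list.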

                                                                  • Re: App Transport Security REQUIRED January 2017
                                                                    eskimo Apple Staff Apple Staff (6,995 points)

                                                                    My question concerns the underlined point …

                                                                    This is an App Review policy question and the only folks who can give you definitive answers about App Review policy are App Review.  AFAIK they’ve not published any guidance as to what exactly they consider to be “reasonable justification”.  For links to the guidance that they have published, see my App Transport Security pinned post.

                                                                    Share and Enjoy

                                                                    Quinn “The Eskimo!”
                                                                    Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                                                    let myEmail = "eskimo" + "1" + "@apple.com"

                                                                      • Re: App Transport Security REQUIRED January 2017
                                                                        Kinol Level 1 Level 1 (0 points)

                                                                        Hi eskimo and thank you for your answer.

                                                                         

                                                                        So if I understand you well:

                                                                        Starting January if I want to release an app with NSAllowsArbitraryLoads = YES, I will have to explain where required that I need this parameter because of an advertising SDK (the “reasonable justification”).

                                                                        But because there is no guidance from App Review team but to provide a “reasonable justification”, depending on who may review my app this justification may be rejected because of a different interpretation of it?

                                                                        • Re: App Transport Security REQUIRED January 2017
                                                                          maya.z Level 1 Level 1 (10 points)

                                                                          Hi Quinn

                                                                           

                                                                          I am still puzzled regarding 3d party servers. As Kinol stated:

                                                                          For third-party servers that the App connects to, any ATS exemption can be used, including domain-specific blacklisted exemptions, as Apple has stated that not having control of the server was a reasonable justification.

                                                                          Doing so will require identifying the list of third-party servers the App connects to, in order to be able to add the proper domain-specific ATS exemptions to the App.

                                                                           

                                                                          In iOS 10: Are we developers expected to reach out to all our 3d party SDK providers to verify that they support secure connections and, if they do not, are we expected to provide their domain list (for use in the exceptions)? Is there any other practice you can suggest?

                                                                           

                                                                          Thanks

                                                                          Maya

                                                                            • Re: App Transport Security REQUIRED January 2017
                                                                              eskimo Apple Staff Apple Staff (6,995 points)

                                                                              I am still puzzled regarding 3d party servers.

                                                                              From Apple’s perspective, you are responsible for the code running inside your app.  Ignoring ATS for the moment, if you use a third-party library that does something dumb (uses a private API, fills the user’s disk with junk, or whatever), it’s obvious that App Review will hold you responsible for that behaviour.

                                                                              ATS is no different from this.  If ‘your’ code is accessing a server, you need to ensure it uses ATS-compliant HTTPS, or you need to add an appropriate ATS exception (and, once this policy is enforced by App Review, justify that to App Review).

                                                                              As to what sort of “reasonable justification” that App Review will accept for third-party SDKs accessing third-party servers, I can’t speak to that.

                                                                              Share and Enjoy

                                                                              Quinn “The Eskimo!”
                                                                              Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                                                              let myEmail = "eskimo" + "1" + "@apple.com"

                                                                        • Re: App Transport Security REQUIRED January 2017
                                                                          gdakram Level 1 Level 1 (0 points)

                                                                          What would the ad banner serving implications of this be in WebView? Unless I set `NSAllowsArbitraryLoadsInWebContent` to YES, it will fail in 2 cases

                                                                           

                                                                          1. Destination site is on http

                                                                          2. Destination site is on https, but can't support TLS v1.2.

                                                                           

                                                                          Seems like we just always have to justify this during app store submission. Thoughts?

                                                                          • Re: App Transport Security REQUIRED January 2017
                                                                            maya.z Level 1 Level 1 (10 points)

                                                                            Thank you Quinn for your answers. We are supporting and creating many applications, some are legacy applications with a low maintenance rate (this means that we rarely update them in the store).

                                                                            Is Apple planning to review apps that are already in the store? Must we modify and update them asap to support the security requirements or can we leave them as is for now?

                                                                              • Re: App Transport Security REQUIRED January 2017
                                                                                eskimo Apple Staff Apple Staff (6,995 points)

                                                                                Again, I have to stress that I don’t work for App Review and thus can’t speak definitively on their behalf.  However, with regards this:

                                                                                Is Apple planning to review apps that are already in the store?

                                                                                App Review has specifically announced that they plan to go back and look at existing apps on the store.  See the App Store Improvements developer news post for details.

                                                                                Having said that, this ATS requirement is very new (hey, it’s not being enforced even as I type), so I imagine you have some lead time on this front.

                                                                                Share and Enjoy

                                                                                Quinn “The Eskimo!”
                                                                                Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                                                                let myEmail = "eskimo" + "1" + "@apple.com"

                                                                              • Re: App Transport Security REQUIRED January 2017
                                                                                acanare Level 1 Level 1 (0 points)

                                                                                In case the app only supports iOS 9 and below, built using Xcode 7.x, will adding NSAllowsArbitraryLoads suffice - the app won't get rejected? Or is adding options like NSAllowsArbitraryLoadsInWebContent still needed? Thanks!

                                                                                  • Re: App Transport Security REQUIRED January 2017
                                                                                    eskimo Apple Staff Apple Staff (6,995 points)

                                                                                    In case that the app only supports iOS 9 and below …

                                                                                    I would have thought not supporting the latest release of iOS was grounds for rejection in and of itself (-:

                                                                                    Seriously though, only App Review can give you definitive answers about edge cases like this.

                                                                                    Share and Enjoy

                                                                                    Quinn “The Eskimo!”
                                                                                    Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                                                                    let myEmail = "eskimo" + "1" + "@apple.com"
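Several posts above ask how `NSAllowsArbitraryLoads`, `NSAllowsArbitraryLoadsInWebContent` and per-domain exceptions combine. The following is an added example, not code from any poster or from Apple: a small auditor that reads an Info.plist and lists each ATS relaxation that would need justifying. It includes the documented iOS 10 behaviour that `NSAllowsArbitraryLoads` is ignored when one of the narrower keys is present. The sample plist and its domains are constructed, and the severity labels are this example's own.

```python
import plistlib

# Constructed Info.plist for illustration; the domains are placeholders.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>NSAppTransportSecurity</key><dict>
  <key>NSAllowsArbitraryLoads</key><true/>
  <key>NSAllowsArbitraryLoadsInWebContent</key><true/>
  <key>NSExceptionDomains</key><dict>
    <key>ads.example.net</key><dict>
      <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
      <key>NSIncludesSubdomains</key><true/>
    </dict>
    <key>legacy.example.org</key><dict>
      <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
    </dict>
  </dict>
</dict>
</dict></plist>"""

# Keys that, when present, make iOS 10 and later ignore NSAllowsArbitraryLoads.
SCOPED_KEYS = ("NSAllowsArbitraryLoadsInWebContent", "NSAllowsLocalNetworking")


def audit_ats(plist_bytes):
    """Return (severity, scope, message) findings for each ATS relaxation."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    scoped = [k for k in SCOPED_KEYS if k in ats]
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        if scoped:
            findings.append(("medium", "NSAllowsArbitraryLoads",
                             "disables ATS on iOS 9; ignored on iOS 10+ because "
                             + ", ".join(scoped) + " is present"))
        else:
            findings.append(("high", "NSAllowsArbitraryLoads",
                             "ATS is off for every domain without its own entry"))
    for key in scoped:
        if ats[key]:
            findings.append(("medium", key, "ATS relaxed for this class of loads"))
    for domain, opts in sorted(ats.get("NSExceptionDomains", {}).items()):
        scope = domain + (" (+subdomains)" if opts.get("NSIncludesSubdomains") else "")
        if opts.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(("medium", scope, "cleartext HTTP allowed"))
        tls = opts.get("NSExceptionMinimumTLSVersion")
        if tls in ("TLSv1.0", "TLSv1.1"):
            findings.append(("medium", scope, "minimum TLS lowered to " + tls))
    return findings


if __name__ == "__main__":
    for finding in audit_ats(SAMPLE_PLIST):
        print(*finding, sep=" | ")
```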

                                                                                  • Re: App Transport Security REQUIRED January 2017
                                                                                    canelia Level 1 Level 1 (0 points)

                                                                                    NSAllowsLocalNetworking: YES

                                                                                    • Re: App Transport Security REQUIRED January 2017
                                                                                      chemm Level 1 Level 1 (0 points)
                                                                                      • Re: App Transport Security REQUIRED January 2017
                                                                                        Minas90 Level 1 Level 1 (0 points)

                                                                                        Hi there,

                                                                                        I have a news app which loads arbitrary rss feeds, some are http and some are https.

                                                                                        App gets the feeds list from the backend, so I may add new rss http feed without updating my app. Is it “reasonable justification” to use NSAllowsArbitraryLoads?

                                                                                          • Re: App Transport Security REQUIRED January 2017
                                                                                            eskimo Apple Staff Apple Staff (6,995 points)

                                                                                            Is it “reasonable justification” to use NSAllowsArbitraryLoads?

                                                                                            This is a question about App Review policy, and only App Review can give you definitive answers about that.

                                                                                            In your shoes I’d consider avoiding the whole issue by having my back end proxy the RSS feeds in question; that way your client app would only ever need to talk to your back end.

                                                                                            Share and Enjoy

                                                                                            Quinn “The Eskimo!”
                                                                                            Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                                                                            let myEmail = "eskimo" + "1" + "@apple.com"

                                                                                          • Re: App Transport Security REQUIRED January 2017
                                                                                            eskimo Apple Staff Apple Staff (6,995 points)

                                                                                            Greetings All

                                                                                            I’m taking the extraordinary measure of locking this thread (for reasons I’ll outline below).  If you have an ATS question, please do the following:

                                                                                            1. Read my App Transport Security pinned post, just in case your question has been answered there.

                                                                                            2. If not, put your question in a new thread in the Core OS > Networking area (click the Start a discussion link, which you’ll find on the right towards the top).


                                                                                            I’m locking this thread for two reasons:

                                                                                            • Given recent development, the thread title is now misleading.

                                                                                            • It’s clear that this thread has become a catch all for ATS questions in general, which has resulted in it growing to an unwieldy size.  It would be better if each of those questions was in its own separate thread, allowing us to drive the question to a conclusion while keeping the thread length manageable.

                                                                                            Thanks for understanding!

                                                                                            Share and Enjoy

                                                                                            Quinn “The Eskimo!”
                                                                                            Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                                                                            let myEmail = "eskimo" + "1" + "@apple.com"