The scope of App Transport Security

Hi,


I studied the basic knowledge of ATS, and i noticed that the scope of ATS is mentioned in the topic "Using ATS in Apple Frameworks" and "Availability of ATS for Remote and Local Connections" of post, but i still have some questions regarding the scope of ATS, can you help anwser below questions?

  1. The topic "Using ATS in Apple Frameworks" mentioned "ATS is enforced by the
    NSURLSession
    or
    NSURLConnection c
    lass and all APIs that use it,", but it does not mention the network connection for UIWebView, WKWebView, and AV Foundation framework. My question is, the network connection for UIWebView, WKWebView, and AV Foundation framework also based on NSURLSession or NSURLConnection? If the answer is No, can you help provide more detailed information for the scope of ATS in Apple Frameworks?
  2. The topic "Availability of ATS for Remote and Local Connections" mentioned "The system does not provide ATS protection to connections made to 'Internet protocol (IP) addresses'", but i found when ATS is fully enabled for the Application running on iOS 9 device, the connction(e.g. Using UIWebView to load http://10.170.78.111) blocked by ATS, this rule does not apply to iOS 9 device. My question is, does this rule only apply to iOS 10?
  3. The topic "Availability of ATS for Remote and Local Connections" mentioned "The system does not provide ATS protection to connections made to 'Unqualified host names'". My question is, does this rule apply to iOS 9? And can you help provide standard for "Unqualified host names"?


BR,

Bruce

Replies

1. [are] UIWebView, WKWebView, and AV Foundation framework also based on NSURLSession or NSURLConnection?

Yes. The exact API they use varies based on the specific framework and the OS version, but ATS applies to the web views and AV Foundation and has done since iOS 9.

2. … My question is, does this rule only apply to iOS 10?

Yes.

3. … does this rule apply to iOS 9?

No. This is another thing, like IP addresses, where ATS was relaxed in iOS 10.

Keep in mind that accessing unqualified host names (and

.local
host names) requires
NSAllowsLocalNetworking
.

And can you help provide standard for "Unqualified host names"?

An unqualified host name is one with no dots. For more background to this, see fully qualified domain name

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thanks for your reply.