App Transport Security and local networking


it seems that "App Transport Security" is also enabled by default for communication on the local network (http transfers between devices on the same wifi network).

In many cases such wifi devices (e.g. wifi based sd cards, mobile wifi harddisks) do not support https; so http needs to be used.

What is the recommended way to handle these cases as the domain based exception cant be applied here?
Is there any way to disable App Transport Security for private networks?



Right now we don't have a great story for this (apparently you can use an IP as an ATS exception domain, but that will only help if you're always talking to the same IP address). For the moment you should just disable ATS via the NSAllowsArbitraryLoads key.

Also, I'd appreciate you filing a bug that describes your requirements so that we can contemplate how best to address this in the future. And please post your bug number, just for the record.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + ""

It also disables HTTP requests on localhost, which is usually where I'm running a server (e.g. the same Mac I'm running Xcode on). I added an exception in Info.plist for localhost, but I'd really like to see a default exception for that instead of adding this exception to every project.

I've filed an enhancement request: 21519087

I have a similar problem, communicating with other programms or devices in the LAN (even localhost) via XML-RPC.

Enhancement request: 21579094

I posted my suggestions regarding App Transport Security and local networking as Enhancement request: 21669759

Excerpt from the radar:

In local networking scenarios (like communicating with DLNA servers, appliances like Philips Hue Lights, Wi-FI SD cards, wireless hard disks) it's often not possible to implement HTTPS/TLS based communication as required by App Transport Security. The target devices do not support HTTPS/TLS and in many cases never will.

At the moment communicating with these devices, requires disabling App Transport Security for the entire application (NSAllowsArbitraryLoads = true) as domain based exceptions can't be applied here.

It should be possible to disable App Transport Security for local networking without compromising the security of the whole app.

Suggestion: Introduce a key NSAllowsArbitraryLoadsLocalNetworkOnly. When this key is set to true, it allows unencrypted http communication between devices on the same local network (IPv4,, and IPv6 fd00::/8, and for development purposes).

If anyone has better ideas how to handle these cases, I am looking forward to hear them.



What keys/dictionaries did you use to disable ATS for localhost only? I've tried various combinations of the exceptions listed in the tech notes and haven't had any success.

I'll file a radar requesting that localhost be excempted by default from ATS... or at least allow a specific key to deal with it specifically.

bwalker wrote:

I've filed an enhancement request: 21519087

Tolibi wrote:

Enhancement request: 21579094

thanatos0801 wrote:

I'll file a radar requesting that localhost be excempted by default from ATS... or at least allow a specific key to deal with it specifically.

hhtouch wrote:

I posted my suggestions regarding App Transport Security and local networking as Enhancement request: 21669759

Thanks everyone.

@thanatos0801, what was your bug number?

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + ""

(apparently you can use an IP as an ATS exception domain ...).

It seems that IP addresses aren't working as expected. Specifically, I set up my property list as shown:


then issued requests to and http://localhost:12345/. The latter works but the former gets blocked by ATS. I've filed a bug about this.

So, using

seems to be fine for folks doing loopback stuff but folks trying to connect to nearby IP addresses (like will need to stick with
for the moment.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + ""

My bug number is


Great! After fiddling around a little more with my own code and using the keys you listed, I was able to get the localhost exception to work. I still think it would be a good idea to excempt localhost by default, and allow people who really want to be super-careful to turn that off in the exceptions list (per my bug), but this will get us enough functionality to work with for now.


I have the the problem with local and remote hosts.

NSAllowsArbitraryLoads doesn't work for me.

I am using XCode 7 Beta 3

is a 'fix everything' option; it basically disables ATS entirely. If it's not working for you, it's likely that you've not configured it correctly.

Be aware that the App Transport Security Technote has a bug in how it describes

. Table 1-1 implies that
should be nested within
. This is incorrect.
is a top-level key within
. So you're
dictionary should like this:

I tested this myself just yesterday (Xcode 7.0b3, iOS 9.0b3) and it works as I've described.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + ""

Is there anything new in iOS 9 Beta 4 regarding App Transport Security and local networking?

NSAllowsArbitraryLoads is not disabling the App Transport Security and is not working for me. I've tested in iOS 9 Beta 3 and Beta 4. Can some one please help me to resolve this?

My post on thread dated 15 Jul covers this: I specifically tested

on 9.0b3 and it worked as expected (although, as described in the post, not as documented). Please read it through.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + ""

I've filed an issue as well: 22127901

Is there any indication of when this might be addressed?

I've filed an issue as well: 22127901

Thank you.

Is there any indication of when this might be addressed?

Which issue specifically? There's a bunch of related issues covered by this thread, all of which have workarounds, although some are less satisfactory than others.

However, as far as future changes to the OS are concerned, that's not something I can speculate on; DTS Engineers aren't issued with a crystal ball, alas.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + ""

Sorry, specifically I meant the top level issue of local requests being blocked by default w/ ATS. The common theme seems to be that yes, you can add a plist exception for it, but it would be cleaner to allow localhost by default and have the exception be to block it. I was just asking in case you'd be able to share any known changes coming in the next beta/release.

I meant the top level issue of local requests being blocked by default w/ ATS.

Hence my request for clarification. I'd argue that the top level issue here, the one raised by the hhtouch when they opened the thread, relates to accessing nearby networks not to accessing localhost.

Regardless, on the localhost front, it seems that bwalker filed a perfectly reasonable enhancement request for that (21519087) and there's a perfectly reasonable workaround (adding a ATS exception), so it's really just a question of waiting to see what iOS Engineering makes of the issue.

I was just asking in case you'd be able to share any known changes coming in the next beta/release.

You'll find that Apple folks really don't like discussing the future, even the relatively near future like the iOS 9 beta release cycle.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + ""

Not working here anymore...was working last Thursday the 13th, stopped on Friday.

Anyone else notice that this doesn't work anymore...

  1. <key>NSAppTransportSecurity</key>
  2. <dict>
  3. <key>NSAllowsArbitraryLoads</key>
  4. <true/>
  5. </dict>

Not working here anymore […]

I retested this on iOS 9.0b5 and it’s working as expected. Specifically:

  1. I wrote a tiny test program that fetches
  2. I ran it without a

    dictionary; the load failed (there’s a transcript of the error at the end of this email).
  3. I ran it with the

    dictionary shown in my Jul 15 post; it worked.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + ""
2015-08-18 08:29:26.310 QTestbed[7515:5780925] task start
2015-08-18 08:29:26.983 QTestbed[7515:5781012] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)
2015-08-18 08:29:26.985 QTestbed[7515:5780925] task error NSURLErrorDomain / -1200

NSAllowsArbitraryLoads is not disabling the App Transport Security for the Watch, I'm using Watch OS 2 Beta 5, XCode 7 beta 6.

Any ideas if this is gonna work for the Watch at some point?

NSAllowsArbitraryLoads is not disabling the App Transport Security for the Watch …

I think you need to start a new thread for this new topic. It took me a while to find your post in this long and complex thread, even though I knew it was there.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + ""

Thanks for your response.

This is the new thread I created.

+1 for

Suggestion: Introduce a key NSAllowsArbitraryLoadsLocalNetworkOnly. When this key is set to true, it allows unencrypted http communication between devices on the same local network (IPv4,, and IPv6 fd00::/8, and for development purposes).

+1 for

Suggestion: Introduce a key NSAllowsArbitraryLoadsLocalNetworkOnly. When this key is set to true, it allows unencrypted http communication between devices on the same local network (IPv4,, and IPv6 fd00::/8, and for development purposes).

App Transport Security and local networking