Having carefully worked through Apple's Technical Note I proudly labelled my app to allow insecure access to our own site (which doesn't encrypt) while leaving App Transport Security at its default setting for other sites. This would allow secure access to Worldpay's site, through which we do all our "outside App Store" payments.
This worked perfectly, up to the moment I tried it. It connected to our own site without trouble (so my info.plist setting was correct) and then failed to get through to Worldpay. It turns out that none of Worldpay's cipher suites offer forward secrecy. I have sent a report to Worldpay and I am sure that they will do something about it soon.
But this raises a question which I'd like other developers' perspective on. When one makes a payment through Worldpay (or another payment processor), that is not the only site involved. You will probably have noticed that from time to time your own bank inserts its own page, from its own server, into the purchasing process, for extra security. There are hundreds if not thousands of such banks. Even if Worldpay get their act together, some of the banks won't.
So we, as developers, have a choice. We can protect our users in the name of security, and randomly block some of them from ever paying us at all. When one of them complains, we can ask them for the URL of the bank's "additional information page" (which they won't know and have no way of knowing), add it to the exception list in Info.plist, and resubmit the app.
Or we can turn off App Transport Security altogether.
I know which I'd choose. But am I missing something obvious somewhere? Is turning off security the only way to do e-commerce?