iOS Tutorial ATS - App Transport Security

Discussion in 'iOS Tutorials' started by Erel, Dec 18, 2016.

  1. Erel

    Erel Administrator Staff Member Licensed User

    ATS is a security feature that prevents applications from making non-SSL HTTP connections. This means that when ATS is enabled, applications can only access https URLs.

    Starting from 1/1/2017, ATS must be enabled on new or updated applications. Apple has postponed this requirement.
    New projects enable ATS by default:
    #ATSEnabled: True
    If you are only calling https urls or not making any calls then you don't need to do anything else.
    Note that ATS is not enforced when making calls to ip addresses. Only when making calls to host names.

    If you are making unsecured calls to specific domains then you can add an exclusion for those domains:
    #PlistExtra: <key>NSAppTransportSecurity</key><dict><key>NSAllowsArbitraryLoads</key><false/>
    #PlistExtra: <key>NSExceptionDomains</key><dict>
    'list the excluded domains ( and
    #PlistExtra: <key></key><dict><key>NSIncludesSubdomains</key><true/><key>NSExceptionAllowsInsecureHTTPLoads</key><true/></dict>
    #PlistExtra: <key></key><dict><key>NSIncludesSubdomains</key><true/><key>NSExceptionAllowsInsecureHTTPLoads</key><true/></dict>
    'end of excluded domains
    #PlistExtra: </dict>
    #PlistExtra: </dict>
    If you want to show non-secure pages in WebView and allow the user to navigate to other domains as well:
    #PlistExtra: <key>NSAppTransportSecurity</key><dict><key>NSAllowsArbitraryLoads</key><true/>
    #PlistExtra: <key>NSAllowsArbitraryLoadsInWebContent</key><true/>
    #PlistExtra: </dict>
    Note that NSAllowsArbitraryLoads is true this time. NSAllowsArbitraryLoadsInWebContent is only applied on iOS 10+. When it is applied it cancels NSAllowsArbitraryLoads.
    Apps with this key require a justification:

    Another option which is relevant if you are targeting iOS 9+ is to use SafariController from the iUI9 library.

    SafariController is a powerful embedded browser:
    SafariController can access all pages. No need to add any exclusion.
    Last edited: Jun 5, 2017
    yiankos1, MikeH, valentino s and 5 others like this.
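An added example, not part of Erel's post or of B4i: a small Python audit of the NSAppTransportSecurity dictionary that the #PlistExtra lines above end up writing into Info.plist, showing which plain-http loads are effectively allowed on iOS 9 versus iOS 10+. The function name `audit_ats` and the domain `example.com` are assumptions made for the illustration.

```python
import plistlib

# Constructed sample: the WebView configuration from the post above, plus one
# excluded domain (example.com is a placeholder, not a value from the thread).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>NSAppTransportSecurity</key><dict>
  <key>NSAllowsArbitraryLoads</key><true/>
  <key>NSAllowsArbitraryLoadsInWebContent</key><true/>
  <key>NSExceptionDomains</key><dict>
    <key>example.com</key><dict>
      <key>NSIncludesSubdomains</key><true/>
      <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
    </dict>
  </dict>
</dict>
</dict></plist>"""


def audit_ats(plist_bytes, ios_major):
    """Return the effective ATS policy for a given iOS major version."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    arbitrary = bool(ats.get("NSAllowsArbitraryLoads", False))
    web_content = bool(ats.get("NSAllowsArbitraryLoadsInWebContent", False))
    # The web-content key is only applied on iOS 10+, and when it is applied
    # it cancels NSAllowsArbitraryLoads.
    web_key_applied = "NSAllowsArbitraryLoadsInWebContent" in ats and ios_major >= 10
    if web_key_applied:
        arbitrary = False
    insecure = []
    for domain, rule in ats.get("NSExceptionDomains", {}).items():
        if rule.get("NSExceptionAllowsInsecureHTTPLoads", False):
            scope = " and subdomains" if rule.get("NSIncludesSubdomains", False) else ""
            insecure.append(domain + scope)
    findings = []
    if arbitrary:
        findings.append("ATS disabled for all connections")
    if web_key_applied and web_content:
        findings.append("plain http allowed in web views")
    findings += ["plain http allowed for " + d for d in sorted(insecure)]
    return {"app_http_allowed": arbitrary,
            "webview_http_allowed": arbitrary or (web_key_applied and web_content),
            "insecure_domains": sorted(insecure),
            "findings": findings}


if __name__ == "__main__":
    for version in (9, 10):
        print(version, audit_ats(SAMPLE_PLIST, version))
```

On iOS 9 the same plist leaves ATS off for every connection the app makes, which is the case to look for when reviewing an app that still supports that version.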
  2. Pendrush

    Pendrush Well-Known Member Licensed User

    Can we use NSAllowsArbitraryLoadsForMedia?
  3. Erel

    Erel Administrator Staff Member Licensed User

    Pendrush likes this.
  4. joilts

    joilts Member Licensed User

    Is it possible to use self-signed Certificates in this situation?
  5. Erel

    Erel Administrator Staff Member Licensed User

    Yes. But you will need to install the certificate on each device (like with the B4I certificate).

    You can use the excluded domains feature instead.

    Note that there are now free SSL certificates that you can use:
    joilts likes this.
  6. Erel

    Erel Administrator Staff Member Licensed User

  7. fabton1963

    fabton1963 Member Licensed User

    I'm using a letsencrypt certificate on my server but, if I set ATSEnabled true, I cannot open a remote page using webview
  8. Erel

    Erel Administrator Staff Member Licensed User

    I guess that the certificate is not recognized by your device. Do you see any error message?