iOS Tutorial ATS - App Transport Security

ATS is a security feature that prevents applications to make non-ssl http connections. This means that when ATS is enabled applications can only access https urls.

Starting from 1/1/2017, ATS must be enabled on new or updated applications. Apple has postponed this requirement.
New projects enable ATS by default:
B4X:
#ATSEnabled: True

If you are only calling https urls or not making any calls then you don't need to do anything else.
Note that ATS is not enforced when making calls to ip addresses. Only when making calls to host names.

If you are making unsecured calls to specific domains then you can add an exclusion to those domains
B4X:
#PlistExtra: <key>NSAppTransportSecurity</key><dict><key>NSAllowsArbitraryLoads</key><false/>
#PlistExtra: <key>NSExceptionDomains</key><dict>
'list the excluded domains (example.com and b4x.com)
#PlistExtra: <key>example.com</key><dict><key>NSIncludesSubdomains</key><true/><key>NSExceptionAllowsInsecureHTTPLoads</key><true/></dict>
#PlistExtra: <key>b4x.com</key><dict><key>NSIncludesSubdomains</key><true/><key>NSExceptionAllowsInsecureHTTPLoads</key><true/></dict>
'end of excluded domains
#PlistExtra: </dict>
#PlistExtra: </dict>

If you want to show non-secure pages in WebView and allow the user to navigate to other domains as well:
B4X:
#PlistExtra: <key>NSAppTransportSecurity</key><dict><key>NSAllowsArbitraryLoads</key><true/>
#PlistExtra: <key>NSAllowsArbitraryLoadsInWebContent</key><true/>
#PlistExtra: </dict>

Note that NSAllowsArbitraryLoads is true this time. NSAllowsArbitraryLoadsInWebContent is only applied on iOS 10+. When it is applied it cancels NSAllowsArbitraryLoads.
Apps with this key require a justification: https://developer.apple.com/library...Keys.html#//apple_ref/doc/uid/TP40009251-SW59

Another option which is relevant if you are targeting iOS 9+ is to use SafariController from the iUI9 library.

SafariController is a powerful embedded browser: https://www.b4x.com/android/forum/threads/iui9-safari-controller.70552/#content
SafariController can access all pages. No need to add any exclusion.
 
Last edited:

fabton1963

Member
Licensed User
Longtime User
I'm using letsencrypt certificate in my server but, if I set ATSEnabled true,I cannot open remote page using webview
 
Top