A description of changes made to the default security for HTTP connections.
- iOS 9.0+
- macOS 10.11+
- App Transport Security Settings
On Apple platforms, a networking feature called App Transport Security (ATS) improves privacy and data integrity for all apps and app extensions. ATS requires that all HTTP connections made with the URL Loading System—typically using the NSURLSession class—use HTTPS. It further imposes extended security checks that supplement the default server trust evaluation prescribed by the Transport Layer Security (TLS) protocol. ATS blocks connections that fail to meet minimum security specifications. For additional details, see Preventing Insecure Network Connections.
You can circumvent or augment these protections by adding the NSAppTransportSecurity key to your app’s Information Property List file and providing an ATS configuration dictionary as the value. For example, you can:
- Allow insecure loads for web views while maintaining ATS protections elsewhere in your app using the Arbitrary Loads In Web Content key.
- Enable additional security features like Certificate Transparency using the NSRequiresCertificateTransparency key.
- Reduce or remove security requirements for communication with particular servers using the NSExceptionDomains key.
All keys in the ATS configuration dictionary are optional, with default values that are suitable for most apps. Keys that define global exceptions apply to all network connections made by your app, except connections to domains specified in the NSExceptionDomains sub-dictionary. That sub-dictionary allows you to separately manage settings for individual domains.
ATS operates by default for apps linked against the iOS 9.0 or macOS 10.11 SDKs or later. When you link your app against an older SDK, ATS is disabled no matter which version of the operating system your app runs on.
If you specify a value for any of the global exceptions besides NSAllows, then the ATS behavior depends on the version of the OS on which your app runs:
- iOS 9.0 or macOS 10.11
  ATS uses the NSAllows value that you set, or NO by default, and ignores the other global exceptions.
- iOS 10.0 or later or macOS 10.12 or later
  ATS ignores the NSAllows value that you set and instead obeys the other key or keys.
This behavior enables you to manage differences between OS versions. You provide a coarse exception (NSAllows) for older versions, and a more targeted exception, like NSAllows, for when it’s available.
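The OS-version rule above can be checked mechanically when reviewing an app's Info.plist. The following Python audit is an added example, not Apple's code: it reports which global exceptions take effect on each OS generation and which domains are carved out by NSExceptionDomains. It assumes the coarse key is NSAllowsArbitraryLoads and the targeted keys are NSAllowsArbitraryLoadsInWebContent, NSAllowsArbitraryLoadsForMedia and NSAllowsLocalNetworking (real ATS key names); the function names and the sample plist are constructed for illustration.

```python
import plistlib

# Global exceptions other than the coarse NSAllowsArbitraryLoads key (assumed set).
TARGETED = ("NSAllowsArbitraryLoadsInWebContent",
            "NSAllowsArbitraryLoadsForMedia",
            "NSAllowsLocalNetworking")

def effective_globals(ats, legacy_os):
    """legacy_os=True models iOS 9.0/macOS 10.11, False models later versions."""
    arbitrary = bool(ats.get("NSAllowsArbitraryLoads", False))
    if not any(k in ats for k in TARGETED):
        # No targeted key specified: the coarse key applies on every OS.
        return {"NSAllowsArbitraryLoads": arbitrary}
    if legacy_os:
        # Older OS: only the coarse key is used, other global keys are ignored.
        return {"NSAllowsArbitraryLoads": arbitrary}
    # Newer OS: the coarse key is ignored and the targeted keys are obeyed.
    eff = {"NSAllowsArbitraryLoads": False}
    eff.update({k: bool(ats[k]) for k in TARGETED if k in ats})
    return eff

def audit(plist_bytes):
    """Return readable findings for the ATS dictionary in an Info.plist."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    for label, legacy in (("iOS 9.0/macOS 10.11", True),
                          ("iOS 10.0+/macOS 10.12+", False)):
        for key, on in sorted(effective_globals(ats, legacy).items()):
            if on:
                findings.append(f"{label}: {key} is in effect")
    for domain in sorted(ats.get("NSExceptionDomains", {})):
        findings.append(f"{domain}: global exceptions do not apply to this domain")
    return findings

# Constructed sample Info.plist fragment (legacy.example is a placeholder domain).
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSAllowsArbitraryLoadsInWebContent</key><true/>
    <key>NSExceptionDomains</key><dict>
      <key>legacy.example</key><dict/>
    </dict>
  </dict>
</dict></plist>"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

In the sample, the coarse exception is live only on the oldest OS generation, so a reviewer can see that the broad setting is scoped to iOS 9.0/macOS 10.11 while newer systems get only the web-content exception.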