I found this https://forums.developer.apple.com/message/15705#15705
It says in the Apple docs:
Having thus started with default ATS protections for the named domains, you can optionally decrease or increase their protections individually. You can decrease a named domain’s protections to:
Allow insecure HTTP connections—without diminishing ATS protections for the HTTPS connections to a domain—by employing the NSExceptionAllowsInsecureHTTPLoadskey with a value of YES; doing this triggers App Store review, as described in App Store Review for ATS
App Store Review for ATS
Your use of certain App Transport Security (ATS) keys triggers additional App Store review for your app, and requires you to provide justification.Some examples of justifications eligible for consideration are:
- Must connect to a server managed by another entity that does not support secure connections
- Must support connecting to devices that cannot be upgraded to use secure connections, and that must be accessed via public host names
- Must provide embedded web content from a variety of sources, but cannot use a class supported by the NSAllowsArbitraryLoadsInWebContent
key - App loads media content that is encrypted and that contains no personalized information
When submitting your app to the App Store, provide sufficient information for the App Store to determine why your app cannot make secure connections by default.
So it looks like it is mandatory unless you can prove "reasonable justification" I am just wondering how some apps that I discovered where released in the last week are still using http for requests, I can't see any "reasonable justification" as to why they would be allowed. They are leaking users private information.