App Transport Security REQUIRED January 2017

This thread has been locked by a moderator; it no longer accepts new replies.

As the title notes, Apple announced that ATS will be REQUIRED of all apps as of January 2017.

This also means the exceptions that currently exist will no longer exist. Which means for most of us who use our own domains to host our websites but don't pay extra for https that those domains will no longer be accessible in iOS.


Is there a work around for this that will be usable in January? If not, what the heck is Apple thinking?


As the title notes, Apple announced that ATS will be REQUIRED of all apps as of January 2017.

Currently, access via HTTPS has been implemented on all our internal service interfaces.


We have several questions below:

1. Could "image url" embedded in our app be accessed via HTTP?

2. Could "FLV streaming url" embedded in our app be accessed via HTTP?

3. Could we continue to use "NSExceptionDomains" to open HTTP access for specific domain name?

4. Since our app needs to support iOS 9 and now implemented WKWebKit, we wonder if "NSAllowsArbitraryLoads = YES" could be set separately under iOS 9?


Look forward to your soonest reply.


Best.

To start, let’s be clear that there are two parts to any ATS question:

  • how to make things work technically

  • App Review policy

As I mentioned above, I’m not able to help with App Review policy side of things, but my ATS pinned post has references to the published information on that front.

With that out of the way, let’s look at your questions:

1. Could "image url" embedded in our app be accessed via HTTP?

2. Could "FLV streaming url" embedded in our app be accessed via HTTP?

There’s not enough info to answer these questions. Specifically:

  • There’s no info about what API you’re using to access these resources, and the APIs really matter when it comes to ATS. For example:

    • If the resource is loaded by a web view, ATS has specific features to support that

    • If the resource is being loaded by BSD Sockets, ATS does not apply at all

  • It’s also not clear whether you’re asking about the technical or App Review side of this.

3. Could we continue to use "NSExceptionDomains" to open HTTP access for specific domain name?

I believe you’re talking about the App Review side of things here, which I’ve covered above.

4. Since our app needs to support iOS 9 and now implemented WKWebKit, we wonder if "NSAllowsArbitraryLoads = YES" could be set separately under iOS 9?

The standard approach here is to add two keys to your ATS dictionary:

  • NSAllowsArbitraryLoadsInWebContent
  • NSAllowsArbitraryLoads

This works as follows:

  • iOS 10 honours NSAllowsArbitraryLoadsInWebContent
  • iOS 9 ignores NSAllowsArbitraryLoadsInWebContent, but honours NSAllowsArbitraryLoads
  • older versions of iOS do not include ATS

IMPORTANT The presence of NSAllowsArbitraryLoadsInWebContent causes iOS 10 to ignore NSAllowsArbitraryLoads. This results in best practice security on iOS 10 while maintaining compatibility with iOS 9.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I've read this whole thread…and I don't know what my answer should be. My situation is simple: We allow users to subscribe to calendars. Calendar subscriptions are rarely on SSL - and they are not "web content". So do we pretty much remove this feature? We can't ask for specific overrides because it's user-entered input.

We allow users to subscribe to calendars. Calendar subscriptions are rarely on SSL - and they are not "web content" … We can't ask for specific overrides because it's user-entered input.

You should use NSAllowsArbitraryLoads. We continue to support this key for good reason: some apps need to be able to make insecure connections to arbitrary URLs input by the user. Previously NSAllowsArbitraryLoads was primarily used by web browsers, calendar apps, mail clients, and so on. It’s now no longer necessary for web browsers (due to NSAllowsArbitraryLoadsInWebContent) but it’s still relevant in the other cases.

Using NSAllowsArbitraryLoads will flag extra scrutiny during App Review but that does not mean you’ll automatically be rejected. Rather, you’ll have to provide reasonable justification for your use.

One thing you can do to improve the security of your app is to add NSExceptionDomains entries for the sites that should be secure. Let’s say your app talks to FooCal™, and the FooCal™ servers support ATS-compliant HTTPS. In that case you should add an NSExceptionDomains for foocal.example.com to your ATS exception dictionary so that ATS guarantees your security for those servers.

Similarly, if your app talks to servers you control (for analytics, say), you should make sure that they are ATS compliant and add them to NSExceptionDomains.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
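
An added example, not part of the original thread and not Apple's code: a simplified Python model of the key precedence described in the two replies above (the iOS 9 / iOS 10 handling of the two global keys, and NSExceptionDomains entries keeping ATS enforced for listed hosts). The plist, the function names and cal.example.org are constructed for illustration; how per-domain entries interact with web views is not modelled.

```python
import plistlib

# Constructed Info.plist (not from the thread): both global keys plus an
# NSExceptionDomains entry for the thread's hypothetical FooCal server.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSAllowsArbitraryLoadsInWebContent</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>foocal.example.com</key>
      <dict><key>NSIncludesSubdomains</key><true/></dict>
    </dict>
  </dict>
</dict></plist>"""
WEB_KEY = "NSAllowsArbitraryLoadsInWebContent"

def load_ats(plist_bytes):
    """Return the NSAppTransportSecurity dictionary (empty if absent)."""
    return plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})

def find_exception(ats, host):
    """Return the NSExceptionDomains entry covering host, or None."""
    host = host.lower().rstrip(".")
    for domain, entry in ats.get("NSExceptionDomains", {}).items():
        subs = entry.get("NSIncludesSubdomains", False)
        if host == domain.lower() or (subs and host.endswith("." + domain.lower())):
            return entry
    return None

def insecure_http_allowed(ats, host, ios_major, in_web_view=False):
    """Simplified model: may a plain-HTTP load to host proceed?"""
    if ios_major < 9:
        return True   # older versions of iOS do not include ATS
    if ios_major >= 10 and in_web_view and ats.get(WEB_KEY, False):
        return True   # iOS 10 honours the web-content key
    entry = find_exception(ats, host)
    if entry is not None:
        # A listed domain follows its own entry; without an insecure-load
        # key it keeps full ATS protection despite the global opt-out.
        return bool(entry.get("NSExceptionAllowsInsecureHTTPLoads", False))
    if ios_major >= 10 and WEB_KEY in ats:
        return False  # presence of the web key: NSAllowsArbitraryLoads ignored
    return bool(ats.get("NSAllowsArbitraryLoads", False))

if __name__ == "__main__":
    ats = load_ats(SAMPLE_PLIST)
    print([insecure_http_allowed(ats, "cal.example.org", v) for v in (8, 9, 10)])
```

Removing NSAllowsArbitraryLoadsInWebContent from the dictionary gives the calendar-app configuration from the second reply: arbitrary hosts load over HTTP on iOS 10 as well, while foocal.example.com stays ATS-protected.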

Thank you Quinn for the explanation so far. However I don't understand one thing: In the App Transport Security post, the Chapter "App Store Review for ATS" reads: "Your use of certain App Transport Security (ATS) keys triggers additional App Store review for your app, and requires you to provide justification."

Does it apply for the already available apps in the App Store? So my apps in the App Store would trigger an additional review by the Review Team?


Thank you in advance.


Kind regards,

Dennis

Hello, if my app has a button that makes this call and opens my website in Safari, will this not be allowed starting January 1st? Since my website isn't https I wasn't sure. Thanks for your help.


[[UIApplication sharedApplication] openURL:[NSURL URLWithString:@"http://www.samplewebsite.com"]];


-ismael

Hi Quinn, I appreciate the time you've taken to answer all these questions, but I still have one that remains. My app contains a video player that loads sources over HTTP. Come Jan 1, 2017, will iOS 10 devices prevent those videos from playing? Is there an automated prevention of loading resources over HTTP?


Thanks for the help.

Hi,

I have read the whole thread. I just want to ask whether developers who have enterprise applications will also need to use all HTTPS connections in their enterprise applications, or only the apps that are on the App Store need to implement HTTPS?


In my enterprise applications I currently have the key "Allow Arbitrary Loads" set to YES in the .plist file, which means it allows all HTTP connections from my applications.

So, do I need to remove this key from enterprise applications? Again, I am repeating myself: I am asking only about enterprise applications and not App Store applications.

Did you ever get an answer to your question?

App Review’s upcoming App Transport Security (ATS) requirement is about ATS, and ATS only applies to NSURLSession, the now-deprecated NSURLConnection, and APIs layered on top of those.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

So, do i need to remove [NSAllowsArbitraryLoads] from enterprise Applications ?

The announced change relates to App Review.

However, my recommendation is that you work hard to minimise your ATS exceptions, regardless of whether your app goes through App Review. Remember ATS’s requirements are not arbitrary: rather, they are set to give your users a reasonable level of security when talking over the network.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Are there any docs from Apple about this?

Are there any docs from Apple about this?

My App Transport Security pinned post has references to both the ATS technical documentation and to the published information about the upcoming App Review policy change.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

thanks a lot.

Hi,


I have a question, same kind as the one asked by abuzar, on NSAllowsArbitraryLoads = YES


Context:

- My app integrates an advertising SDK

- The advertising SDK does most of its connections on https, but some to third-party servers are http and we can't know the server in advance


After reading https://nabla-c0d3.github.io/blog/2016/08/14/ats-enforced-2017/, I have to refer to point

Third-party servers that the App connects to, for example via connections initiated by SDKs.


Third-Party Servers

For third-party servers that the App connects to, any ATS exemption can be used, including domain-specific blacklisted exemptions, as Apple has stated that not having control of the server was a reasonable justification.

Doing so will require identifying the list of third-party servers the App connects to, in order to be able to add the proper domain-specific ATS exemptions to the App.



My question concerns the underlined point: from what I understand, I will have to identify each non-SSL third-party server. I'm in a situation of using an advertising SDK that can't know in advance all servers my app will have to request (through this SDK).

And also this SDK provider might dynamically tell their SDK to connect to a new third-party server that provides ads (or even, as they say, a third-party server can point to a non-SSL address on another third-party server).


So in this case, if I use NSAllowsArbitraryLoads = YES, and justify it by the use of this advertising SDK that connects to third parties, will the validation process be validated and not be rejected for not identifying the third-party server? (because this is technically impossible)


Thank you

My question concerns the underlined point …

This is an App Review policy question and the only folks who can give you a definitive answer about App Review policy is App Review. AFAIK they’ve not published any guidance as to what exactly they consider to be “reasonable justification”. For links to the guidance that they have published, see my App Transport Security pinned post.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi eskimo and thank you for your answer.


So if I understand you well:

Starting January, if I want to release an app with NSAllowsArbitraryLoads = YES, I will have to explain where required that I need this parameter because of an advertising SDK (the “reasonable justification”).

But because there is no guidance from App Review team but to provide a “reasonable justification”, depending on who may review my app this justification may be rejected because of a different interpretation of it?

The point is there are no pre-reviews, and your questions now may require different responses later, once policy is firmed up.


** 12.21 note the deadline has been extended with details on any new deadline to follow.

What would Ad banner serving implications of this be in WebView? Unless I specify `NSAllowsArbitraryLoadsInWebContent` to YES, it will fail in 2 cases


1. Destination site is on http

2. Destination site is on https, but can't support TLS v1.2.


Seems like we just always have to justify this during app store submission. Thoughts?

Can we get an Apple response to this question please?

Can we get Apple to answer this question please?

Thank you Quinn for your answers. We are supporting and creating many applications, some are legacy applications with a low maintenance rate (this means that we rarely update them in the store).

Is Apple planning to review apps that are already in the store? Must we modify and update them asap to support the security requirements or can we leave them as is for now?

Again, I have to stress that I don’t work for App Review and thus can’t speak definitively on their behalf. However, with regards this:

Is Apple planning to review apps that are already in the store?

App Review has specifically announced that they plan to go back and look at existing apps on the store. See the App Store Improvements developer news post for details.

Having said that, this ATS requirement is very new (hey, it’s not being enforced even as I type), so I imagine you have some lead time on this front.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

In case the app only supports iOS 9 and below, built using Xcode 7.x, will adding NSAllowsArbitraryLoads suffice - the app won't get rejected? Or is adding options like NSAllowsArbitraryLoadsInWebContent still needed? Thanks!

In case that the app only supports iOS 9 and below …

I would have thought not supporting the latest release of iOS was grounds for rejection in and of itself (-:

Seriously though, only App Review can give you definitive answers about edge cases like this.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"