App Transport Security REQUIRED January 2017

This thread has been locked by a moderator; it no longer accepts new replies.

As the title notes, Apple announced that ATS will be REQUIRED of all apps as of January 2017.

This also means the exceptions that currently exist will no longer exist. Which means for most of us who use our own domains to host our websites but don't pay extra for https that those domains will no longer be accessible in iOS.


Is there a workaround for this that will be usable in January? If not, what the heck is Apple thinking?


NSAllowsLocalNetworking: YES

Hi Quinn


I am still puzzled regarding 3rd party servers. As Kinol stated:

For third-party servers that the App connects to, any ATS exemption can be used, including domain-specific blacklisted exemptions, as Apple has stated that not having control of the server was a reasonable justification.

Doing so will require identifying the list of third-party servers the App connects to, in order to be able to add the proper domain-specific ATS exemptions to the App.


In iOS 10: Are we developers expected to reach out to all our 3rd party SDK providers to verify that they support secure connections and, if they do not, are we expected to provide their domain list (for use in the exceptions)? Is there any other practice you can suggest?


Thanks

Maya

I am still puzzled regarding 3rd party servers.

From Apple’s perspective, you are responsible for the code running inside your app. Ignoring ATS for the moment, if you use a third-party library that does something dumb (uses a private API, fills the user’s disk with junk, or whatever), it’s obvious that App Review will hold you responsible for that behaviour.

ATS is no different from this. If ‘your’ code is accessing a server, you need to ensure it uses ATS-compliant HTTPS, or you need to add an appropriate ATS exception (and, once this policy is enforced by App Review, justify that to App Review).

As to what sort of “reasonable justification” that App Review will accept for third-party SDKs accessing third-party servers, I can’t speak to that.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

"IMPORTANT The presence of NSAllowsArbitraryLoadsInWebContent causes iOS 10 to ignore NSAllowsArbitraryLoads. This results in best practice security on iOS 10 while maintaining compatibility with iOS 9."


Thanks for this info, that was causing me a lot of confusion.
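The override rule quoted in the post above, and the domain-specific exceptions discussed earlier in the thread, can be checked mechanically. The following Python audit is an added example, not part of the original thread or Apple's code; the sample Info.plist and its example.com hosts are constructed, and the two override keys other than NSAllowsArbitraryLoadsInWebContent come from Apple's Info.plist key documentation rather than this page.

```python
import plistlib

# Constructed sample Info.plist; the example.com hosts are placeholders.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSAllowsArbitraryLoadsInWebContent</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>feeds.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSIncludesSubdomains</key><true/>
      </dict>
      <key>api.example.com</key>
      <dict>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.2</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>"""

# Keys whose mere presence makes iOS 10+ ignore NSAllowsArbitraryLoads.
# The thread quotes the first; the other two are from Apple's key reference.
OVERRIDE_KEYS = ("NSAllowsArbitraryLoadsInWebContent",
                 "NSAllowsArbitraryLoadsForMedia",
                 "NSAllowsLocalNetworking")

def audit_ats(plist_bytes):
    """Summarise the effective ATS exceptions declared in an Info.plist."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    arbitrary = bool(ats.get("NSAllowsArbitraryLoads", False))
    overriding = [k for k in OVERRIDE_KEYS if k in ats]
    insecure = sorted(host for host, rules in ats.get("NSExceptionDomains", {}).items()
                      if rules.get("NSExceptionAllowsInsecureHTTPLoads", False))
    return {
        "arbitrary_loads_ios9": arbitrary,            # iOS 9 does not know the newer keys
        "arbitrary_loads_ios10": arbitrary and not overriding,
        "ignored_because_of": overriding,
        "insecure_http_domains": insecure,            # hosts needing a justification
    }

if __name__ == "__main__":
    for name, value in audit_ats(SAMPLE_PLIST).items():
        print(f"{name}: {value}")
```
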

Hi there,

I have a news app which loads arbitrary RSS feeds, some are http and some are https.

App gets the feeds list from the backend, so I may add a new RSS http feed without updating my app. Is it “reasonable justification” to use NSAllowsArbitraryLoads?

Is it “reasonable justification” to use NSAllowsArbitraryLoads?

This is a question about App Review policy, and only App Review can give you definitive answers about that.

In your shoes I’d consider avoiding the whole issue by having my back end proxy the RSS feeds in question; that way your client app would only ever need to talk to your back end.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Greetings All

I’m taking the extraordinary measure of locking this thread (for reasons I’ll outline below). If you have an ATS question, please do the following:

  1. Read my App Transport Security pinned post, just in case your question has been answered there.

  2. If not, put your question in a new thread in the Core OS > Networking area (click the Start a discussion link, which you’ll find on the right towards the top).

I’m locking this thread for two reasons:

  • Given recent development, the thread title is now misleading.

  • It’s clear that this thread has become a catch all for ATS questions in general, which has resulted in it growing to an unwieldy size. It would be better if each of those questions was in its own separate thread, allowing us to drive the question to a conclusion while keeping the thread length manageable.

Thanks for understanding!

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"