App Transport Security REQUIRED January 2017

This thread has been locked by a moderator.

As the title notes, Apple announced that ATS will be REQUIRED of all apps as of January 2017.

This also means the exceptions that currently exist will no longer exist. Which means for most of us who use our own domains to host our websites but don't pay extra for https that those domains will no longer be accessible in iOS.


Is there a work around for this that will be usable in January? If not, what the heck is Apple thinking?

Original post by RLKingSoftware (113k views)

Replies

Can we get Apple to answer this question please?

Thank you Quinn for your answers. We are supporting and creating many applications, some are legacy applications with a low maintenance rate (this means that we rarely update them in the store).

Is Apple planning to review apps that are already in the store? Must we modify and update them asap to support the security requirements or can we leave them as is for now?

Again, I have to stress that I don’t work for App Review and thus can’t speak definitively on their behalf. However, with regards this:

Is Apple planning to review apps that are already in the store?

App Review has specifically announced that they plan to go back and look at existing apps on the store. See the App Store Improvements developer news post for details.

Having said that, this ATS requirement is very new (hey, it’s not being enforced even as I type), so I imagine you have some lead time on this front.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

If the app only supports iOS 9 and below and is built using Xcode 7.x, will adding NSAllowsArbitraryLoads suffice, so the app won't get rejected? Or is adding options like NSAllowsArbitraryLoadsInWebContent still needed? Thanks!

In case that the app only supports iOS 9 and below …

I would have thought not supporting the latest release of iOS was grounds for rejection in and of itself (-:

Seriously though, only App Review can give you definitive answers about edge cases like this.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

NSAllowsLocalNetworking: YES

Hi Quinn


I am still puzzled regarding third-party servers. As Kinol stated:

For third-party servers that the App connects to, any ATS exemption can be used, including domain-specific blacklisted exemptions, as Apple has stated that not having control of the server was a reasonable justification.

Doing so will require identifying the list of third-party servers the App connects to, in order to be able to add the proper domain-specific ATS exemptions to the App.


In iOS 10: Are we developers expected to reach out to all our third-party SDK providers to verify that they support secure connections and, if they do not, are we expected to provide their domain list (for use in the exceptions)? Is there any other practice you can suggest?


Thanks

Maya

I am still puzzled regarding third-party servers.

From Apple’s perspective, you are responsible for the code running inside your app. Ignoring ATS for the moment, if you use a third-party library that does something dumb (uses a private API, fills the user’s disk with junk, or whatever), it’s obvious that App Review will hold you responsible for that behaviour.

ATS is no different from this. If ‘your’ code is accessing a server, you need to ensure it uses ATS-compliant HTTPS, or you need to add an appropriate ATS exception (and, once this policy is enforced by App Review, justify that to App Review).

As to what sort of “reasonable justification” that App Review will accept for third-party SDKs accessing third-party servers, I can’t speak to that.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

News from 2016/12/21 https://developer.apple.com/news/?id=12212016b

"IMPORTANT: The presence of NSAllowsArbitraryLoadsInWebContent causes iOS 10 to ignore NSAllowsArbitraryLoads. This results in best practice security on iOS 10 while maintaining compatibility with iOS 9."
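Quinn's point above (you are answerable for every ATS exception your app ships, including those a third-party SDK needs) and the news post just quoted (on iOS 10 the narrower key silences NSAllowsArbitraryLoads) both come down to knowing exactly what your Info.plist declares. The following audit script is an added example for this thread, not Apple's code or anything from the forum: it reads the NSAppTransportSecurity dictionary with Python's standard plistlib and reports the effective posture on iOS 9 versus iOS 10 plus every per-domain exception that would need a justification for App Review. It goes slightly beyond the quoted post by treating NSAllowsArbitraryLoadsForMedia and NSAllowsLocalNetworking the same way as NSAllowsArbitraryLoadsInWebContent, which is Apple's documented iOS 10 behaviour. The sample plist and its domain names are constructed for the demonstration.

```python
"""Audit the ATS (NSAppTransportSecurity) dictionary of an iOS Info.plist.

Added example, not Apple's code. Uses only the standard library.
"""
import plistlib

# Keys that make iOS 10 ignore NSAllowsArbitraryLoads when present
# (documented ATS behaviour; the thread's quoted news post states the
# NSAllowsArbitraryLoadsInWebContent case).
NARROWER_KEYS = (
    "NSAllowsArbitraryLoadsInWebContent",
    "NSAllowsArbitraryLoadsForMedia",
    "NSAllowsLocalNetworking",
)

# Constructed sample Info.plist: a global opt-out plus the iOS 10 web-content
# key plus two per-domain exceptions. Domain names are placeholders.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.newsreader</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSAllowsArbitraryLoadsInWebContent</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy-feeds.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSIncludesSubdomains</key><true/>
      </dict>
      <key>cdn.example.net</key>
      <dict>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Constructed plist with no ATS dictionary at all: fully ATS-compliant.
CLEAN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.clean</string>
</dict>
</plist>
"""


def audit_ats(plist_bytes):
    """Return a summary of the ATS exceptions declared in an Info.plist."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    arbitrary = bool(ats.get("NSAllowsArbitraryLoads", False))
    narrower = [key for key in NARROWER_KEYS if ats.get(key)]
    # Each per-domain dict is copied so the report is plain data.
    domains = {
        host: dict(settings)
        for host, settings in ats.get("NSExceptionDomains", {}).items()
    }
    return {
        # iOS 9 does not know the narrower keys, so the global opt-out applies.
        "arbitrary_loads_ios9": arbitrary,
        # iOS 10 ignores NSAllowsArbitraryLoads once a narrower key is present.
        "arbitrary_loads_ios10": arbitrary and not narrower,
        "narrower_keys": narrower,
        "domain_exceptions": domains,
        # Anything declared here is something App Review may ask you to justify.
        "needs_justification": bool(arbitrary or narrower or domains),
    }


def format_report(report):
    """Render the audit as human-readable lines (returned, not printed)."""
    lines = [
        f"NSAllowsArbitraryLoads effective on iOS 9:  {report['arbitrary_loads_ios9']}",
        f"NSAllowsArbitraryLoads effective on iOS 10: {report['arbitrary_loads_ios10']}",
    ]
    for key in report["narrower_keys"]:
        lines.append(f"narrower opt-out present: {key}")
    for host, settings in sorted(report["domain_exceptions"].items()):
        pairs = ", ".join(f"{k}={v}" for k, v in sorted(settings.items()))
        lines.append(f"domain exception {host}: {pairs}")
    if not report["needs_justification"]:
        lines.append("no ATS exceptions declared")
    return lines


if __name__ == "__main__":
    print("\n".join(format_report(audit_ats(SAMPLE_PLIST))))
```

Run it against the Info.plist of a built app bundle (which Xcode writes in XML or binary form; plistlib reads both) and hand the per-domain lines to whoever owns the App Review justification; third-party SDK domains show up here only if you have already added exceptions for them, which is exactly the inventory Quinn's answer says you are responsible for.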


Thanks for this info, that was causing me a lot of confusion.

Hi there,

I have a news app which loads arbitrary RSS feeds, some are http and some are https.

The app gets the feeds list from the backend, so I may add a new RSS http feed without updating my app. Is it “reasonable justification” to use NSAllowsArbitraryLoads?

Is it “reasonable justification” to use NSAllowsArbitraryLoads?

This is a question about App Review policy, and only App Review can give you definitive answers about that.

In your shoes I’d consider avoiding the whole issue by having my back end proxy the RSS feeds in question; that way your client app would only ever need to talk to your back end.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Greetings All

I’m taking the extraordinary measure of locking this thread (for reasons I’ll outline below). If you have an ATS question, please do the following:

  1. Read my App Transport Security pinned post, just in case your question has been answered there.

  2. If not, put your question in a new thread in the Core OS > Networking area (click the Start a discussion link, which you’ll find on the right towards the top).

I’m locking this thread for two reasons:

  • Given recent developments, the thread title is now misleading.

  • It’s clear that this thread has become a catch all for ATS questions in general, which has resulted in it growing to an unwieldy size. It would be better if each of those questions was in its own separate thread, allowing us to drive the question to a conclusion while keeping the thread length manageable.

Thanks for understanding!

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"