Does ATS differ between TestFlight and Release builds?

Hi everyone,

I hope I can provide enough context to receive helpful insight!

I found that the release build of my iOS app (iOS 15) seems to be able to connect to my local dev server (running on localhost) without any changes to Info.release.plist. This is fairly surprising, although I found this link that describes how App Transport Security (ATS) differs between iOS 9/macOS 10.11 and iOS 10+/macOS 10.12+. Namely, "no longer need[ing] an exception for" .local domains, IP addresses, and unqualified domains.

The above explains why Release builds can connect to local IP addresses, but doesn't explain the following questions:

  1. If connections to local IP addresses are allowed by ATS, why can't our Testflight build connect to a local IP address?
  2. What is different between the release build and Testflight build with regards to the above? They are being pulled from App Store and TestFlight respectively, and are configured by the same Info.release.plist from my observation.

Forum thread 69591 appears to be related, but does not address these questions. Any insight and/or resources would be greatly appreciated! Cheers

The HTTPS server trust evaluation done by the OS, and App Transport Security (ATS) is just one component of this, does not vary based on how you built, signed, or distributed your code. If you’re seeing different behaviour based on those factors, it’s because your code is behaving differently. This is pretty common: Many folks have different code paths in their app that disables or modifies HTTPS server trust evaluation based on the build configuration.

IMO it’s best to avoid this problem by setting your development server up with a certificate that’s trusted by iOS. QA1948 HTTPS and Test Servers explain one way of doing that.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Does ATS differ between TestFlight and Release builds?
 
 
Q