How do I enable Application Transport Security (ATS) restrictions

Hi all,

How do I ensure ATS is enabled within the iOS mobile application so that confidential information sent between the application and the back-end servers is secured and cannot be intercepted by man-in-the-middle style attacks?

Below is what I have already set, but it still fails the penetration test.

In this case I will provide some general guidance and best practices for your situation, but you will need to take this information and apply it to your environment.

  1. Get rid of any Allows Arbitrary loads keys. This means that you have added an override to your app to allow it to connect via non-secure channels over HTTP. You will want all traffic in your app to use TLS with HTTPS.

  2. Use NSExceptionMinimumTLSVersion and set it to a version that is TLS 1.2 or greater. This is just good practice in general and will make sure that all app traffic uses a modern version of TLS. Note that this is enforced by the system anyway, but if you want to require something like TLS 1.3, this key is available.

  3. Test out the usage of NSPinnedDomains. This key allows your app to pin to a public key hash for a Certificate Authority's root certificate, and if this traffic does not match then the connection will fail. The same can be done for a public key hash of a leaf identity as well. Now... this works great if your app is talking to the same set of servers and your app is updated frequently, in case the public key hash in your app needs to be updated. If your app is talking to a lot of different endpoints then you may want to come up with a different strategy. Having said all of that, I have had some issues configuring this functionality properly based on this article, but have made some progress on this topic recently, so for the latest see this Developer Forums post.

The above references are based on what is possible with App Transport Security. There is also similar functionality available via coding techniques inside of an app, i.e., coding your app to pin to a specific extension in a certificate, etc...

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
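The three points above map directly onto keys under NSAppTransportSecurity in the app's Info.plist. The following is an added example, not part of Matt Eaton's answer or the original question: it embeds two constructed Info.plist documents, one with the weak settings a penetration test flags (NSAllowsArbitraryLoads, an insecure-HTTP exception, TLS 1.0) and one with the hardened settings recommended above (no arbitrary-load keys, NSExceptionMinimumTLSVersion at TLSv1.2, NSPinnedDomains with an NSPinnedCAIdentities entry), and audits both with Python's plistlib. The domain api.example.com and the SPKI-SHA256-BASE64 value are placeholders; the checker itself is hypothetical tooling, not something Apple ships.

```python
"""Audit App Transport Security (ATS) settings in an iOS Info.plist.

Added example: two constructed Info.plist documents are checked for the
weak ATS settings discussed in the thread. Nothing here is Apple code.
"""
from __future__ import annotations

import plistlib

# Constructed: the kind of Info.plist that fails an ATS review.
WEAK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>api.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
        <key>NSExceptionMinimumTLSVersion</key>
        <string>TLSv1.0</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Constructed: the hardened form. The SPKI hash below is a placeholder, not a real key.
HARDENED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>api.example.com</key>
      <dict>
        <key>NSIncludesSubdomains</key>
        <true/>
        <key>NSExceptionMinimumTLSVersion</key>
        <string>TLSv1.2</string>
      </dict>
    </dict>
    <key>NSPinnedDomains</key>
    <dict>
      <key>api.example.com</key>
      <dict>
        <key>NSIncludesSubdomains</key>
        <true/>
        <key>NSPinnedCAIdentities</key>
        <array>
          <dict>
            <key>SPKI-SHA256-BASE64</key>
            <string>PLACEHOLDER_BASE64_SPKI_SHA256_OF_CA_KEY=</string>
          </dict>
        </array>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

TLS_ORDER = {"TLSv1.0": 0, "TLSv1.1": 1, "TLSv1.2": 2, "TLSv1.3": 3}
MIN_TLS = "TLSv1.2"
ARBITRARY_LOAD_KEYS = (
    "NSAllowsArbitraryLoads",
    "NSAllowsArbitraryLoadsInWebContent",
    "NSAllowsArbitraryLoadsForMedia",
)


def ats_findings(plist_bytes: bytes) -> list[str]:
    """Return one human-readable finding per weak ATS setting; empty means clean."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings: list[str] = []
    # Point 1: any "allows arbitrary loads" override lets plaintext HTTP through.
    for key in ARBITRARY_LOAD_KEYS:
        if ats.get(key):
            findings.append(f"{key} is true: plaintext HTTP permitted")
    # Point 2: per-domain exceptions must not weaken HTTPS or drop below TLS 1.2.
    for domain, cfg in ats.get("NSExceptionDomains", {}).items():
        if cfg.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"{domain}: NSExceptionAllowsInsecureHTTPLoads is true")
        version = cfg.get("NSExceptionMinimumTLSVersion", MIN_TLS)
        if TLS_ORDER.get(version, -1) < TLS_ORDER[MIN_TLS]:
            findings.append(f"{domain}: NSExceptionMinimumTLSVersion {version} is below {MIN_TLS}")
    return findings


def pinned_domains(plist_bytes: bytes) -> list[str]:
    """Point 3: domains that declare at least one CA or leaf pin under NSPinnedDomains."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    return sorted(
        domain
        for domain, cfg in ats.get("NSPinnedDomains", {}).items()
        if cfg.get("NSPinnedCAIdentities") or cfg.get("NSPinnedLeafIdentities")
    )


if __name__ == "__main__":
    for label, blob in (("weak", WEAK_PLIST), ("hardened", HARDENED_PLIST)):
        print(f"{label}: findings={ats_findings(blob)} pinned={pinned_domains(blob)}")
```

Run it against a real Info.plist by reading the file as bytes and passing it to `ats_findings`; an empty list plus a non-empty `pinned_domains` result is the state the penetration test is looking for. Because ATS enforces TLS 1.2 by default, the TLS check only fires when an exception explicitly lowers the floor.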