ATS on watchOS is fundamentally broken for generic client apps. Why is Apple killing innovation?

Question

Created 3w

Replies 2

Boosts 0

Participants 2

I spent the entire day debugging a network issue on my Apple Watch app, only to realize the problem isn't my code—it's Apple's inflexible design.

The Context: I am building a generic MCP (Model Context Protocol) client for watchOS. The nature of this app is to allow users to input their own server URLs (e.g., a self-hosted endpoint, or public services like GitHub's MCP server) to interact with LLMs and tools.

The Problem: When using standard URLSession to connect to widely trusted, public HTTPS endpoints (specifically GitHub's official MCP server at https://mcp.github.com), the connection is forcefully terminated by the OS with NSURLErrorDomain Code=-1200 (TLS handshake failed).

The Analysis: This is caused by App Transport Security (ATS). ATS is enforcing a draconian set of security standards (specific ciphers, forward secrecy requirements, etc.) that many perfectly valid, secure, and globally accepted servers do not strictly meet 100%.

The Absurdity:

We cannot whitelist domains: Since this is a generic client, I cannot add NSExceptionDomains to Info.plist because I don't know what URL the user will input.
We cannot disable ATS: Adding NSAllowsArbitraryLoads is a guaranteed rejection during App Store review for a general-purpose app without a "compelling reason" acceptable to Apple.
The result: My app is effectively bricked. It cannot connect to GitHub. It cannot connect to 90% of the user's self-hosted servers.

The Question: Is the Apple Watch just a toy? How does Apple expect us to build flexible, professional tools when the OS acts like a nanny that blocks connections to GitHub?

We need a way to bypass strict ATS checks for user-initiated connections in generic network tools, similar to how curl -k or other developer tools work. The current "all-or-nothing" policy is suffocating.

Answered by DTS Engineer in 866385022

Is there something Apple Watch specific about this issue? My experience is that ATS applies to all Apple platforms.

Anyway, coming back to your main issue, you wrote:

The nature of this app is to allow users to input their own server URLs

If your app allows the user to enter their own URLs and it’s reasonable to expect that the user might enter a URL that’s not ATS compliant, then you should deploy NSAllowsArbitraryLoads. Your use case is literally what that property was designed for. I often refer to it as Safari mode, because a web browser has exactly the same issue.

Reading your post it’s not clear whether you’ve tried this already and App Review rejected it. If you haven’t tried it, I recommend that you do so, following the guidance in Provide Justification for Exceptions. If you have tried it and App Review rejected it, I recommend that you appeal that rejection.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Boost

Answer 1

EricTerminal OP

3w

Accepted Answer

CORRECTION: A crucial piece of information in my original post is incorrect, and I want to correct the record immediately. The endpoint https://mcp.github.com was used as an example, but it has been confirmed that this is not a public or active MCP server. My apologies for using an outdated example and for any confusion this may have caused

UPDATE: Despite this specific example being wrong, the core issue remains unchanged. The fundamental problem with Apple's App Transport Security (ATS) still prevents generic client apps on watchOS from connecting to a wide range of user-defined, self-hosted, or community-provided servers that do not perfectly align with Apple's strict, non-negotiable TLS standards. My central argument and frustration with this inflexible policy still stand.

0

Answer 2

DTS Engineer OP

Apple

3w

Recommended