App Transport Security (ATS)

Download ios eBook

Parameters

ParameterDetails
NSAppTransportSecurityConfigure ATS
NSAllowsArbitraryLoadsSet to YES to disable ATS everywhere. In iOS 10 and later, and macOS 10.12 and later, the value of this key is ignored if any of the following keys are present in your app’s Info.plist file: NSAllowsArbitraryLoadsInMedia, NSAllowsArbitraryLoadsInWebContent, NSAllowsLocalNetworking
NSAllowsArbitraryLoadsInMediaSet to YES to disable ATS for media loaded using APIs from the AV Foundation framework. (iOS 10+, macOS 10.12+)
NSAllowsArbitraryLoadsInWebContentSet to YES to disable ATS in your app’s web views (WKWebView, UIWebView, WebView) without affecting your NSURLSession connections. (iOS 10+, macOS 10.12+)
NSAllowsLocalNetworkingSet to YES to disable for connections to unqualified domains and to .local domains. (iOS 10+, macOS 10.12+)
NSExceptionDomainsConfigure exceptions for specific domains
NSIncludesSubdomainsSet to YES to apply the exceptions to all subdomains of the selected domain.
NSRequiresCertificateTransparencySet to YES to require that valid, signed Certificate Transparency (CT) timestamps, from known CT logs, be presented for server (X.509) certificates on a domain. (iOS 10+, macOS 10.12+)
NSExceptionAllowsInsecureHTTPLoadsSet to YES to allow HTTP on the selected domain.
NSExceptionRequiresForwardSecrecyDefaults to YES; Set to NO to disable Forward Secrecy and accept more ciphers.
NSExceptionMinimumTLSVersionDefaults to TLSv1.2; Possible values are: TLSv1.0, TLSv1.1, TLSv1.2
NSThirdPartyExceptionAllowsInsecureHTTPLoadsSimilar to NSExceptionAllowsInsecureHTTPLoads, but for domains that you have no control over
NSThirdPartyExceptionRequiresForwardSecrecySimilar to NSExceptionRequiresForwardSecrecy, but for domains that you have no control over
NSThirdPartyExceptionMinimumTLSVersionSimilar to NSExceptionMinimumTLSVersion, but for domains that you have no control over

Remarks

The App Transport Security is a security feature in iOS and macOS. It prevents apps from establishing unsecured connections. By default, apps can only use secure HTTPS connections.

If an app needs to connect to a server via HTTP, exceptions must be defined in the Info.plist. (see the examples for more information about that)

Note: In 2017, Apple will enforce ATS. That means, that you can no longer upload apps that have ATS-exceptions defined in the Info.plist. If you can provide good arguments, why you have to use HTTP, you can contact Apple and they might allow you to define exceptions. (Source: WWDC 2016 - Session 706)

More information on the App Transport Security configuration can be found in the CocoaKeys Documentation.

Related Examples

Stats

321 Contributors: 6
Friday, July 28, 2017
Licensed under: CC-BY-SA

Not affiliated with Stack Overflow
Rip Tutorial: info@zzzprojects.com

Download eBook