App Transport Security basics

App Transport Security (ATS) is a network security feature on Apple platforms and is enabled by default. It ensures that applications use industry-standard security without known weaknesses, protecting data integrity and privacy. The purpose of App Transport Security is to give end users confidence that no accidental network vulnerabilities exist.

App Transport Security Configurations

If you look at the Info.plist file of an app linked against the iOS 9.0 or macOS 10.11 SDK or later, you will see that App Transport Security (ATS) is enabled by default. This is indicated by a Boolean value of NO for the NSAllowsArbitraryLoads key. With ATS enabled, all network connections must use HTTPS; any attempt to connect over HTTP fails. If we try to connect to such a service we get the error “Transport security has blocked a cleartext HTTP”.

By now the function and use of App Transport Security should be clear. Security and data privacy are all very good, but there are some scenarios where we might want an exception to be granted. For example:

  • What if we need to communicate with a third party service using HTTP?
  • What if our test environment is not using HTTPS?

There could be many more such scenarios. Thankfully NSAppTransportSecurity comes with a set of optional keys which allow us to pick and choose the security level as per our need. The complete key structure of NSAppTransportSecurity is given below:

NSAppTransportSecurity : Dictionary {
    NSAllowsArbitraryLoads : Boolean
    NSAllowsArbitraryLoadsForMedia : Boolean
    NSAllowsArbitraryLoadsInWebContent : Boolean
    NSAllowsLocalNetworking : Boolean
    NSExceptionDomains : Dictionary {
        <domain-name-string> : Dictionary {
            NSIncludesSubdomains : Boolean
            NSExceptionAllowsInsecureHTTPLoads : Boolean
            NSExceptionMinimumTLSVersion : String
            NSExceptionRequiresForwardSecrecy : Boolean // Default value is YES
            NSRequiresCertificateTransparency : Boolean
        }
    }
}

  1. NSAllowsArbitraryLoads (Allow Arbitrary Loads): Setting this key to YES disables ATS for the entire app and should not be used in production. Attempting to publish an app with NSAllowsArbitraryLoads set to YES will trigger App Store review and will require justification. In iOS 10 and macOS 10.12 the value of NSAllowsArbitraryLoads is considered to be NO, and the developer-provided value is ignored, if any of the following keys have a Boolean value of NO:
    • NSAllowsArbitraryLoadsForMedia
    • NSAllowsArbitraryLoadsInWebContent
    • NSAllowsLocalNetworking

    The value of NSAllowsArbitraryLoads should never be set to YES in production, though it can be if App Review clears it after hearing your justification.

  2. NSAllowsArbitraryLoadsForMedia: This key, when set to YES, disables ATS for all media content loaded using APIs from the AV Foundation framework. Setting this key to YES will trigger App Store review and requires justification. This key is used when the media being loaded is already encrypted and does not contain any personal information. The default value is NO.
  3. NSAllowsArbitraryLoadsInWebContent: This key, when set to YES, allows embedded web views to load HTTP URLs. It applies only to:
    • WKWebView
    • UIWebView (iOS only)
    • WebView (macOS only)

    Setting this key triggers App Store review and requires justification.

  4. NSAllowsLocalNetworking: This key, when set to YES, disables ATS for all unqualified and .local domains. If this key is set to YES, the NSAllowsArbitraryLoads value is ignored and is taken as NO. The default value is NO.
  5. NSExceptionDomains is a dictionary which allows ATS exceptions for specific domains. Each value of this dictionary is itself a dictionary, and the key is the domain name itself. The structure looks something like this:
    NSExceptionDomains : Dictionary {
        <www.example.com> : Dictionary {
            NSIncludesSubdomains : Boolean
            NSExceptionAllowsInsecureHTTPLoads : Boolean
            NSExceptionMinimumTLSVersion : String
            NSExceptionRequiresForwardSecrecy : Boolean // Default value is YES
            NSRequiresCertificateTransparency : Boolean
        }
    }

    The following rules must be followed while configuring exception domains:

    • The domain name should be all lowercase.
    • No IP address should be used.
    • No port number should be used.
    • An exact match must be provided, so take care with the trailing “.”: www.example.com. is different from www.example.com, and vice versa.
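To make the key structure above and the exception-domain rules concrete, here is an added example (written for this article, not Apple tooling and not part of the original post): a small Python lint pass that reads an Info.plist with the standard-library plistlib module and reports every setting that weakens the default ATS policy, plus every exception-domain key that breaks the naming rules (uppercase letters, IP addresses, port numbers, trailing dot). The Info.plist it audits is a constructed sample for a hypothetical bundle com.example.atsdemo; the ATS key names are the ones listed above, and the TLSv1.0 to TLSv1.3 version strings and the "narrower key present" rule come from Apple's ATS documentation.

```python
"""Audit the NSAppTransportSecurity dictionary of an Info.plist.

Added example, not Apple tooling: flags ATS opt-outs and exception-domain
keys that break the naming rules (lowercase, no IP, no port, exact match).
"""
import ipaddress
import plistlib

# Constructed sample Info.plist for a hypothetical app. It deliberately
# contains the weak settings and naming mistakes discussed in the article.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.atsdemo</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
    <key>NSAllowsLocalNetworking</key>
    <true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy-api.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
        <key>NSIncludesSubdomains</key>
        <true/>
      </dict>
      <key>Staging.Example.com</key>
      <dict>
        <key>NSExceptionMinimumTLSVersion</key>
        <string>TLSv1.0</string>
      </dict>
      <key>10.0.0.5:8080</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
      </dict>
      <key>cdn.example.com.</key>
      <dict>
        <key>NSExceptionRequiresForwardSecrecy</key>
        <false/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Top-level keys that switch ATS off for some class of connection.
OPT_OUT_DESCRIPTIONS = {
    "NSAllowsArbitraryLoads": "ATS disabled for every connection the app makes",
    "NSAllowsArbitraryLoadsForMedia": "ATS disabled for media loaded through AV Foundation",
    "NSAllowsArbitraryLoadsInWebContent": "ATS disabled for embedded web views",
    "NSAllowsLocalNetworking": "ATS disabled for unqualified and .local host names",
}
# When any of these is present, iOS 10 / macOS 10.12 and later ignore NSAllowsArbitraryLoads.
NARROWER_OPT_OUT_KEYS = tuple(k for k in OPT_OUT_DESCRIPTIONS if k != "NSAllowsArbitraryLoads")
# Accepted NSExceptionMinimumTLSVersion strings, lowest first.
TLS_VERSIONS = ("TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3")


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False
    return True


def check_domain_name(name: str) -> list[str]:
    """Apply the exception-domain naming rules to one NSExceptionDomains key."""
    problems = []
    if name != name.lower():
        problems.append("domain name must be all lowercase")
    host = name
    # One colon followed by digits is a host:port pair (IPv6 literals have more colons).
    if host.count(":") == 1 and host.rsplit(":", 1)[1].isdigit():
        problems.append("port numbers are not allowed in the domain key")
        host = host.rsplit(":", 1)[0]
    if _is_ip_literal(host):
        problems.append("IP addresses are not allowed; use a host name")
    if name.endswith("."):
        problems.append(f"trailing '.' makes this a different name from '{name.rstrip('.')}'")
    return problems


def check_domain_settings(settings: dict) -> list[str]:
    """Flag per-domain keys that relax the default ATS policy."""
    problems = []
    if settings.get("NSExceptionAllowsInsecureHTTPLoads") is True:
        problems.append("NSExceptionAllowsInsecureHTTPLoads is YES: cleartext HTTP permitted")
    if settings.get("NSIncludesSubdomains") is True:
        problems.append("NSIncludesSubdomains is YES: the exception also covers every subdomain")
    tls = settings.get("NSExceptionMinimumTLSVersion")
    if tls is not None:
        if tls not in TLS_VERSIONS:
            problems.append(f"NSExceptionMinimumTLSVersion '{tls}' is not a recognised value")
        elif TLS_VERSIONS.index(tls) < TLS_VERSIONS.index("TLSv1.2"):
            problems.append(f"NSExceptionMinimumTLSVersion {tls} is below TLSv1.2")
    if settings.get("NSExceptionRequiresForwardSecrecy") is False:
        problems.append("NSExceptionRequiresForwardSecrecy is NO: non-forward-secret cipher suites allowed")
    return problems


def audit_ats(plist_bytes: bytes) -> dict:
    """Return {"global": [...], "domains": {name: [...]}} for the plist's ATS dictionary."""
    info = plistlib.loads(plist_bytes)
    report = {"global": [], "domains": {}}
    ats = info.get("NSAppTransportSecurity")
    if not ats:
        return report  # no ATS dictionary: the default HTTPS-only policy applies
    for key, description in OPT_OUT_DESCRIPTIONS.items():
        if ats.get(key) is True:
            report["global"].append(f"{key} is YES: {description}")
    present = [k for k in NARROWER_OPT_OUT_KEYS if k in ats]
    if present:
        report["global"].append(
            "narrower opt-out keys present (" + ", ".join(present)
            + "): NSAllowsArbitraryLoads is ignored on iOS 10 / macOS 10.12 and later"
        )
    for name, settings in ats.get("NSExceptionDomains", {}).items():
        problems = check_domain_name(name) + check_domain_settings(settings)
        if problems:
            report["domains"][name] = problems
    return report


if __name__ == "__main__":
    result = audit_ats(SAMPLE_INFO_PLIST)
    for finding in result["global"]:
        print("[global]", finding)
    for domain, problems in result["domains"].items():
        for finding in problems:
            print(f"[{domain}]", finding)
```

Run against the sample, the script reports the app-wide NSAllowsArbitraryLoads opt-out, notes that NSAllowsLocalNetworking makes that key ignored on iOS 10 and macOS 10.12 or later, and lists every one of the four exception domains with its problems; a plist with no NSAppTransportSecurity dictionary produces an empty report, because the default policy is already HTTPS-only. To audit a real bundle, pass the bytes of its Info.plist (plistlib handles both XML and binary plists) to audit_ats.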

A pat on the back!!