App Transport Security (ATS) is a network security feature on Apple platforms and is enabled by default. It ensures that applications use industry-standard transport security without known weaknesses, protecting data integrity and privacy. The purpose of App Transport Security is to give end users confidence in the app by ensuring that no accidental network vulnerabilities exist.
App Transport Security Configurations
If you take a look at the Info.plist file of an app linked against the iOS 9.0 or macOS 10.11 SDK or later, you will see that App Transport Security (ATS) is enabled by default. It is indicated by a Boolean value of NO for the NSAllowsArbitraryLoads key. With ATS enabled, all network connections must use HTTPS; any attempt to connect using plain HTTP fails. If we try to connect to such a service, we get the “Transport security has blocked a cleartext HTTP” error.
By now the function and use of App Transport Security should be clear. Security and data privacy are all very good, but there are some scenarios where we might want an exception to be granted. For example:
- What if we need to communicate with a third party service using HTTP?
- What if our test environment is not using HTTPS?
There could be many more such scenarios. Thankfully, NSAppTransportSecurity comes with a set of optional keys which allow us to pick and choose the security level as per our need. The complete key structure of NSAppTransportSecurity is given below:

    NSAppTransportSecurity : Dictionary {
        NSAllowsArbitraryLoads : Boolean
        NSAllowsArbitraryLoadsForMedia : Boolean
        NSAllowsArbitraryLoadsInWebContent : Boolean
        NSAllowsLocalNetworking : Boolean
        NSExceptionDomains : Dictionary {
            <domain-name-string> : Dictionary {
                NSIncludesSubdomains : Boolean
                NSExceptionAllowsInsecureHTTPLoads : Boolean
                NSExceptionMinimumTLSVersion : String
                NSExceptionRequiresForwardSecrecy : Boolean   // Default value is YES
                NSRequiresCertificateTransparency : Boolean
            }
        }
    }
NSAllowsArbitraryLoads (Allow Arbitrary Loads)

Setting this key to YES disables ATS for the entire app and should not be used in production. Attempting to publish an app with NSAllowsArbitraryLoads set to YES will trigger App Store review and will require justification. In iOS 10 and macOS 10.12, the value of NSAllowsArbitraryLoads is considered to be NO and the developer-provided value is ignored if any of the following keys have a Boolean value of NO:

- NSAllowsArbitraryLoadsForMedia
- NSAllowsArbitraryLoadsInWebContent
- NSAllowsLocalNetworking

The value of NSAllowsArbitraryLoads should never be set to YES in production, though it can be if App Review clears it after hearing your justification.

NSAllowsArbitraryLoadsForMedia

This key, when set to YES, disables ATS for all media content loaded using APIs from the AV Foundation framework. Setting this key to YES will trigger App Store review and requires justification. This key is used when the media being loaded is already encrypted and does not contain any personal information. The default value is NO.

NSAllowsArbitraryLoadsInWebContent
This key, when set to YES, allows embedded web views to load HTTP URLs. It applies only to:

- WKWebView
- UIWebView (iOS only)
- WebView (macOS only)

Setting this key triggers App Store review and requires justification.
NSAllowsLocalNetworking

This key, when set to YES, disables ATS for all unqualified and .local domains. If this key is set to YES, the NSAllowsArbitraryLoads value is ignored and is taken as NO. The default value is NO.

NSExceptionDomains

NSExceptionDomains is a dictionary which allows ATS exceptions for specific domains. Each key of this dictionary is a domain name, and each value is itself a dictionary. The structure looks something like this:

    NSExceptionDomains : Dictionary {
        <www.example.com> : Dictionary {
            NSIncludesSubdomains : Boolean
            NSExceptionAllowsInsecureHTTPLoads : Boolean
            NSExceptionMinimumTLSVersion : String
            NSExceptionRequiresForwardSecrecy : Boolean   // Default value is YES
            NSRequiresCertificateTransparency : Boolean
        }
    }
The following rules must be followed when configuring exception domains:

- The domain name should be all lowercase.
- No IP address should be used.
- No port number should be used.
- An exact match must be provided, so take care with the trailing “.”: www.example.com. is a different name from www.example.com, and vice versa.
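As an added example (not code from the original post), the following Python script reads an Info.plist with plistlib, flags the app-wide NSAllowsArbitraryLoads setting discussed above next to the scoped per-domain alternative, and applies the four exception-domain naming rules just listed. Both plists and the host name staging.example.com are constructed placeholders.

```python
import ipaddress
import plistlib

# Constructed Info.plist: the weak setting, ATS disabled for the whole app.
WEAK_PLIST = b"""<plist version="1.0"><dict><key>NSAppTransportSecurity</key><dict>
  <key>NSAllowsArbitraryLoads</key><true/>
</dict></dict></plist>"""

# Constructed Info.plist: the same need (cleartext HTTP to one test host) met
# with a per-domain exception instead. The host name is a placeholder.
SCOPED_PLIST = b"""<plist version="1.0"><dict><key>NSAppTransportSecurity</key><dict>
  <key>NSExceptionDomains</key><dict>
    <key>staging.example.com</key><dict>
      <key>NSIncludesSubdomains</key><true/>
      <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
    </dict>
  </dict>
</dict></dict></plist>"""

def check_domain(domain):
    """Apply the exception-domain naming rules to one NSExceptionDomains key."""
    problems = []
    if domain != domain.lower():
        problems.append("must be all lowercase")
    if ":" in domain:
        problems.append("must not carry a port number")
    try:
        ipaddress.ip_address(domain)  # succeeds only for a literal IPv4/IPv6 address
        problems.append("must be a host name, not an IP address")
    except ValueError:
        pass
    if domain.endswith("."):
        problems.append("trailing dot makes this a different name from " + domain[:-1])
    return problems

def audit_ats(plist_bytes):
    """Return findings for the NSAppTransportSecurity dictionary of an Info.plist."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads=YES disables ATS app-wide")
    for key in ("NSAllowsArbitraryLoadsForMedia", "NSAllowsArbitraryLoadsInWebContent"):
        if ats.get(key):
            findings.append(key + "=YES needs App Store review justification")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        findings += [domain + ": " + p for p in check_domain(domain)]
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(domain + ": allows cleartext HTTP to this host")
    return findings
```

Run audit_ats against an exported Info.plist to see which findings a build would carry into App Store review.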