making the roaming future

Application Transport Security override

mr -

iOS 9 will default to a new connection security mechanism called App Transport Security (ATS) that essentially forces apps to transfer data from their backend services using secure HTTP connection practices, such as TLS 1.2.

If your app uses known endpoints, it’s enough to make sure they follow best security practices. An RSS reader, like mine, however, connects to user-defined sources, so it doesn’t have that level of control. Luckily, we can disable ATS enforcement for such purposes by adding the following entry to the app’s Info.plist:

<key>NSAppTransportSecurity</key>
<dict>
	<key>NSAllowsArbitraryLoads</key>
	<true/>
</dict>

If, however, your app must handle arbitrary URLs but also uses an established backend you’d like ATS to help you with, you can add an exception for your domain, like this:

<key>NSAppTransportSecurity</key>
<dict>
	<key>NSAllowsArbitraryLoads</key>
	<true/>
	<key>NSExceptionDomains</key>
	<dict>
		<key>example.com</key>
		<dict>
			<key>NSExceptionAllowsInsecureHTTPLoads</key>
			<false/>
		</dict>
	</dict>
</dict>

Keep in mind, though: if your app uses only backends you control, you should not use this override just to make everything work again in new versions built against the iOS 9 SDK! It may be used for debugging purposes or, at most, until all the issues that prevent following best security practices are fixed.
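One way to check an app's Info.plist for leftover ATS overrides before release, as an added example that is not part of the original post: it reports whether the global override is on, which domains are explicitly opted back into ATS or allowed plain HTTP, and any key in a domain entry that is not a per-domain key. The sample plist, the function name and the domain api.example.org are constructed for illustration; the per-domain key names are the ones Apple documents.

```python
import plistlib

# Per-domain keys this check recognizes inside NSExceptionDomains entries.
DOMAIN_KEYS = {
    "NSIncludesSubdomains",
    "NSExceptionAllowsInsecureHTTPLoads",
    "NSExceptionMinimumTLSVersion",
    "NSExceptionRequiresForwardSecrecy",
    "NSRequiresCertificateTransparency",
}

def audit_ats(info_plist: bytes) -> dict:
    """Summarize the ATS overrides declared in an Info.plist."""
    ats = plistlib.loads(info_plist).get("NSAppTransportSecurity", {})
    report = {
        "arbitrary_loads": ats.get("NSAllowsArbitraryLoads") is True,
        "ats_enforced": [],   # domains explicitly opted back into ATS
        "http_allowed": [],   # domains explicitly allowed plain HTTP
        "unknown_keys": [],   # (domain, key) pairs that are not per-domain keys
    }
    for domain, cfg in sorted(ats.get("NSExceptionDomains", {}).items()):
        insecure = cfg.get("NSExceptionAllowsInsecureHTTPLoads")
        if insecure is False:
            report["ats_enforced"].append(domain)
        elif insecure is True:
            report["http_allowed"].append(domain)
        report["unknown_keys"] += [(domain, k) for k in sorted(set(cfg) - DOMAIN_KEYS)]
    return report

# Constructed sample: global override on, one backend opted back into ATS,
# and one entry (hypothetical domain) that misuses the global-only key.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>NSAppTransportSecurity</key>
<dict>
  <key>NSAllowsArbitraryLoads</key><true/>
  <key>NSExceptionDomains</key>
  <dict>
    <key>example.com</key>
    <dict><key>NSExceptionAllowsInsecureHTTPLoads</key><false/></dict>
    <key>api.example.org</key>
    <dict><key>NSAllowsArbitraryLoads</key><false/></dict>
  </dict>
</dict>
</dict></plist>"""

if __name__ == "__main__":
    print(audit_ats(SAMPLE))
```

Run against the Info.plist of each release build, a report with `arbitrary_loads` set and no business reason on file is the signal that a debugging override shipped.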

tags: ats tls