ATS ( App Transport Security) is a good network security policy proposed by Apple in WWDC 15. According to ATS, no security network visiting (aka any web url starting with http://) is settled in iOS 9 by default. Although users can set the “NSAppTransportSecurity” value inside Info.plist to allow Apps connect with no security networks (See my previous post https://blogs.perficient.com/delivery/blog/2015/11/12/three-ways-to-let-ats-work-with-your-http-server-and-ios-apps/)
While in iOS 10, Apple put more restrictions on ATS. According to Apple’s currently announcement, all the applications submit to App Store is not allowed to use “NSAppTransportSecurity” to ignore ATS starting from Jan 1st, 2017. So it is better to make sure all the network visiting should use https in the App. Here is some useful advice to make sure you Apps can submit to App Store successfully:
- Make sure your App can visit https context, especially those with strong encrypt algorithms (TLS v1.2 and above, AES-128, SHA-2, ECDHC etc.
- If you still need to use “NSAppTransportSecurity” to disable ATS, please make some additional explanations before submitting to App Store, especially if your App is kind of a browser related App.
- Use NSExceptionDomains” instead of “NSAllowsArbitraryLoads” hence only allowed some specific none secure http visit inside your App.
- There is a new key called “NSAllowsArbitraryLoadsInWebContent” in iOS 10, set the value to “YES” so that your App can play online videos even if they are not https related. But please be aware this feature can only be supported by iOS 10 and above.
In conclusion, ATS has been changed in iOS 10. To successfully submit your App into Apple’s App Store, below is the table you may need to look at first.
|
ATS settings affect frameworks in iOS 9 and iOS 10 |
||||
|
ATS settings |
Affected Framework |
Works in iOS 9 HTTP |
Works in iOS 10 HTTP |
Notes |
|
NSAllowsArbitraryLoads: NO |
UIWebView |
NO |
NO |
|
|
WKWebView |
NO |
NO |
This is a default setting |
|
|
URLSession |
NO |
NO |
This will disable ATS |
|
|
NSAllowsArbitraryLoads: YES |
UIWebView |
YES |
YES |
Need to provide additional explanations before submit to App Store |
|
WKWebView |
YES |
YES |
||
|
URLSession |
YES |
YES |
||
|
NSAllowsArbitraryLoads: NO & NSAllowsArbitraryLoadsInWebContent: YES |
UIWebView |
NO |
NO |
Only disable ATS for web contents |
|
WKWebView |
NO |
YES |
A recommend settings for most Apps |
|
|
URLSession |
NO |
NO |
This is a most security setting method |
|
|
NSAllowsArbitraryLoads: NO & NSAllowsArbitraryLoadsInWebContent: NO |
UIWebView |
NO |
NO |
|
|
WKWebView |
NO |
NO |
||
|
URLSession |
NO |
NO |
||
|
NSAllowsArbitraryLoads: YES & NSAllowsArbitraryLoadsInWebContent: NO |
UIWebView |
YES |
NO |
For iOS 10, when NSAllowsArbitraryLoadsInWebContent is existed, the NSAllowsArbitraryLoads will be ignored.
For iOS 9, only NSAllowsArbitraryLoads will be used. |
|
WKWebView |
YES |
NO |
||
|
URLSession |
YES |
NO |
||
|
NSAllowsArbitraryLoads: YES & NSAllowsArbitraryLoadsInWebContent: YES |
UIWebView |
YES |
NO |
|
|
WKWebView |
YES |
YES |
||
|
URLSession |
YES |
NO |
||
