
ATS in iOS 10

ATS (App Transport Security) is a good network security policy that Apple introduced at WWDC 15. Under ATS, insecure network connections (that is, any URL starting with http://) are blocked by default in iOS 9, although developers can set the “NSAppTransportSecurity” value in Info.plist to allow their apps to connect to insecure servers (see my previous post https://blogs.perficient.com/delivery/blog/2015/11/12/three-ways-to-let-ats-work-with-your-http-server-and-ios-apps/).

With iOS 10, Apple puts more restrictions on ATS. According to Apple’s current announcement, starting from Jan 1st, 2017, applications submitted to the App Store are not allowed to use “NSAppTransportSecurity” to bypass ATS. So it is better to make sure that all network access in the app uses https. Here is some useful advice to make sure your apps can be submitted to the App Store successfully:

  1. Make sure your app can access https content, especially from servers that use strong encryption (TLS v1.2 and above, AES-128, SHA-2, ECDHE, etc.).
  2. If you still need to use “NSAppTransportSecurity” to disable ATS, provide an additional explanation before submitting to the App Store, especially if your app is a browser-like app.
  3. Use “NSExceptionDomains” instead of “NSAllowsArbitraryLoads” so that only specific insecure http connections are allowed inside your app.
  4. iOS 10 introduces a new key called “NSAllowsArbitraryLoadsInWebContent”. Set its value to “YES” so that your app can play online videos even if they are not served over https. Be aware that this key is only supported on iOS 10 and above.

In conclusion, ATS has changed in iOS 10. Before you submit your app to Apple’s App Store, look at the table below first.

 

ATS settings affect frameworks in iOS 9 and iOS 10

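| ATS settings | Affected Framework | HTTP works in iOS 9 | HTTP works in iOS 10 | Notes |
| --- | --- | --- | --- | --- |
| NSAllowsArbitraryLoads: NO | UIWebView | NO | NO | |
| NSAllowsArbitraryLoads: NO | WKWebView | NO | NO | This is the default setting |
| NSAllowsArbitraryLoads: NO | URLSession | NO | NO | This will disable ATS |
| NSAllowsArbitraryLoads: YES | UIWebView | YES | YES | Need to provide an additional explanation before submitting to the App Store |
| NSAllowsArbitraryLoads: YES | WKWebView | YES | YES | |
| NSAllowsArbitraryLoads: YES | URLSession | YES | YES | |
| NSAllowsArbitraryLoads: NO & NSAllowsArbitraryLoadsInWebContent: YES | UIWebView | NO | NO | Only disables ATS for web content |
| NSAllowsArbitraryLoads: NO & NSAllowsArbitraryLoadsInWebContent: YES | WKWebView | NO | YES | A recommended setting for most apps |
| NSAllowsArbitraryLoads: NO & NSAllowsArbitraryLoadsInWebContent: YES | URLSession | NO | NO | This is the most secure setting |
| NSAllowsArbitraryLoads: NO & NSAllowsArbitraryLoadsInWebContent: NO | UIWebView | NO | NO | |
| NSAllowsArbitraryLoads: NO & NSAllowsArbitraryLoadsInWebContent: NO | WKWebView | NO | NO | |
| NSAllowsArbitraryLoads: NO & NSAllowsArbitraryLoadsInWebContent: NO | URLSession | NO | NO | |
| NSAllowsArbitraryLoads: YES & NSAllowsArbitraryLoadsInWebContent: NO | UIWebView | YES | NO | On iOS 10, when NSAllowsArbitraryLoadsInWebContent is present, NSAllowsArbitraryLoads is ignored. On iOS 9, only NSAllowsArbitraryLoads is used. |
| NSAllowsArbitraryLoads: YES & NSAllowsArbitraryLoadsInWebContent: NO | WKWebView | YES | NO | |
| NSAllowsArbitraryLoads: YES & NSAllowsArbitraryLoadsInWebContent: NO | URLSession | YES | NO | |
| NSAllowsArbitraryLoads: YES & NSAllowsArbitraryLoadsInWebContent: YES | UIWebView | YES | NO | |
| NSAllowsArbitraryLoads: YES & NSAllowsArbitraryLoadsInWebContent: YES | WKWebView | YES | YES | |
| NSAllowsArbitraryLoads: YES & NSAllowsArbitraryLoadsInWebContent: YES | URLSession | YES | NO | |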
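
A pre-submission check for the rules in the table above, as an added example rather than code from the original post: it parses an Info.plist and reports which http loads ATS would allow on iOS 9 and iOS 10, plus the exceptions a reviewer would ask about. The sample plist, the host legacy.example.com and the function name audit_ats are constructed for illustration; NSExceptionAllowsInsecureHTTPLoads is Apple's per-domain exception key and is not mentioned in the post.

```python
import plistlib

# Constructed sample Info.plist (not from the original post): a global opt-out
# plus one scoped exception for a hypothetical host, legacy.example.com.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSAllowsArbitraryLoadsInWebContent</key><false/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict><key>NSExceptionAllowsInsecureHTTPLoads</key><true/></dict>
    </dict>
  </dict>
</dict></plist>"""


def audit_ats(plist_bytes):
    """Return (effective, findings) for the ATS block of an Info.plist."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    arbitrary = bool(ats.get("NSAllowsArbitraryLoads", False))
    web_key_present = "NSAllowsArbitraryLoadsInWebContent" in ats
    web = bool(ats.get("NSAllowsArbitraryLoadsInWebContent", False))

    # iOS 9 only knows NSAllowsArbitraryLoads. On iOS 10 the presence of
    # NSAllowsArbitraryLoadsInWebContent makes the system ignore it.
    effective = {
        "ios9_arbitrary_http": arbitrary,
        "ios10_arbitrary_http": arbitrary and not web_key_present,
        "ios10_wkwebview_http": web or (arbitrary and not web_key_present),
    }
    findings = []
    if arbitrary:
        findings.append("NSAllowsArbitraryLoads is YES: needs App Store "
                        "justification; prefer NSExceptionDomains")
    if web:
        findings.append("NSAllowsArbitraryLoadsInWebContent is YES: "
                        "WKWebView may load http on iOS 10+")
    for host, cfg in ats.get("NSExceptionDomains", {}).items():
        if cfg.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"http allowed for {host}")
    return effective, findings


if __name__ == "__main__":
    print(*audit_ats(SAMPLE_PLIST), sep="\n")
```

For the sample, the result matches the "YES & NO" rows of the table: http loads succeed on iOS 9 but are blocked on iOS 10, and the only finding besides the global flag is the scoped exception for the one host.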
