App Transport Security (ATS) is an Apple feature introduced in iOS 9 (and OS X v10.11) that is intended to protect the user’s privacy and increase the security of the communications established between the iOS device and third-party servers.
Its most immediate effect, however, has been to greet iOS developers around the world with the following error message when they try to do something as common nowadays as making a REST API call to a server that happens to use HTTP (instead of the recommended HTTPS):
App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app’s Info.plist file.
So if we make a REST API call and instead of the expected result we get the aforementioned error, there are two things we can do to solve the problem and get our app working.
We can, as the error message advises, add an exception (we will see how to do that in a minute), or we can, as Apple suggests – to protect our users’ data security and privacy – limit ourselves to using only secure network connections.
Adding exceptions to App Transport Security
First we must go to our Info.plist window: click in the project root tree, select the project in Targets, and select the Info tab:
Now we must set the property “Allow Arbitrary Loads” under “App Transport Security Settings” to “YES”.
If you do not see the “App Transport Security Settings” row in your list, just right-click on any of the rows and select “Add Row”; then, next to the new row, use the up and down buttons to select the property you want to add to the list (in this case “App Transport Security Settings”).
Now our HTTP connections will no longer be blocked.
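In the Info.plist source, the setting chosen above is the NSAllowsArbitraryLoads key inside NSAppTransportSecurity, and it lifts ATS for every connection the app makes, while an NSExceptionDomains entry lifts it for a single host only. The following Python check is an added example, not part of the original post; it parses both forms and reports what each one relaxes. The two plist fragments and the host api.example.com are constructed for illustration, and audit_ats is a hypothetical helper name.

```python
import plistlib

# Constructed Info.plist fragments (not from the original post).
# BROAD is what the steps above produce; SCOPED limits the exception
# to one host. "api.example.com" is a placeholder.
BROAD = b"""<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSAllowsArbitraryLoads</key><true/>
  </dict>
</dict></plist>"""

SCOPED = b"""<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSExceptionDomains</key><dict>
      <key>api.example.com</key><dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
      </dict>
    </dict>
  </dict>
</dict></plist>"""


def audit_ats(plist_bytes):
    """Return a list of (scope, finding) tuples for ATS relaxations."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    # Global switch: every host may be reached over cleartext HTTP.
    if ats.get("NSAllowsArbitraryLoads") is True:
        findings.append(("*", "ATS disabled for every connection"))
    # Per-host exceptions: report each relaxation with the host it covers.
    for host, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            findings.append((host, "cleartext HTTP allowed"))
        tls = rules.get("NSExceptionMinimumTLSVersion")
        if tls in ("TLSv1.0", "TLSv1.1"):
            findings.append((host, f"minimum TLS lowered to {tls}"))
    return findings


if __name__ == "__main__":
    for name, sample in (("broad", BROAD), ("scoped", SCOPED)):
        print(name, audit_ats(sample))
```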
More on App Transport Security
As we said earlier, the goal of this policy is to protect the user’s data and keep the user’s information private.
So to avoid the “App Transport Security has blocked a cleartext HTTP (http://) resource load …” error we need to fulfill these conditions:
- Use HTTPS
- TLS v1.2
- Secure ciphers like AES-128, or better.
Although the ATS policy is enabled by default and blocks all connections that do not meet the aforementioned conditions, exceptions like the one we enabled before were provided to allow applications to keep functioning until they could be migrated to secure connections.
Initially, Apple had announced that in January 2017 this feature would be mandatory for all apps distributed through the Apple store.
Still, there are many times when the developer can really do nothing to comply with ATS. Such is the case with those applications that consume software from third-party servers which provide only an API through HTTP. Even if those providers agreed to move to HTTPS support, they would need time to implement the changes.
Aware of that, Apple had announced that exceptions could be requested, and would be examined and accepted (or declined) on an individual basis.
As I write this, Apple has extended the deadline once more (see here) so, for the time being, applications can continue to use plain HTTP connections by enabling the exceptions provided for such cases. Still, the developer should be aware of the advantages, for his user base, of using HTTPS, and use secure connections when possible.