Essential iOS

App Transport Security ATS

suggest change

Parameters

Parameter | Details | ——— | —–– |NSAppTransportSecurity | Configure ATS |NSAllowsArbitraryLoads | Set to YES to disable ATS everywhere. In iOS 10 and later, and macOS 10.12 and later, the value of this key is ignored if any of the following keys are present in your app’s Info.plist file: NSAllowsArbitraryLoadsInMedia, NSAllowsArbitraryLoadsInWebContent, NSAllowsLocalNetworking |NSAllowsArbitraryLoadsInMedia | Set to YES to disable ATS for media loaded using APIs from the AV Foundation framework. (iOS 10+, macOS 10.12+) |NSAllowsArbitraryLoadsInWebContent | Set to YES to disable ATS in your app’s web views (WKWebView, UIWebView, WebView) without affecting your NSURLSession connections. (iOS 10+, macOS 10.12+) |NSAllowsLocalNetworking | Set to YES to disable for connections to unqualified domains and to .local domains. (iOS 10+, macOS 10.12+) |NSExceptionDomains | Configure exceptions for specific domains |NSIncludesSubdomains | Set to YES to apply the exceptions to all subdomains of the selected domain. |NSRequiresCertificateTransparency | Set to YES to require that valid, signed Certificate Transparency (CT) timestamps, from known CT logs, be presented for server (X.509) certificates on a domain. (iOS 10+, macOS 10.12+) |NSExceptionAllowsInsecureHTTPLoads | Set to YES to allow HTTP on the selected domain. |NSExceptionRequiresForwardSecrecy | Defaults to YES; Set to NO to disable Forward Secrecy and accept more ciphers. |NSExceptionMinimumTLSVersion | Defaults to TLSv1.2; Possible values are: TLSv1.0, TLSv1.1, TLSv1.2 |NSThirdPartyExceptionAllowsInsecureHTTPLoads | Similar to NSExceptionAllowsInsecureHTTPLoads, but for domains that you have no control over|NSThirdPartyExceptionRequiresForwardSecrecy | Similar to NSExceptionRequiresForwardSecrecy, but for domains that you have no control over|NSThirdPartyExceptionMinimumTLSVersion | Similar to NSExceptionMinimumTLSVersion, but for domains that you have no control over|

Remarks

The App Transport Security is a security feature in iOS and macOS. It prevents apps from establishing unsecured connections. By default, apps can only use secure HTTPS connections.

If an app needs to connect to a server via HTTP, exceptions must be defined in the Info.plist. (see the examples for more information about that)

Note: In 2017, Apple will enforce ATS. That means, that you can no longer upload apps that have ATS-exceptions defined in the Info.plist. If you can provide good arguments, why you have to use HTTP, you can contact Apple and they might allow you to define exceptions. (Source: WWDC 2016 - Session 706)

More information on the App Transport Security configuration can be found in the CocoaKeys Documentation.

Found a mistake? Have a question or improvement idea? Let me know.

Feedback about page:

Feedback:
Optional: your email if you want me to get back to you:

Table Of Contents