App Transport Security for iOS

Last year with iOS 9, Apple announced a new security requirement for your iOS and OS X apps: App Transport Security.

From Apple’s docs:

Starting in iOS 9.0 and OS X v10.11, a new security feature called App Transport Security (ATS) is available to apps and is enabled by default. It improves the privacy and data integrity of connections between an app and web services by enforcing additional security requirements for HTTP-based networking requests. Specifically, with ATS enabled, HTTP connections must use HTTPS (RFC 2818). Attempts to connect using insecure HTTP fail. Furthermore, HTTPS requests must use best practices for secure communications.

Starting with Xojo 2016 Release 2, this change matters to you because Xojo is now using the updated Apple libraries that have this requirement. Simply stated, it means that if your iOS apps use HTTPSocket or iOSHTMLViewer, then your URLs have to be secure (https). If they are not, you will get an error returned with HTTPSocket and no page displayed in the HTMLViewer.

If you are relying on other services or URLs that do not yet support https, then what do you do? Apple has provided a workaround: you have to specify an exemption in your plist file. In the plist you identify specific URLs for which you want to allow unsecured connections. To do this, create a text file called Info.plist, add this content to it and drag the file to the Navigator to add it to your project:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>firstsite.com</key>
      <dict>
        <key>NSIncludesSubdomains</key>
        <true/>
        <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
        <true/>
      </dict>
      <key>secondsite.com</key>
      <dict>
        <key>NSIncludesSubdomains</key>
        <true/>
        <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
        <true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>

Replace the domain names (or add more) based on your needs. You can also allow all unsecured connections, but Apple may reject App Store submissions that use this without valid reasons:

<key>NSAppTransportSecurity</key>
<dict>
  <!-- Include to allow all connections; avoid if possible -->
  <key>NSAllowsArbitraryLoads</key>
  <true/>
</dict>

For additional information, refer to the Using a plist, Xojo.Net.HTTPSocket and iOSHTMLViewer pages in the docs.

Update (August 10, 2016): Apparently there is a bug in iOS that prevents the use of IP addresses in this plist. To enable HTTP on your local computer for testing, use “localhost” rather than “127.0.0.1”, and be sure to use “http://localhost” in your URLs instead of “http://127.0.0.1”.
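
An added example, not from the original post or from Xojo: a Python check that parses an Info.plist and reports the ATS exemptions described above, so that broad or ineffective entries are visible before an App Store submission. The sample plist is constructed, and audit_ats, is_ip and the severity labels are names assumed for this illustration.

```python
import ipaddress
import plistlib

# Constructed sample Info.plist (not from the original post): the global
# opt-out, one scoped domain exception, and one IP-address entry.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>firstsite.com</key>
      <dict>
        <key>NSIncludesSubdomains</key><true/>
        <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key><true/>
      </dict>
      <key>127.0.0.1</key>
      <dict>
        <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key><true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>"""

INSECURE_KEYS = ("NSTemporaryExceptionAllowsInsecureHTTPLoads",  # key used in the post
                 "NSExceptionAllowsInsecureHTTPLoads")  # Apple's later name for it

def is_ip(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def audit_ats(plist_bytes):
    """Return (severity, domain, message) findings for an Info.plist's ATS section."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads") is True:
        findings.append(("high", "*", "ATS disabled for every domain"))
    for domain, opts in sorted(ats.get("NSExceptionDomains", {}).items()):
        if is_ip(domain):
            findings.append(("info", domain, "IP address entry; use a hostname such as localhost"))
        if any(opts.get(k) is True for k in INSECURE_KEYS):
            scope = "domain and subdomains" if opts.get("NSIncludesSubdomains") else "domain only"
            findings.append(("medium", domain, f"plain HTTP allowed ({scope})"))
    return findings
```

Calling audit_ats on the bytes of a project's Info.plist returns an empty list when no ATS exemptions are declared.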