
App Transport Security on macOS

With Xojo 2018 Release 4, we updated the macOS SDK to 10.14. This means that App Transport Security is now something you need to be aware of for your Mac apps.

From Apple’s docs:

Starting in iOS 9.0 and OS X v10.11, a new security feature called App Transport Security (ATS) is available to apps and is enabled by default. It improves the privacy and data integrity of connections between an app and web services by enforcing additional security requirements for HTTP-based networking requests. Specifically, with ATS enabled, HTTP connections must use HTTPS (RFC 2818). Attempts to connect using insecure HTTP fail. Furthermore, HTTPS requests must use best practices for secure communications.

I first talked about App Transport Security when it started affecting iOS. Starting with Xojo 2018 Release 4, this change matters to your Mac apps because Xojo is now using the updated Mac libraries that have this requirement. Simply stated, it means that if your Mac apps use URLConnection, Xojo.Net.HTTPSocket, HTTPSocket (now deprecated), HTTPSecureSocket or HTMLViewer, then your URLs have to be secure and use https. If they are not secure, you will either get an error returned or no page displayed.

If you are relying on other services or URLs that do not yet support https, then what do you do? Apple has provided a workaround: you have to specify an exemption in your plist file. In the plist you identify specific URLs for which you want to allow unsecured connections. To do this, create a text file called Info.plist, add this content to it and drag the file to the Navigator to add it to your project:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>firstsite.com</key>
      <dict>
        <key>NSIncludesSubdomains</key>
        <true/>
        <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
        <true/>
      </dict>
      <key>secondsite.com</key>
      <dict>
        <key>NSIncludesSubdomains</key>
        <true/>
        <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
        <true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>

Replace the domain names (or add more) based on your needs. You can also allow all unsecured connections, but Apple may reject App Store submissions that use this without valid reasons:

<key>NSAppTransportSecurity</key>
<dict>
  <!-- Include to allow all connections; avoid if possible -->
  <key>NSAllowsArbitraryLoads</key>
  <true/>
</dict>

Keep in mind that Apple may reject your App Store submission if you allow arbitrary URLs without a good reason.
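
As an added example (not from the original post or from Xojo), this Python script audits an app's Info.plist for the two kinds of exemption described above, so a loosened ATS policy is noticed before the app ships. The sample plist and the domain legacy.example are constructed; NSExceptionAllowsInsecureHTTPLoads is Apple's current name for the per-domain key and is checked alongside the older NSTemporary spelling used above.

```python
import plistlib

# Per-domain keys that permit plain HTTP: Apple's current name and the
# older "Temporary" spelling used in the plist above.
INSECURE_KEYS = ("NSExceptionAllowsInsecureHTTPLoads",
                 "NSTemporaryExceptionAllowsInsecureHTTPLoads")

def audit_ats(plist_bytes):
    """Return a list of (severity, message) findings for ATS exemptions."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity") or {}
    findings = []
    if ats.get("NSAllowsArbitraryLoads") is True:
        findings.append(("high", "NSAllowsArbitraryLoads: ATS off by default for every domain"))
    for domain, rules in sorted((ats.get("NSExceptionDomains") or {}).items()):
        if not isinstance(rules, dict):
            continue  # malformed entry, nothing to evaluate
        if any(rules.get(k) is True for k in INSECURE_KEYS):
            scope = "and all subdomains" if rules.get("NSIncludesSubdomains") is True else "only"
            findings.append(("medium", f"{domain} ({scope}): plain HTTP allowed"))
    return findings

# Constructed sample input: one scoped exemption plus the global switch.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example</key>
      <dict>
        <key>NSIncludesSubdomains</key>
        <true/>
        <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
        <true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>"""

if __name__ == "__main__":
    for severity, message in audit_ats(SAMPLE):
        print(f"[{severity}] {message}")
```

Run it against the Info.plist inside the built .app bundle rather than the project copy, since that is the file macOS actually reads.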

For additional information, refer to the Using a plist, URLConnection, Xojo.Net.HTTPSocket and HTMLViewer pages in the Docs.

Need easy server hosting with 1-click SSL support so you can avoid App Transport Security? Be sure to check out Xojo Cloud!