https://developer.apple.com/videos/wwdc/2015/?id=711 @5:55
I can't seem to be able to add this to my info.plist. There is no value it. I'm running XCode Version 7.0 beta (7A121l), and testing on iOS9.
Because I can't specifically declare what URL's I want as seen in the video, I keep getting "App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file" errors.
However, I don't seem to be able to configure it. Any ideas?
This question is related to
ios
objective-c
xcode
ios9
To explain a bit more about ParaSara's answer: App Transport security will become mandatory and trying to turn it off may get your app rejected.
As a developer, you can turn App Transport security off if your networking code doesn't work with it, and you want to continue other development before fixing any problems. Say in a team of five, four can continue working on other things while one fixes all the problems. You can also turn App Transport security off as a debugging tool if you have networking problems and you want to check if they are caused by App Transport security. As soon as you know you should turn it on again immediately.
The solution that you must use in the future is not to use http at all, unless you use a third party server that doesn't support https. If your own server doesn't support https, Apple will have a problem with that. Even with third party servers, I wouldn't bet that Apple accepts it.
Same with the various checks for server security. At some point Apple will only accept justifiable exceptions.
But mostly, consider this: You are endangering the privacy of your customers. That's a big no-no in my book. Don't do that. Fix your code, don't ask for permission to run unsafe code.
Open your info.plist file of your project with any editor of your preference, then add this code at the end of the file before the last
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
Xcode 9.2, Swift 4, this works for me.
<key>App Transport Security Settings</key>
<dict>
<key>Allow Arbitrary Loads</key>
<true/>
</dict>
Xcode 8.2, iOS 10
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
In mac shell command line , use the following command:
plutil -insert NSAppTransportSecurity -xml "<array><string> hidden </string></array>" [location of your xcode project]/Info.plist
The command will add all the necessary values into your plist file.
Update Answer (after wwdc 2016):
IOS apps will require secure HTTPS connections by the end of 2016
App Transport Security, or ATS, is a feature that Apple introduced in iOS 9. When ATS is enabled, it forces an app to connect to web services over an HTTPS connection rather than non secure HTTP.
However, developers can still switch ATS off and allow their apps to send data over an HTTP connection as mentioned in above answers. At the end of 2016, Apple will make ATS mandatory for all developers who hope to submit their apps to the App Store. link
One bad news for developers using NSAppTransportSecurity.
UPDATE:
[Apple will require HTTPS connections for iOS apps by the end of 2016]
XCODE 8, Swift 3: You need to add a row: **
"App transport Security Setting"
** in the info.plist inside information Property list.
That wasn't working for me, but this did the trick:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key><true/>
</dict>
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>com</key>
<dict>
<key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
<true/>
</dict>
<key>net</key>
<dict>
<key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
<true/>
</dict>
<key>org</key>
<dict>
<key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
<true/>
</dict>
</dict>
</dict>
This will allow to connect to .com .net .org
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>uservoice.com</key>
<dict>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSExceptionRequiresForwardSecrecy</key>
<false/>
</dict>
</dict>
</dict>
Source: Stackoverflow.com