How do I load an HTTP URL with App Transport Security enabled in iOS 9

Question

So  the new beta SDK of iOS released last night has  App Transport Security  which encourages developers to use https instead of http  In principle  this is a great idea  and I already use https in our staging production environments  However  I don t have https set up in my local development environment  when the iOS app is connecting to a web service I m running on my laptop   From a bit of playing around this morning  it appears that the URL loading system will  even if you hand it an http URL  decide to use https instead  Does anyone know how to disable this behaviour -- even just for particular URLs

User · Answer

If you just want to disable App Transport Policy for local dev servers then the following solutions work well. It's useful when you're unable, or it's impractical, to set up HTTPS (e.g. when using the Google App Engine dev server).

As others have said though, ATP should definitely not be turned off for production apps.

1) Use a different plist for Debug

Copy your Plist file and NSAllowsArbitraryLoads. Use this Plist for debugging.

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

2) Exclude local servers

Alternatively, you can use a single plist file and exclude specific servers. However, it doesn't look like you can exclude IP 4 addresses so you might need to use the server name instead (found in System Preferences -> Sharing, or configured in your local DNS).

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>server.local</key>
        <dict/>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
    </dict>
</dict>

User · Answer

Compiling answers given by  adurdin and  User  Add followings to your info plist  amp  change localhost com with your corresponding domain name  you can add multiple domains as well    lt key gt NSAppTransportSecurity lt  key gt   lt dict gt       lt key gt NSAllowsArbitraryLoads lt  key gt       lt true  gt       lt key gt NSExceptionDomains lt  key gt       lt dict gt           lt key gt localhost com lt  key gt           lt dict gt               lt key gt NSIncludesSubdomains lt  key gt               lt false  gt               lt key gt NSExceptionAllowsInsecureHTTPLoads lt  key gt               lt false  gt               lt key gt NSExceptionRequiresForwardSecrecy lt  key gt               lt true  gt               lt key gt NSExceptionMinimumTLSVersion lt  key gt               lt string gt TLSv1 2 lt  string gt               lt key gt NSThirdPartyExceptionAllowsInsecureHTTPLoads lt  key gt               lt false  gt               lt key gt NSThirdPartyExceptionRequiresForwardSecrecy lt  key gt               lt true  gt               lt key gt NSThirdPartyExceptionMinimumTLSVersion lt  key gt               lt string gt TLSv1 2 lt  string gt               lt key gt NSRequiresCertificateTransparency lt  key gt               lt false  gt           lt  dict gt       lt  dict gt   lt  dict gt   lt  plist gt    You info plist must looks like this

User · Answer

See Apple   s Info plist reference for full details  thanks  gnasher729    You can add exceptions for specific domains in your Info plist    lt key gt NSAppTransportSecurity lt  key gt   lt dict gt       lt key gt NSExceptionDomains lt  key gt       lt dict gt           lt key gt testdomain com lt  key gt           lt dict gt               lt key gt NSIncludesSubdomains lt  key gt               lt true  gt               lt key gt NSExceptionAllowsInsecureHTTPLoads lt  key gt               lt true  gt               lt key gt NSExceptionRequiresForwardSecrecy lt  key gt               lt true  gt               lt key gt NSExceptionMinimumTLSVersion lt  key gt               lt string gt TLSv1 2 lt  string gt               lt key gt NSThirdPartyExceptionAllowsInsecureHTTPLoads lt  key gt               lt false  gt               lt key gt NSThirdPartyExceptionRequiresForwardSecrecy lt  key gt               lt true  gt               lt key gt NSThirdPartyExceptionMinimumTLSVersion lt  key gt               lt string gt TLSv1 2 lt  string gt               lt key gt NSRequiresCertificateTransparency lt  key gt               lt false  gt           lt  dict gt       lt  dict gt   lt  dict gt    All the keys for each excepted domain are optional  The speaker did not elaborate on any of the keys  but I think they   re all reasonably obvious    Source  WWDC 2015 session 703     Privacy and Your App     30 18   You can also ignore all app transport security restrictions with a single key  if your app has a good reason to do so    lt key gt NSAppTransportSecurity lt  key gt   lt dict gt       lt key gt NSAllowsArbitraryLoads lt  key gt       lt true  gt   lt  dict gt    If your app does not have a good reason  you may risk rejection      Setting NSAllowsArbitraryLoads to true will allow it to work  but Apple was very clear in that they intend to reject apps who use this flag without a specific reason  The main reason to use NSAllowsArbitraryLoads I can think of would be user created content  link sharing  custom web browser  etc   And in this case  Apple still expects you to include exceptions that enforce the ATS for the URLs you are in control of       If you do need access to specific URLs that are not served over TLS 1 2  you need to write specific exceptions for those domains  not use NSAllowsArbitraryLoads set to yes  You can find more info in the NSURLSesssion WWDC session       Please be careful in sharing the NSAllowsArbitraryLoads solution  It is not the recommended fix from Apple        kcharwood  thanks  marco-tolman

User · Answer

Followed this   I have solved it with adding some key in info plist  The steps I followed are    Opened my Projects info plist file Added a Key called NSAppTransportSecurity as a Dictionary  Added a Subkey called NSAllowsArbitraryLoads as Boolean and set its value to YES as like following image     Clean the Project and Now Everything is Running fine as like before   Ref Link

User · Answer

I have solved as plist file     Add a NSAppTransportSecurity   Dictionary   Add Subkey named   NSAllowsArbitraryLoads   as Boolean   YES

User · Answer

As accepted answer has provided required info  and for more info about using and disabling App Transport Security one can find more on this   For Per-Domain Exceptions add these to the Info plist    lt key gt NSAppTransportSecurity lt  key gt   lt dict gt     lt key gt NSExceptionDomains lt  key gt     lt dict gt       lt key gt yourserver com lt  key gt       lt dict gt         lt  --Include to allow subdomains-- gt         lt key gt NSIncludesSubdomains lt  key gt         lt true  gt         lt  --Include to allow HTTP requests-- gt         lt key gt NSTemporaryExceptionAllowsInsecureHTTPLoads lt  key gt         lt true  gt         lt  --Include to specify minimum TLS version-- gt         lt key gt NSTemporaryExceptionMinimumTLSVersion lt  key gt         lt string gt TLSv1 1 lt  string gt       lt  dict gt     lt  dict gt   lt  dict gt    But What If I Don   t Know All the Insecure Domains I Need to Use  Use following key in your Info plist   lt key gt NSAppTransportSecurity lt  key gt   lt dict gt     lt  --Include to allow all connections  DANGER -- gt     lt key gt NSAllowsArbitraryLoads lt  key gt         lt true  gt   lt  dict gt    For more detail you can get from this link

User · Answer

Configurations above didn t work for me  I tried a lot of combinations of keys  this one work fine      lt key gt NSAppTransportSecurity lt  key gt   lt dict gt       lt key gt NSExceptionDomains lt  key gt       lt dict gt           lt key gt mydomain com lt  key gt           lt dict gt               lt key gt NSIncludesSubdomains lt  key gt               lt true  gt               lt key gt NSExceptionAllowsInsecureHTTPLoads lt  key gt               lt true  gt               lt key gt NSExceptionRequiresForwardSecrecy lt  key gt               lt false  gt           lt  dict gt       lt  dict gt   lt  dict gt

User · Answer

Here s what worked for me    lt key gt NSAppTransportSecurity lt  key gt   lt dict gt       lt key gt NSAllowsArbitraryLoads lt  key gt       lt false  gt       lt key gt NSExceptionDomains lt  key gt       lt dict gt           lt key gt  lt  -- your remote server com   localhost -- gt  lt  key gt           lt dict gt               lt key gt NSIncludesSubdomains lt  key gt               lt true  gt               lt key gt NSExceptionAllowsInsecureHTTPLoads lt  key gt               lt true  gt               lt key gt NSExceptionRequiresForwardSecrecy lt  key gt               lt true  gt           lt  dict gt       lt  -- add more domain here -- gt       lt  dict gt   lt  dict gt    I just wanna add this to help others and save some time   if you are using  CFStreamCreatePairWithSocketToHost  make sure your host is the same with what you have in your  plist or if you have separate domain for socket just add it there   CFStreamCreatePairWithSocketToHost NULL     bridge CFStringRef   from  plist     unsigned int port   amp readStream   amp writeStream     Hope this is helpful  Cheers

[ios] How do I load an HTTP URL with App Transport Security enabled in iOS 9?

1) Use a different plist for Debug

2) Exclude local servers

Examples related to ios

Examples related to url

Examples related to nsurl

Examples related to ios9

Examples related to app-transport-security