alecnash

Reputation: 1768

App Transport Security iOS 1st January 2017

I am using the Allow Arbitrary Loads flag in my apps. Apple announced that ATS will be required of all apps as of January 2017. Does this mean that my current apps, which are uploaded on the App Store, are not going to work or that I will not be able to release a new binary with the non-HTTPS configuration?

Upvotes: 2

Views: 997

Answers (2)

humblePilgrim

Reputation: 1806

According to the latest news, Apple has extended the above deadline. Here is an excerpt from Apple's site:

Supporting App Transport Security December 21, 2016

App Transport Security (ATS), introduced in iOS 9 and OS X v10.11, improves user security and privacy by requiring apps to use secure network connections over HTTPS. At WWDC 2016 we announced that apps submitted to the App Store will be required to support ATS at the end of the year. To give you additional time to prepare, this deadline has been extended and we will provide another update when a new deadline is confirmed.

Here's the link

Upvotes: 0

Paulw11

Reputation: 114846

Apps that are already in the store will continue to operate as they do today; ATS exceptions will continue to be recognised by iOS.

If you submit a new version of your app then you will need to provide justification to Apple in your review notes in order to be approved.

There are a number of cases where disabling ATS is the only option, such as:

  • Your app accesses URLs that are supplied by the user, and you cannot require the use of TLS
  • Your app accesses some form of device (e.g. embedded systems) that does not or cannot support TLS, or where issuing (potentially thousands of) certificates to these devices is not practical.

The situation is discussed in this thread including some comments by an Apple employee. Essentially,

... App Review will require “reasonable justification” for most ATS exceptions. The goal here is to flush out those folks who, when ATS was first released, simply turned it off globally and moved on. That will no longer be allowed.

If your app currently has ATS exceptions, you should look at the following:

  • Is it necessary to disable ATS globally or only for specific domains?
  • If you have disabled ATS globally, can you re-enable it for specific domains (e.g. known web service API endpoints)?
  • If you are using WKWebView, can you switch to NSAllowsArbitraryLoadsInWebContent (For this to be sufficient your app must be iOS 10 only)?

For example, I have an app that allows the user to nominate a web page to be displayed in a WKWebView. I have specified NSAllowsArbitraryLoadsInWebContent but also NSAllowsArbitraryLoads since I want my app to work on iOS 9. Finally, I have configured NSExceptionDomains exceptions to re-enable ATS for web services that my app uses where I know TLS is supported.

In my app review notes I explain the need for NSAllowsArbitraryLoads due to user content and iOS 9 support.

Upvotes: 3
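The checklist in the answer above can be run against an app's Info.plist. The following is an added example, not code from the thread: the plist is constructed to mirror the configuration the answer describes, `api.example.com` is a placeholder domain, and `audit_ats` is a hypothetical helper name.

```python
import plistlib

# Constructed Info.plist mirroring the setup in the answer above;
# api.example.com is a placeholder for a web service known to support TLS.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSAllowsArbitraryLoadsInWebContent</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>api.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><false/>
        <key>NSIncludesSubdomains</key><true/>
      </dict>
    </dict>
  </dict>
</dict></plist>"""


def audit_ats(plist_bytes):
    """Summarise ATS settings and list the points to justify to App Review."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    domains = ats.get("NSExceptionDomains", {})
    insecure = sorted(d for d, cfg in domains.items()
                      if cfg.get("NSExceptionAllowsInsecureHTTPLoads", False))
    report = {
        "global_off": bool(ats.get("NSAllowsArbitraryLoads", False)),
        "web_content_off": bool(ats.get("NSAllowsArbitraryLoadsInWebContent", False)),
        "http_allowed": insecure,
        # With ATS off globally, a domain entry that does not allow insecure
        # HTTP loads puts that domain back under ATS.
        "ats_enforced": sorted(set(domains) - set(insecure)),
        "notes": [],
    }
    if report["global_off"]:
        report["notes"].append("NSAllowsArbitraryLoads set: justify in review notes")
        if not report["ats_enforced"]:
            report["notes"].append("ATS off globally and re-enabled for no domain")
        if not report["web_content_off"]:
            report["notes"].append("no NSAllowsArbitraryLoadsInWebContent: "
                                   "check whether web content is the only need")
    report["notes"] += [f"{d}: insecure HTTP allowed, justify" for d in insecure]
    return report


if __name__ == "__main__":
    print(audit_ats(SAMPLE_PLIST))
```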
