App Transport Security (ATS) in iOS Apps
App Transport Security, or ATS for short, was announced with iOS 9.
App Transport Security is a feature that works on the network layer to protect data transmitted between client and server.
ATS requires that all HTTP connections made with the URL Loading System — typically using the URLSession class — use HTTPS.
It further imposes extended security checks that supplement the default server trust evaluation prescribed by the Transport Layer Security (TLS) protocol.
ATS blocks connections that fail to meet minimum security specifications. For additional details, see Preventing Insecure Network Connections. — Apple
If connections don’t meet the security specifications, ATS blocks them according to the configured settings.
Although it’s highly recommended to keep ATS enabled, you can disable it for specific domains.
Let’s take a look at the App Transport Security Setting keys.
Adding the following snippet to the target’s Info.plist means that the application doesn’t allow network requests that don’t comply with the strict rules defined by App Transport Security (ATS).
You can also disable App Transport Security pretty easily, as you can see below.
Don’t forget that Apple does not recommend doing this.
However, you can exclude specific domains or subdomains, defined in the App Transport Security settings, for which you want it disabled.
It’s pretty easy to add an exception domain and have the exception cover its subdomains.
As you can see in the above snippet, we enabled App Transport Security with one exception domain, example.com.
The NSIncludesSubdomains key specifies whether the exception also applies to the domain’s subdomains.
The NSExceptionAllowsInsecureHTTPLoads key allows HTTP requests made to that domain.
You can read more about App Transport Security Settings that are well-documented here: https://developer.apple.com/documentation/bundleresources/information_property_list/nsapptransportsecurity
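The configuration described above (ATS enabled, with example.com as an exception domain) can be checked automatically before a release. The following Python script is an added example, not code from the original article: the embedded Info.plist is constructed from the keys named above, and the function names `audit_ats` and `http_allowed` are hypothetical.

```python
import plistlib

# Constructed Info.plist: ATS stays on, example.com is the single exception domain.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <false/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>example.com</key>
      <dict>
        <key>NSIncludesSubdomains</key>
        <true/>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>"""

def audit_ats(plist_bytes):
    """Return (severity, message) findings for settings that weaken ATS."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads", False):
        findings.append(("high", "ATS disabled globally (NSAllowsArbitraryLoads)"))
    for domain, cfg in ats.get("NSExceptionDomains", {}).items():
        if cfg.get("NSExceptionAllowsInsecureHTTPLoads", False):
            scope = "and all subdomains" if cfg.get("NSIncludesSubdomains", False) else "only"
            findings.append(("medium", f"plain HTTP allowed for {domain} {scope}"))
    return findings

def http_allowed(plist_bytes, host):
    """Simplified model (assumption): a matching exception domain takes
    precedence over the global NSAllowsArbitraryLoads value."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    for domain, cfg in ats.get("NSExceptionDomains", {}).items():
        is_sub = cfg.get("NSIncludesSubdomains", False) and host.endswith("." + domain)
        if host == domain or is_sub:
            return bool(cfg.get("NSExceptionAllowsInsecureHTTPLoads", False))
    return bool(ats.get("NSAllowsArbitraryLoads", False))
```

Running `audit_ats` over the built app’s Info.plist in CI makes every insecure-HTTP exception visible at review time instead of after release.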
Mobile app usage is rising, and security issues have become a significant concern. Every developer faces security concerns when developing a financial app or transferring sensitive data. For that reason, we have to follow all the rules recommended by Apple.
In the next step, I will explain SSL pinning on top of the App Transport Security settings.