How to Disable App Transport Security

Brian Gilham · Essays

If you eagerly fired up iOS 9 and watchOS 2 yesterday, you may have noticed something strange, at least if your app relies on NSURLSession.

06/11/15: Steven Peterson has posted an update, showing how to explicitly define per-domain exceptions to ATS. The method described below should only be used as a last resort.

In iOS 9, Apple is introducing App Transport Security. ATS enforces best practices during network calls, including the use of HTTPS.

From the docs:

ATS prevents accidental disclosure, provides secure default behavior, and is easy to adopt. You should adopt ATS as soon as possible, regardless of whether you’re creating a new app or updating an existing one. If you’re developing a new app, you should use HTTPS exclusively. If you have an existing app, you should use HTTPS as much as you can right now, and create a plan for migrating the rest of your app as soon as possible.

If, however, your app relies on a non-HTTPS API outside of your control, this is problematic.

While the documentation also mentions:

App Transport Security (ATS) lets an app add a declaration to its Info.plist file that specifies the domains with which it needs secure communication.

It currently fails to describe the Info.plist keys needed to specify exceptions to ATS.

After a lot of searching last night, Steven Peterson found one solution: disabling ATS entirely. Simply include the following in your Info.plist file:

Obviously this is not ideal.

He also turned up two other keys: NSExceptionDomains and NSIncludesSubdomains. However, neither one of us has been able to figure out how to successfully use them.

With any luck the documentation will be updated in short order and we can update our apps to use ATS properly. Until then, Steven’s solution does just the trick.