How to Add NSAppTransportSecurity to My Info.plist File

How can I add NSAppTransportSecurity to my info.plist file?

Try this; it worked for me in Xcode-beta 4 7.0:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>yourdomain.com</key>
        <dict>
            <!--Include to allow subdomains-->
            <key>NSIncludesSubdomains</key>
            <true/>
            <!--Include to allow HTTP requests-->
            <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <!--Include to specify minimum TLS version-->
            <key>NSTemporaryExceptionMinimumTLSVersion</key>
            <string>TLSv1.1</string>
        </dict>
    </dict>
</dict>

One more option: if you want to disable ATS, you can use this:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

But this is not recommended at all. The server should have SSL certificates so that there are no privacy leaks.

NSAppTransportSecurity option not listed in Xcode plist editor

Xcode 7.1 lists the option in the dropdown (App Transport Security Settings). In earlier versions you need to type the raw key NSAppTransportSecurity and set the type to dictionary.

Why does one have to add `NSAppTransportSecurity` and set the `NSAllowsArbitraryLoads` key to `YES`?

App Transport Security was introduced with iOS 9 as an additional security feature when connecting your app to the web.

From Apple's documentation:

App Transport Security is a feature that improves the security of
connections between an app and web services. The feature consists of
default connection requirements that conform to best practices for
secure connections. Apps can override this default behavior and turn
off transport security.

One of the requirements is that all connections have to use HTTPS. This is why all connections that only use HTTP will fail on iOS 9.

If you are using a service that is not available via HTTPS, you can still use it by overriding the App Transport Security. That's what the NSAppTransportSecurity dictionary in your Info.plist file is for. There you can define which App Transport Security requirement you wish to override.

For example, NSAllowsArbitraryLoads disables all security requirements for any domains. You can define exceptions in the NSExceptionDomains dictionary, but if you don't do that, all domains will be allowed to connect to your app without App Transport Security.

When you want to connect to a single domain that does not use HTTPS, you should not use NSAllowsArbitraryLoads, because that disables all the security for all domains. Instead, you should specifically override the HTTPS requirement for this one domain only.

You can do that like this in your Info.plist file:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>yourdomain.com</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
</dict>

To sum things up: App Transport Security is a good thing, because it encourages you to use HTTPS connections, which are more secure than ordinary HTTP connections. Because you cannot always use HTTPS, it offers you the opportunity to allow insecure connections. It is good practice to use these security overrides only exactly where you need them.

How do I load an HTTP URL with App Transport Security enabled in iOS 9?

See Apple’s Info.plist reference for full details (thanks @gnasher729).

You can add exceptions for specific domains in your Info.plist:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>testdomain.com</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <key>NSExceptionRequiresForwardSecrecy</key>
            <true/>
            <key>NSExceptionMinimumTLSVersion</key>
            <string>TLSv1.2</string>
            <key>NSThirdPartyExceptionAllowsInsecureHTTPLoads</key>
            <false/>
            <key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
            <true/>
            <key>NSThirdPartyExceptionMinimumTLSVersion</key>
            <string>TLSv1.2</string>
            <key>NSRequiresCertificateTransparency</key>
            <false/>
        </dict>
    </dict>
</dict>

All the keys for each excepted domain are optional. The speaker did not elaborate on any of the keys, but I think they’re all reasonably obvious.

(Source: WWDC 2015 session 703, “Privacy and Your App”, 30:18)

You can also ignore all app transport security restrictions with a single key, if your app has a good reason to do so:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

If your app does not have a good reason, you may risk rejection:

Setting NSAllowsArbitraryLoads to true will allow it to work, but Apple was very clear in that they intend to reject apps that use this flag without a specific reason. The main reason to use NSAllowsArbitraryLoads I can think of would be user-created content (link sharing, custom web browser, etc). And in this case, Apple still expects you to include exceptions that enforce the ATS for the URLs you are in control of.

If you do need access to specific URLs that are not served over TLS 1.2, you need to write specific exceptions for those domains, not use NSAllowsArbitraryLoads set to yes. You can find more info in the NSURLSession WWDC session.

Please be careful in sharing the NSAllowsArbitraryLoads solution. It is not the recommended fix from Apple.

— kcharwood (thanks @marco-tolman)

Transport security has blocked a cleartext HTTP

If you are using Xcode 8.0+ and Swift 2.2+ or even Objective C:

If you want to allow HTTP connections to any site, you can use these keys:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

If you know which domains you will connect to, add:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>example.com</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <key>NSIncludesSubdomains</key>
            <true/>
        </dict>
    </dict>
</dict>

Xcode: App Transport Security

You need to change the settings under Target -> Info.