How to Figure Out Which Url Is Being Blocked by App Transport Security

How can I figure out which URL is being blocked by App Transport Security?

Editor Note: @jessedc points out in the comments below the link to the official Apple documentation on how to do this: https://developer.apple.com/library/content/qa/qa1887/_index.html

Okay, I have an answer I don't like! I still very much want a better one.

In my application:didFinishLaunchingWithOptions: method I added the line

setenv("CFNETWORK_DIAGNOSTICS", "3", 1);

When I ran the app then, in the log I can find an entry that looks like this:

2015-07-02 15:27:56.152 MyApp[45041:9125662] CFNetwork diagnostics log file
created at: /Users/micah.hainline/Library/Developer/CoreSimulator/Devices/
11BCA581-5F5F-494D-932A-2ECFCA33EA93/data/Containers/Data/Application/
9ACC6941-8039-4B86-B5E8-A6C66E2AD520/Library/Logs/CrashReporter/CFNetwork_com
.myapp.MyApp_45041.nwlrb.log

When I open that file I have a huge number of log entries about everything that's happened on the network. I search for kCFErrorDomainCFNetwork in that file and get logs for failed network requests. I can use that to see what URLs the system was trying to hit, and then can add that URL to the exceptions for App Transport Security.

Transport security has blocked a cleartext HTTP

If you are using Xcode 8.0+ and Swift 2.2+ or even Objective C:

If you want to allow HTTP connections to any site, you can use this keys:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

If you know which domains you will connect to add:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>example.com</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <key>NSIncludesSubdomains</key>
            <true/>
        </dict>
    </dict>
</dict>

App Transport Security blocks routing via custom url scheme

This issue has been resolved. I logged out the endpoint I was hitting and checked if it satisfied ATS requirements by doing in Terminal:

nscurl --ats-diagnostics https://www.example.com/

It turned out that the particular subdomain I was trying to fetch failed all ATS requirements. My server team has fixed the issue and made the endpoint secure.

App Transport Security has blocked a cleartext HTTP resource

You need to correct it like this:

To make it easier, this is the correct xml in the info.plist

<key>NSAppTransportSecurity</key>
    <dict>
        <key>NSExceptionDomains</key>
        <dict>
            <key>localhost</key>
            <dict>
                <key>NSIncludesSubdomains</key>
                <true/>
                <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
                <true/>
                <key>NSTemporaryExceptionMinimumTLSVersion</key>
                <string>TLSv1.1</string>
            </dict>
        </dict>
    </dict>

change the localhost to your actual server

Check the table for NSAppTransportSecurity options

If you want to all communications with any domain, you can do this:

 <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSAllowsArbitraryLoads</key>
        <true/>
    </dict>

However, you should use the latest just in the developing phase.

iOS app API calls blocked by App Transport Security

Seems that your app is still trying to access the server in http and not https. Have you reviewed all the urls that your app is accessing?

Maybe your server send the application redirects to an http site?

Try to add a breakpoint on your networking layer and review the urls you are trying access.

---

Related Topics