How can I add NSAppTransportSecurity to my info.plist file?

Question

https://developer.apple.com/videos/wwdc/2015/?id=711 @5:55

I can't seem to be able to add this to my info.plist. There is no value it. I'm running XCode Version 7.0 beta (7A121l), and testing on iOS9.

Because I can't specifically declare what URL's I want as seen in the video, I keep getting "App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file" errors.

However, I don't seem to be able to configure it. Any ideas?

You don't really have a question anymore, you should just go ahead and answer your own question and then accept after the appropriate time delay. — Norman H, Jul 15 '15 at 23:23
what is a domain name ? is this a server base url or any other ? and where to find my app domain name ? — Nik, Jul 30 '15 at 06:40
Domain name is one of the most common term used . Well this is one which is bought and then after hosting you can use it as server base url which you use for API's. There is nothing like app domain name. So you can use the domain name as the one where API's are written. — Ashish, Aug 19 '15 at 10:38

Ashish · Accepted Answer · 2015-08-19T10:27:27.777

147

try With this --- worked for me in Xcode-beta 4 7.0

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>yourdomain.com</key>
        <dict>
            <!--Include to allow subdomains-->
            <key>NSIncludesSubdomains</key>
            <true/>
            <!--Include to allow HTTP requests-->
            <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <!--Include to specify minimum TLS version-->
            <key>NSTemporaryExceptionMinimumTLSVersion</key>
            <string>TLSv1.1</string>
        </dict>
    </dict>
</dict>

Also one more option, if you want to disable ATS you can use this :

<key>NSAppTransportSecurity</key>  
 <dict>  
      <key>NSAllowsArbitraryLoads</key><true/>  
 </dict>

But this is not recommended at all. The server should have the SSL certificates and so that there is no privacy leaks.

edited Aug 19 '15 at 10:27

answered Jul 25 '15 at 05:46

Ashish

1,978
1
15
7

I have XCode 7.2 (7C68) and I have modified (by disabling completely ATS) the info.plist of my test project. But it is not working. Any clue? – Sanandrea Jan 30 '16 at 17:14
generally it does work... can you paste ur code here and then we can see – Ashish Feb 01 '16 at 11:54
And also if you have two or more domanis you have to add `NSAllowsArbitraryLoads NSExceptionDomains ` Otherwise for me it didn't work for release version for some reason – P.Lorand Jun 27 '18 at 09:20

score 109 · Answer 2 · edited Sep 24 '15 at 08:15

109

You have to add just the NSAllowsArbitraryLoads key to YES in NSAppTransportSecurity dictionary in your info.plist file.

For example,

 <key>NSAppTransportSecurity</key>
 <dict>
      <key>NSAllowsArbitraryLoads</key>
     <true/>
 </dict>

edited Sep 24 '15 at 08:15

Pawan Rai

3,434
4
32
42

answered Sep 24 '15 at 06:44

Hiren Varu

1,447
1
9
8

2

This is a workaround. The real issue is death with in @Ashish's answer – judepereira Aug 12 '16 at 09:14

score 49 · Answer 3 · edited Sep 23 '15 at 13:23

49

That wasn't working for me, but this did the trick:

<key>NSAppTransportSecurity</key>  
     <dict>  
          <key>NSAllowsArbitraryLoads</key><true/>  
     </dict>

edited Sep 23 '15 at 13:23

Chintan Rathod

25,864
13
83
93

answered Jul 25 '15 at 18:51

Bobby

6,115
4
35
36

I think you mean `` instead of `` – Clifton Labrum Sep 18 '15 at 16:28
1

From security point of view, this is exactly a way, how NOT to do it, because nobody will ever review this section of code and update it to properly specified domains. – igraczech Sep 29 '15 at 12:13
1

This is not a good practice. Rather we should allow specific domains. – Ashish Feb 17 '16 at 08:38
3

For other newbies like me: Make sure to put this at the correct position (at the end, enclosed by the existing `` and `` tags: – Pwdr May 15 '17 at 16:43

score 25 · Answer 4 · answered Sep 17 '15 at 19:19

25

Just to clarify ... You should always use httpS

But you can bypass it adding the exception:

answered Sep 17 '15 at 19:19

Manuel Pardo

699
7
6

score 13 · Answer 5 · answered Dec 15 '16 at 08:32

13

Xcode 8.2, iOS 10

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

answered Dec 15 '16 at 08:32

Oleh Malovichko

131
2
6

Paraneetharan Saravanaperumal · Answer 6 · 2016-06-15T09:02:34.703

4

Update Answer (after wwdc 2016):

IOS apps will require secure HTTPS connections by the end of 2016

App Transport Security, or ATS, is a feature that Apple introduced in iOS 9. When ATS is enabled, it forces an app to connect to web services over an HTTPS connection rather than non secure HTTP.

However, developers can still switch ATS off and allow their apps to send data over an HTTP connection as mentioned in above answers. At the end of 2016, Apple will make ATS mandatory for all developers who hope to submit their apps to the App Store. link

edited Jun 15 '16 at 09:02

answered Jun 15 '16 at 08:56

Paraneetharan Saravanaperumal

4,699
2
18
29

after end of this year, new app or update app without using https will be rejected. what about existing app with the bypass ? (we need a force update ?) – Paraneetharan Saravanaperumal Jun 15 '16 at 10:03

score 3 · Answer 7 · answered Dec 20 '15 at 12:34

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>com</key>
        <dict>
            <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
        <key>net</key>
        <dict>
            <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
        <key>org</key>
        <dict>
            <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
</dict>

This will allow to connect to .com .net .org

Thank you for an example showing how to add multiple domains. — AtheistP3ace, May 20 '16 at 15:51

score 3 · Answer 8 · answered Jul 13 '16 at 08:51

<key>NSAppTransportSecurity</key>
    <dict>
        <key>NSExceptionDomains</key>
        <dict>
            <key>uservoice.com</key>
            <dict>
                <key>NSIncludesSubdomains</key>
                <true/>
                <key>NSExceptionRequiresForwardSecrecy</key>
                <false/>
            </dict>
        </dict>
    </dict>

score 2 · Answer 9 · answered Dec 18 '16 at 14:04

In mac shell command line , use the following command:

plutil -insert NSAppTransportSecurity -xml "<array><string> hidden </string></array>" [location of your xcode project]/Info.plist

The command will add all the necessary values into your plist file.

score 2 · Answer 10 · answered Oct 20 '20 at 08:19

2

Open your info.plist file of your project with any editor of your preference, then add this code at the end of the file before the last

<key>NSAppTransportSecurity</key>
<dict>
   <key>NSAllowsArbitraryLoads</key>
<true/>
</dict>

answered Oct 20 '20 at 08:19

2apreety18

181
3
8

score 1 · Answer 11 · answered Jun 15 '16 at 09:09

To explain a bit more about ParaSara's answer: App Transport security will become mandatory and trying to turn it off may get your app rejected.

As a developer, you can turn App Transport security off if your networking code doesn't work with it, and you want to continue other development before fixing any problems. Say in a team of five, four can continue working on other things while one fixes all the problems. You can also turn App Transport security off as a debugging tool if you have networking problems and you want to check if they are caused by App Transport security. As soon as you know you should turn it on again immediately.

The solution that you must use in the future is not to use http at all, unless you use a third party server that doesn't support https. If your own server doesn't support https, Apple will have a problem with that. Even with third party servers, I wouldn't bet that Apple accepts it.

Same with the various checks for server security. At some point Apple will only accept justifiable exceptions.

But mostly, consider this: You are endangering the privacy of your customers. That's a big no-no in my book. Don't do that. Fix your code, don't ask for permission to run unsafe code.

score 1 · Answer 12 · answered Jun 16 '16 at 07:52

1

One bad news for developers using NSAppTransportSecurity.

UPDATE:
[Apple will require HTTPS connections for iOS apps by the end of 2016]

https://techcrunch.com/2016/06/14/apple-will-require-https-connections-for-ios-apps-by-the-end-of-2016/

answered Jun 16 '16 at 07:52

Kahng

189
1
8

score 1 · Answer 13 · answered Jan 21 '17 at 19:07

1

XCODE 8, Swift 3: You need to add a row: **

"App transport Security Setting"

** in the info.plist inside information Property list.

answered Jan 21 '17 at 19:07

Robert Juamarcal

167
2
10

How can I add NSAppTransportSecurity to my info.plist file?

13 Answers13

Linked

Related