Transport security has blocked a cleartext HTTP

Question

What setting do I need to put in my info.plist to enable HTTP mode as per the following error message?

Transport security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file.

Assume that my domain is example.com.

**Moderator Note**: There are already 36 answers to this question. Before adding *another*, please make sure your solution is **new**. — Matt, Jul 11 '16 at 17:45
**NOTE:** Solutions here suggest that you should turn ATS off (`Allow arbitary loads`). Soon this won't be possible since **Apple will require ATS** (Originally the end of the year - deadline has been extended) - https://developer.apple.com/news/?id=12212016b — Jakub Truhlář, Jan 03 '17 at 15:55
https://firebase.google.com/docs/admob/ios/app-transport-security — Alex1987, Jan 04 '17 at 11:52
@Jeef why have you added iOS 10 tag? were there any additional changes in iOS 10 in that matter? I feel that it was introduced in iOS9 and that tag should be sufficient in terms of iOS versions — Julian, Sep 27 '18 at 13:47

score 1012 · Answer 1 · edited Oct 05 '19 at 13:32

1012

Use NSAppTransportSecurity:

You have to set the NSAllowsArbitraryLoads key to YES under NSAppTransportSecurity dictionary in your info.plist file.

edited Oct 05 '19 at 13:32

Gaurav Singla

2,271
26
43

answered Aug 04 '15 at 10:42

User123335511231

11,654
4
18
22

173

Let it be known: **THIS IS A WORKAROUND!** Anytime you're using HTTP over HTTPS you are opening up your user's device(s) to vulnerabilities. Sure it's unlikely in many cases but ethical programming is best practice. Just sayin' ... - also, +1 for the working (for testing purposes) – Jacksonkr Aug 29 '15 at 17:37
1

Thanks. Anyway ... Of course this is just a workaround. Production apps should always use https whenever possible. I only use this workaround for development phase. – Firanto Aug 31 '15 at 12:30
43

This is NOT a solution - this is a HACK! To add individual domain "exceptions" see this answer below: http://stackoverflow.com/a/32560433/1103584 – DiscDev Sep 16 '15 at 17:25
2

This is a bad answer because it chooses the LEAST secure solution to the problem and offers it alone, with absolutely no context which might inform the questioner as to what implications need to be considered when choosing this option, or what problems they might encounter. Since there was already an answer that gave a more secure solution, but also included this solution with the necessary caveat, your answer was totally unnecessary and obsolete before ever being posted. This is a bad answer. – Leo Flaherty Oct 01 '15 at 11:10
21

While this solution is known to be vulnerable, it is the **only** solution I would recommend during **DEVELOPMENT**. Having to type in every exact domain during development is just silly (especially if you are using third party web services). – reTs Nov 03 '15 at 11:42
1

Although this solution is known as a "workaround", sometimes it's the *only* solution. My app uses third party web services, and need redirect users to URLs of all kinds of different product webs which might use http instead of https. It's impossible to explicitly write down all domain names in the exception list. – euccas Nov 21 '15 at 21:16
2

KMLong and whyceewhite have (and had at the time of this answer) both already given answers which include the information included here as well as a more secure solution which is better to use when possible, as well as an explanation of why the problem is happening in the first place and what needs to be considered when choosing how to address it. This answer on the other hand merely shoves some code that is easy to copy-paste without giving anyone any concept of what consequences it might have. Anyone who's serious about making a good product should care about understanding what they're doing – Leo Flaherty Nov 23 '15 at 10:23
6

Name of those keys have changed now "App Transport Security Settings" under that "Allow Arbitrary Loads" – vishal dharankar Dec 21 '15 at 11:28
I just updated my apps to IOS 9. This security improvement seems pretty half baked (like the original iCloud APIs). I ended up using this override, although I tried putting individual sites. They failed intermittently with app transport errors, so I gave up. Guess we have to wait until IOS 10 – ski_squaw Jan 15 '16 at 19:43
@Jacksonkr: there are servers you can't control directly, you can't ask them to switch to https – Mar 24 '16 at 12:58
1

@IanBell Technically you *can* ask them, but to your point they can always say no. My aim was to put caution out there, that is all. – Jacksonkr Mar 24 '16 at 13:19
@Jacksonkr: very often lots of open data are not https – Mar 24 '16 at 13:42
16

Why are so many people against this solution? This definitely is NOT a hack! Many apps need to communicate to the actual internet where the security protocol is not always under your control. For example, it seems very reasonable to be able to show images from other servers that don't have an SSL certificate. – Oren Apr 05 '16 at 04:31
It is never going to work after this year. http://stackoverflow.com/questions/31254725/transport-security-has-blocked-a-cleartext-http/37830469#37830469 – Paraneetharan Saravanaperumal Jun 15 '16 at 10:10
@ParaSara That is not true. You will simply need to provide a justification to Apple. If you have a valid reason to disable ATS, they will allow it. Now, it remains to be seen what Apple sees as a "valid reason". Also, you can continue to disable the forward secrecy aspect of ATS with no need for justification. – wottle Aug 02 '16 at 18:25
@Oren You can trivially set up an image proxy, if you need to do that. People are against disabling ATS because it is a significant security risk, and it's not something you should ever do. – Sven Slootweg Sep 29 '17 at 09:19
Yes, this is a workaround, the correct solution is not up to iOS development, the endpoint you are using should be secure HTTPS. – User123335511231 Aug 25 '19 at 08:42
How do I achieve this exception functionality through config profile ? Considering config profile having same architecture like a .plist file, I tried adding `NSAppTransportSecurity` along with required parameters but still getting ATS error. Please help. – node_analyser Mar 12 '22 at 10:50
From the official Apple developer site: https://developer.apple.com/news/?id=jxky8h89. Here you can set exceptions for a specific domain. – Neur0 Jun 15 '22 at 09:38

score 856 · Answer 2 · edited Nov 14 '15 at 20:35

856

Here are the settings visually:

edited Nov 14 '15 at 20:35

Undo

25,519
37
106
129

answered Nov 14 '15 at 19:08

Cerniuk

14,220
2
29
27

I am using PhoneGap and this worked perfectly. Exactly the trick to avoid the issue. Now I can build. Thank you! – Paul Nov 20 '15 at 18:40
12

I don't have that option. – User Mar 29 '16 at 03:26
26

If you open your Info.plist directly you can just add the **NSAppTransportSecurity** dictionary, and then create the **NSAllowsArbitraryLoads** item within that (see the answer edited by Umar Farooq, below). – Stoph Apr 01 '16 at 15:40
The silver bullet worked for me, but the Exception domains did not. – JavaLatte Apr 02 '16 at 19:43
3

Same here -- exception domains didn't work with 7.3 for me. – RegularExpression Apr 10 '16 at 05:15
1

i was busy configuring info.plist which didnt work until i see this! thanks ;) – Umit Kaya Apr 21 '16 at 03:56
exception domains weren't working for me, either, but i figured out why - the domain I was trying to contact (in my case, covers.openlibrary.org) was only redirecting to a different domain (in my case, ol-covers1.us.archive.org) - when I added that 2nd domain as an exception domain, it worked. – Epaga Apr 25 '16 at 17:48
@nickalchemist: It's working on iOs 9.3.1. Just met with the same problem. – nafsaka Jun 01 '16 at 07:31
i am using xcode 7, and while i was testing my app on an ipad I encounterd this problem, this particular solution helped me and fixed it. – samouray Jun 08 '16 at 08:58
It is never going to work after this year. http://stackoverflow.com/a/37830469/4947520 – Paraneetharan Saravanaperumal Jun 15 '16 at 10:09
4

This option does not exist - XCode 7.3.1 – jameshfisher Jun 23 '16 at 13:14
**NOTE**: Soon this won't be possible since **Apple will require ATS** (Originally the end of the year - deadline has been extended) - https://developer.apple.com/news/?id=12212016b – Jakub Truhlář Jan 03 '17 at 15:57
2

Right click `App Transport Security Settings`, not `Bundle OS Type Code` – bigpotato Jan 17 '17 at 20:40
2

When you add an domain to the `Exception Domains`, you need to make it look like this: https://www.dropbox.com/s/3q32sx1h5t6hu20/Screenshot%202017-02-11%2001.49.49.png?dl=0 – Joshua Pinter Feb 11 '17 at 08:51
1

Also, I read somewhere that the docs say the domain must be a string, **not** an IP Address. – Joshua Pinter Feb 11 '17 at 19:56
3

The info from @JoshPinter worked for me with XCode 8. – Matthew Bellantoni Mar 21 '17 at 19:32
This works in Xcode Version 8.2.1 (8C1002), March 2017 - Thanks. – BHUVANESH MOHANKUMAR Mar 23 '17 at 14:10
FYI, this IS the contents of your info.plist – Alex Zavatone Mar 10 '19 at 20:53

score 767 · Answer 3 · edited Jun 20 '22 at 12:59

767

See the forum post Application Transport Security?.

For example, you can add a specific domain like:

<key>NSAppTransportSecurity</key>
<dict>
  <key>NSExceptionDomains</key>
  <dict>
    <key>example.com</key>
    <dict>
      <!--Include to allow subdomains-->
      <key>NSIncludesSubdomains</key>
      <true/>
      <!--Include to allow HTTP requests-->
      <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
      <true/>
      <!--Include to specify minimum TLS version-->
      <key>NSTemporaryExceptionMinimumTLSVersion</key>
      <string>TLSv1.1</string>
    </dict>
  </dict>
</dict>

The lazy option is:

<key>NSAppTransportSecurity</key>
<dict>
  <!--Include to allow all connections (DANGER)-->
  <key>NSAllowsArbitraryLoads</key>
      <true/>
</dict>

###Note:

info.plist is an XML file so you can place this code more or less anywhere inside the file.

edited Jun 20 '22 at 12:59

Neur0

367
5
13

answered Jul 06 '15 at 20:19

KMLong

8,345
2
16
19

1

How can I do that, I mean what is the way to add this code to the Info.plist because I do not know where to paste this code? – lmiguelvargasf Jul 30 '15 at 15:08
2

@lmiguelvargasf open your info.plist in a plain text editor – Dan Beaulieu Jul 30 '15 at 20:24
1

Works fine for me with beta 5. This should be the accepted answer. – Pierre Aug 18 '15 at 11:15
The lazy options worked always. The domain option worked only if I added "www.mywebpage.com" in the .pliest file which I opened as source code. This solution worked for Xcode 7.0 beta 5 (7A176X) iOS 9.0 beta. self.thankYou("@KMLong") :) – MB_iOSDeveloper Aug 27 '15 at 09:12
by lazy options ,all web service working fine except one web service one web service return **internal server error (500)** in iOS 9 but working fine in iOS8 or later – amit gupta Sep 22 '15 at 10:20
I love the lazy option ahahha :) The thing is though, what if you have lots of different website links which could potentially load.... you can't list them all..... – Supertecnoboff Oct 02 '15 at 10:51
1

Probably good to show official apple docs: https://developer.apple.com/library/prerelease/ios/technotes/App-Transport-Security-Technote/ – hris.to Oct 06 '15 at 08:28
9

I still get the error: exception domain is set and NSAllowsArbitraryLoads is false. Even with NSAllowsArbitraryLoads set true the error shows up. Does anyone else here have this issue? – klaevv Oct 13 '15 at 12:57
3

As of 1/30/2016 Apple doc shows that the keys no longer have the Temporary word in them, e.g.: NSExceptionAllowsInsecureHTTPLoads NSExceptionMinimumTLSVersion See https://developer.apple.com/library/prerelease/ios/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html – Philippe Monnet Jan 30 '16 at 21:32
3

In case anyone else is pulling their hair out because doing these simple changes to info.plist isn't working.. add the changes to Project>Target>Info>Custom iOS Target Properties – BlueGuy Feb 24 '16 at 07:26
Im on XCode 7.2. Changed the keys without "Temporary" word in them. Still doesn't work. Anybody found a solution? – GeneCode Mar 08 '16 at 08:39
Thanks, mate! Worked fine on 9.2.1. Cheers. – Felipe Mar 17 '16 at 18:48
9.2.1 gives same error for me if i also add NSExceptionDomains after NSAllowsArbitraryLoads – user1709076 Mar 18 '16 at 13:29
Can´t use IOS simulator with this, only real devices – Tiago_nes Jul 06 '18 at 10:13
The best option for me was to make the api run in https – Tiago_nes Jul 06 '18 at 11:10

score 597 · Accepted Answer · edited Sep 24 '20 at 18:21

597

If you are using Xcode 8.0+ and Swift 2.2+ or even Objective C:

If you want to allow HTTP connections to any site, you can use this keys:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

If you know which domains you will connect to add:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>example.com</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <key>NSIncludesSubdomains</key>
            <true/>
        </dict>
    </dict>
</dict>

edited Sep 24 '20 at 18:21

Itay Brenner

800
6
19

answered Oct 28 '16 at 07:06

Anit Kumar

8,075
1
24
27

35

Why is `NSAllowsArbitraryLoads` set to `true`? You subvert the purpose of ATS. Also see [The most dangerous code in the world: validating SSL certificates in non-browser software](http://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html). Your software just made the list. – jww Jun 06 '17 at 04:04
8

@jww This is the purpose of this post. The site I need to connect to to play audio doesn't use HTTPS yet and I'm not trying to wait. – ThinkDigital Jul 21 '18 at 00:00
7

This will not work in iOS 10.0+ or MacOS 10.12+ It actually says to allow all arbitrary loads EXCEPT those mentioned (example.com). Thus it would do the reverse of what is desired. NSAllowsArbirtraryLoads should be set to false here. more info: [Apple docs](https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html#//apple_ref/doc/uid/TP40009251-SW60) – Freek Sanders Mar 12 '19 at 14:45
1

Agree, why on earth is everybody upvoting this ? there is no point using NSAllowsArbitraryLoads if you set an exception domain. – thibaut noah Jul 19 '19 at 08:02
1

NSAllowsArbitraryLoads does not need to be true, so it must be removed. NSExceptionDomains is enough which enables nonsecure connection to that domain only. NSAllowsArbitraryLoads = true will enable nonsecure connection to any domain so if still setting it to true makes the NSExceptionDomains nonsense to have as it includes all domains already – mister_giga Jan 17 '20 at 19:52
Works on Swift 5 smoothly – Alan Silva Feb 11 '20 at 03:05

score 356 · Answer 5 · edited May 06 '22 at 09:54

356

This was tested and was working on iOS 9 GM seed - this is the configuration to allow a specific domain to use HTTP instead of HTTPS:

<key>NSAppTransportSecurity</key>
<dict>
      <key>NSAllowsArbitraryLoads</key> 
      <false/>
       <key>NSExceptionDomains</key>
       <dict>
            <key>example.com</key> <!--Include your domain at this line -->
            <dict>
                <key>NSIncludesSubdomains</key>
                <true/>
                <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
                <true/>
                <key>NSTemporaryExceptionMinimumTLSVersion</key>
                <string>TLSv1.1</string>
            </dict>
       </dict>
</dict>

NSAllowsArbitraryLoads must be false, because it disallows all insecure connection, but the exceptions list allows connection to some domains without HTTPS.

Here it is visually:

edited May 06 '22 at 09:54

Tamás Sengel

55,884
29
169
223

answered Sep 14 '15 at 08:36

Sound Blaster

4,778
1
24
32

7

THIS should be marked as the answer. Tested and working on iOS 9 GM seed to allow a specific domain to use http without taking the "lazy" way and completely opening your app up. – DiscDev Sep 16 '15 at 17:18
2

How do I add this to my info.plist? – JMStudios.jrichardson Sep 20 '15 at 01:33
1

If you open info.plist with sublime text app then you get the xml – JMStudios.jrichardson Sep 20 '15 at 03:17
8

Ok I added that entry to my info.plist and I'm still getting this error - " App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file." – KMC Oct 05 '15 at 16:57
Thank you this works! Looks like the NSAllowsArbitraryLoads = False is required for the NSExceptionDomains to work. – mikemike396 Oct 16 '15 at 13:22
does not work on 9.1 tvOS , tryng to open this link NSURL *videourl = [NSURL URLWithString:@"http://:@mysubdomain.myserver.com/cam1/video.cgi"]; – atrebbi Oct 25 '15 at 09:49
@user30646 Did you change the domain? yourdomain.com should be changed to "whatever your domain is" – funct7 Dec 02 '15 at 02:30
What if I don’t have a domain name and just use an IP address? – Roman Shapovalov Sep 22 '16 at 13:51
1

@RomanShapovalov Using IP addresses is strongly not recommended because all iOS apps must conform IPv6, see Apple Docs about this – Sound Blaster Sep 27 '16 at 09:39
2

@RomanShapovalov if you must use an IP address, try adding .xip.io to the end of the IP address and add xip.io to your NSExceptionDomains. See http://xip.io. I connect directly to IP when developing (but not release) and this works great for me. – tpankake Oct 13 '16 at 17:16
this should be the correct answer. The accepted answer sets NSAllowsArbitraryLoads to true, which allows urls through from any domain. It should be set to false – adamF Sep 09 '17 at 05:07
3

Wasn't working for me until I realised I had put it in the wrong info.plist in my test project. Make sure you put it in the right one! – Chucky Feb 17 '18 at 17:08
@ConsBulaquena, it will go inside your `Info.plist` file. – Hemang Apr 25 '18 at 06:22
Still helps, 2020/05/03, Xcode 11.3.1, logically this makes sense, practically it works (adding exception while setting `NSAllowsArbitraryLoads ` to `NO`) – infinity_coding7 May 03 '20 at 16:07

Julian · Answer 6 · 2018-09-05T11:09:29.427

This is a quick workaround (but not recommended) to add this in the plist:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

Which means (according to Apple's documentation):

NSAllowsArbitraryLoads
A Boolean value used to disable App Transport Security for any domains not listed in the NSExceptionDomains dictionary. Listed domains use the settings specified for that domain.

The default value of NO requires the default App Transport Security behaviour for all connections.

I really recommend links:

Apple's technical note
WWDC 2015 session 706 (Security and Your Apps) starts around 1:50
WWDC 2015 session 711 (Networking with NSURLSession)
Blog post Shipping an App With App Transport Security

which help me understand reasons and all the implications.

The XML (in file Info.plist) below will:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <false/>
    <key>NSExceptionDomains</key>
    <dict>
        <key>PAGE_FOR_WHICH_SETTINGS_YOU_WANT_TO_OVERRIDE</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
</dict>

disallow arbitrary calls for all pages, but for PAGE_FOR_WHICH_SETTINGS_YOU_WANT_TO_OVERRIDE will allow that connections use the HTTP protocol.

To the XML above you can add:

<key>NSIncludesSubdomains</key>
<true/>

if you want to allow insecure connections for the subdomains of the specified address.

The best approach is to block all arbitrary loads (set to false) and add exceptions to allow only addresses we know are fine.

For interested readers

2018 Update:

Apple is not recommending switching this off - more information can be found in 207 session WWDC 2018 with more things explained in regards to security

Leaving the original answer for historic reasons and development phase

@SoundBlaster for what case and what you see wrong in my answer to down vote? — Julian, Sep 21 '15 at 09:20
by adding in plist(NSAppTransportSecurity NSAllowsArbitraryLoads), all web service working fine except one web service one web service return internal server error (500) in iOS 9 but working fine in iOS8 or later — amit gupta, Sep 22 '15 at 10:19
@SoundBlaster made a change, now you shouldn't have objections :) — Julian, Oct 07 '15 at 07:36
Thanks, how do you actually add the `NSIncludesSubdomains ` ? Does every setting have to be surrounded by ``? how do you edit this damn plist file? What's the formatting? :D Thank you. — Agent Zebra, Aug 10 '16 at 19:11

score 120 · Answer 7 · edited Jun 06 '17 at 03:52

For those of you who want a more context on why this is happening, in addition to how to fix it, then read below.

With the introduction of iOS 9, to improve the security of connections between an app and web services, secure connections between an app and its web service must follow best practices. The best practices behavior is enforced by the App Transport Security to:

prevent accidental disclosure, and
provide a default behavior that is secure.

As explained in the App Transport Security Technote, when communicating with your web service, App Transport Security now has the following requirements and behavior:

The server must support at least Transport Layer Security (TLS) protocol version 1.2.

Connection ciphers are limited to those that provide forward secrecy (see the list of ciphers below.)

Certificates must be signed using a SHA256 or better signature hash algorithm, with either a 2048 bit or greater RSA key or a 256 bit or greater Elliptic-Curve (ECC) key.

Invalid certificates result in a hard failure and no connection.

In other words, your web service request should: a.) use HTTPS and b.) be encrypted using TLS v1.2 with forward secrecy.

However, as was mentioned in other posts, you can override this new behavior from App Transport Security by specifying the insecure domain in the Info.plist of your app.

To override, you will need to add the NSAppTransportSecurity > NSExceptionDomains dictionary properties to your Info.plist. Next, you will add your web service's domain to the NSExceptionDomains dictionary.

For example, if I want to bypass the App Transport Security behavior for a web service on the host www.yourwebservicehost.com then I would do the following:

Open your app in Xcode.
Find the Info.plist file in Project Navigator and "right-mouse" click on it and choose the Open As > Source Code menu option. The property list file will appear in the right pane.
Put the following properties block inside of the main properties dictionary (under the first <dict>).

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>www.example.com</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <key>NSExceptionMinimumTLSVersion</key>
            <string>TLSv1.1</string>
            <key>NSIncludesSubdomains</key>
            <true/>
        </dict>
    </dict>
</dict>

If you need to provide exceptions for additional domains then you would add another dictionary property beneath NSExceptionDomains.

To find out more about the keys referenced above, read this already mentioned technote.

This worked in 2 of my apps, but it's not working on a 3rd one. Has anyone else encountered a situation of using the above fix and still getting the same error message? (and yes I updated the dictionary to use my API domain, not the one in the code) — helloB, Sep 22 '15 at 21:41
This worked for a Cordova/Phonegap/Ionic app editing file `./platforms/ios//-Info.plist` with `NSAllowsArbitraryLoads=false` and many exception domains to services with varying TLS/HTTP/HTTPS combinations. Initially used `NSAllowsArbitraryLoads=true` then adjusted, troubleshooting the rules through trial and error to comply with guidelines and submit for approval. Note `config.xml` `` statements partially populate this file, but currently requires adjustment by direct editing or via XCode to get the details correct. — jimmont, Dec 10 '15 at 20:10
Also `` (in config.xml) sets `NSAllowsArbitraryLoads=true` (for Cordova/Phonegap/hybrid apps — jimmont, Dec 10 '15 at 20:19
Why is `NSExceptionAllowsInsecureHTTPLoads` set to `true`? You subvert the purpose of ATS. Also see [The most dangerous code in the world: validating SSL certificates in non-browser software](http://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html). Your software just made the list. — jww, Jun 06 '17 at 03:53

score 70 · Answer 8 · edited Jan 17 '16 at 19:37

70

I do not like editing the plist directly. You can easily add it to the plist using the GUI:

Click on the Info.plist in the Navigator on the left.
Now change the data in the main area:
- On the last line add the +
- Enter the name of the group: App Transport Security Settings
- Right click on the group and select Add Row
- Enter Allow Arbitrary Loads
- Set the value on the right to YES

edited Jan 17 '16 at 19:37

gondo

979
1
10
29

answered Nov 06 '15 at 08:06

Vincent

4,342
1
38
37

To clarify: if "Allow Arbitrary Loads" is YES, and there are "Exception Domains", then the loads that are allowed are restricted to the ones in the Exception Domains. Is that correct? – Nov 20 '15 at 00:40
is that a safe way to do it if I want to release the application? – Lamour Feb 19 '16 at 11:13
**No.** By allowing arbitrary loads, your app can connect to any domains freely. In security point of view, you should control & limit which domain / website should the app connect to, to avoid unexpected network usage. – Raptor Jan 05 '17 at 02:33
Most apps route only to known servers. This is controlled by the developer. So the security Issues are known. – Vincent Jan 05 '17 at 10:26
Why is `NSAllowsArbitraryLoads` set to `YES`? You subvert the purpose of ATS. Also see [The most dangerous code in the world: validating SSL certificates in non-browser software](http://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html). Your software just made the list. – jww Jun 06 '17 at 04:00
Sometimes you have to access a non-secure website. In those cases you can use the code above. In all other cases using SSL is advised. – Vincent Jun 06 '17 at 07:48
I have implemented this is multiple projects. All work. Can you give more info on your case? – Vincent Dec 10 '18 at 16:52

Jayprakash Dubey · Answer 9 · 2016-03-10T12:51:16.023

There are two solutions for this :

Solutions 1 :

In Info.plist file add a dictionary with key 'NSAppTransportSecurity'
Add another element inside dictionary with key 'Allow Arbitrary Loads'

Plist structure should appear as shown in below image.

Solution 2 :

In Info.plist file add a dictionary with key 'NSAppTransportSecurity'
Add another element inside dictionary with key 'NSExceptionDomains'
Add element with key 'MyDomainName.com' of type NSDictionary
Add element with key 'NSIncludesSubdomains' of type Boolean and value set as YES
Add element with key 'NSTemporaryExceptionAllowsInsecureHTTPLoads' of type Boolean and value set as YES

Plist structure should appear as shown in below image.

Solution 2 is preferred since it allows only selected domain whereas solution 1 allows all insecure HTTP connections.

Why is `NSAllowsArbitraryLoads` set to `YES`? You subvert the purpose of ATS. Also see [The most dangerous code in the world: validating SSL certificates in non-browser software](http://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html). Your software just made the list. — jww, Jun 06 '17 at 04:02

score 22 · Answer 10 · edited Jul 02 '16 at 19:09

22

Transport security is available on iOS 9.0 or later. You may have this warning when trying to call a WS inside your application:

Application Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file.

Adding the following to your Info.plist will disable ATS:

<key>NSAppTransportSecurity</key>
<dict>
     <key>NSAllowsArbitraryLoads</key><true/>
</dict>

edited Jul 02 '16 at 19:09

Peter Mortensen

30,738
21
105
131

answered Sep 18 '15 at 17:36

Malek Belkahla

510
5
17

1

NSAllowsArbitraryLoads must be false, if true it allows all insecure connection – Thiago Arreguy Sep 19 '15 at 12:03
by adding in plist all web service working fine except one web service one web service return internal server error (500) in iOS 9 but working fine in iOS8 or later – amit gupta Sep 22 '15 at 10:18
1

Accepted on the store? – Vrashabh Irde Sep 23 '15 at 09:15
Very bad advice; see [The most dangerous code in the world: validating SSL certificates in non-browser software](http://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html). Given the question if full of the recommended way to do things, "me too" answers like this are not needed. – jww Jun 06 '17 at 03:49

Mojtaba Hosseini · Answer 11 · 2021-06-11T07:44:40.970

⛔️ Don't use bad practices!

Many of the answers (including the accepted one) tell you to make your app's network communication entirely unsecured! by setting the Allow Arbitrary Loads to Yes (or true). That is the most dangerous setting for network requests! And it is ONLY for testing and temporary purposes.

You can see this Apple Engineer clearly saying this in here in WWDC18 even for Web Content and you are trying to allow them all!

✅ Set `Allow Arbitrary Loads` to `NO` !!!

You must always use HTTPS for your networking stuff. But if you really can't, just add an exception to the info.plist

For example, if you are using http://google.com and getting that error, You MUST change it to https://google.com (with s) since it supports perfectly.

But if you can't somehow, (and you cant convince backend developers to support SSL), add JUST this unsecured domain to the info.plist (instead of making it available for ALL UNSECURE NET!)

score 16 · Answer 12 · edited Jul 02 '16 at 19:23

16

Development Example

Here is a screenshot of a plist which keeps ATS intact (=secure), but allows that connections to localhost can be made via HTTP instead of HTTPS. It works in Xcode 7.1.1.

edited Jul 02 '16 at 19:23

Peter Mortensen

30,738
21
105
131

answered Nov 30 '15 at 08:49

Sebastian

8,952
3
32
30

Are there any ways to make localhost secure, i.e. using HTTPS, in react-native so that we do not have to use the default `NSExceptionAllowsInsecureHTTPLoads - YES` config? – milkersarac Jan 20 '17 at 07:44

score 16 · Answer 13 · edited Jun 06 '17 at 04:03

According to Apple, generally disabling ATS will lead to app rejection, unless you have a good reason to do so. Even then, you should add exceptions for domains that you can access safely.

Apple has an excellent tool that tells you exactly what settings to use: In Terminal, enter

/usr/bin/nscurl --ats-diagnostics --verbose https://www.example.com/whatever

and nscurl will check whether this request fails, and then try a variety of settings and tell you exactly which one passes, and what to do. For example, for some third-party URL that I visit, this command told me that this dictionary passes:

{
    NSExceptionDomains = {
        "www.example.com" = {
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}

To distinguish between your own sites and third-party sites that are out of your control, use, for example, the key NSThirdPartyExceptionRequiresForwardSecrecy.

its great tool to check before actually test with the application. save time. but any resource to read to understand the out put of this command. — damithH, Jan 10 '17 at 09:11
Interesting tool. In my case it overstates things though. It lists three keys including `NSExceptionAllowsInsecureHTTPLoads = true;`, but it turns out that one's not needed. — Chris Prince, Jun 26 '17 at 04:08

score 14 · Answer 14 · answered Jan 09 '17 at 06:28

14

Go to your Info.plist

Right Click on empty space and Click on Add Row
Write the Key Name as NSAppTransportSecurity, Under it
Select Exception Domains, Add a new item to this
Write down your domain name that needs to get accessed
Change the Domain type from String to Dictionary, add a new Item
NSTemporaryExceptionAllowsInsecureHTTPLoads, that will be a boolean with a true value.

answered Jan 09 '17 at 06:28

Gr8Warrior

699
7
11

1

Why is `NSAllowsArbitraryLoads` set to `true`? You subvert the purpose of ATS. Also see [The most dangerous code in the world: validating SSL certificates in non-browser software](http://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html). Your software just made the list. – jww Jun 06 '17 at 04:05

score 12 · Answer 15 · answered Oct 07 '15 at 08:29

12

Figuring out what settings to use can be performed automatically, as mentioned in this technote:

/usr/bin/nscurl --ats-diagnostics --verbose https://your-domain.com

answered Oct 07 '15 at 08:29

ecotax

1,933
17
22

You do need OS X 10.11 (El Capitan) for this, apparently. – ecotax Oct 07 '15 at 08:43

score 11 · Answer 16 · answered Sep 12 '16 at 18:17

NOTE: The exception domain in your plist should be in LOWER-CASE.

Example: you have named your machine "MyAwesomeMacbook" under Settings->Sharing; your server (for test purposes) is running on MyAwesomeMacbook.local:3000, and your app needs to send a request to http://MyAwesomeMacbook.local:3000/files..., your plist you will need to specify "myawesomemacbook.local" as the exception domain.

--

Your info.plist would contain...

<key>NSAppTransportSecurity</key>
<dict>
  <key>NSExceptionDomains</key>
  <dict>
    <key>myawesomemacbook.local</key>
    <dict>
      <!--Include to allow subdomains-->
      <key>NSIncludesSubdomains</key>
      <true/>
      <!--Include to allow HTTP requests-->
      <key>NSExceptionAllowsInsecureHTTPLoads</key>
      <true/>
    </dict>
  </dict>
</dict>

score 10 · Answer 17 · edited Jul 02 '16 at 19:30

On 2015-09-25 (after Xcode updates on 2015-09-18):

I used a non-lazy method, but it didn't work. The followings are my tries.

First,

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>www.xxx.yyy.zzz</key>
        <dict>
            <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <key>NSTemporaryExceptionMinimumTLSVersion</key>
            <string>TLSv1.1</string>
            <key>NSIncludesSubdomains</key>
            <true/>
        </dict>
    </dict>
</dict>

And second,

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>www.xxx.yyy.zzz</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <key>NSExceptionMinimumTLSVersion</key>
            <string>TLSv1.1</string>
            <key>NSIncludesSubdomains</key>
            <true/>
        </dict>
    </dict>
</dict>

Finally, I used the lazy method:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

It might be a little insecure, but I couldn't find other solutions.

Why is `NSAllowsArbitraryLoads` set to `true`? You subvert the purpose of ATS. Also see [The most dangerous code in the world: validating SSL certificates in non-browser software](http://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html). Your software just made the list. — jww, Jun 06 '17 at 03:58

score 9 · Answer 18 · edited Jul 02 '16 at 19:10

9

Use:

Add a new item, NSAppTransportSecurity, in the plist file with type Dictionary, then add sub item NSAllowsArbitraryLoads in dictionary of type Boolean, and set bool value YES. This works for me.

edited Jul 02 '16 at 19:10

Peter Mortensen

30,738
21
105
131

answered Sep 21 '15 at 09:11

Tejinder

1,507
19
22

1

NSAllowsArbitraryLoads must be false, if true it allows all insecure connection – Thiago Arreguy Sep 21 '15 at 16:12
by adding in plist all web service working fine except one web service one web service return ***internal server error (500)*** in iOS 9 but working fine in iOS8 or later @ThiagoArreguy – amit gupta Sep 22 '15 at 10:18
Very bad advice; see [The most dangerous code in the world: validating SSL certificates in non-browser software](http://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html). Given the question if full of the recommended way to do things, "me too" answers like this are not needed. – jww Jun 06 '17 at 03:51
I Know its a bad advice, but it's just a solution for the time being in development mode only. Apple has provided us flexibility, if its that much bad, they wouldn't allow this. – Tejinder Jun 06 '17 at 04:03

score 9 · Answer 19 · answered Jan 16 '19 at 10:56

9

In swift 4 and xocde 10 is change the NSAllowsArbitraryLoads to Allow Arbitrary Loads. so it is going to be look like this :

<key>App Transport Security Settings</key>
<dict>
     <key>Allow Arbitrary Loads</key><true/>
</dict>

answered Jan 16 '19 at 10:56

Faris

1,206
1
12
18

score 6 · Answer 20 · edited Jul 02 '16 at 19:27

6

It may be worth mentioning how to get there...

Info.plist is one of the files below the Main.storyboard or viewController.swift.

When you click on it the first time, it usually is in a table format, so right click the file and 'open as' Source code and then add the code below towards the end, i.e.:

 <key>NSAppTransportSecurity</key><dict><key>NSAllowsArbitraryLoads</key><true/></dict>

Copy paste the code just above

 "</dict>
</plist>"

which is at the end.

edited Jul 02 '16 at 19:27

Peter Mortensen

30,738
21
105
131

answered Oct 25 '15 at 17:18

Naishta

11,885
4
72
54

Why is `NSAllowsArbitraryLoads` set to `true`? You subvert the purpose of ATS. Also see [The most dangerous code in the world: validating SSL certificates in non-browser software](http://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html). Your software just made the list. – jww Jun 06 '17 at 04:00

score 6 · Answer 21 · answered Jan 24 '20 at 06:35

6

How to fix it?

Below steps to fix it.

answered Jan 24 '20 at 06:35

Kamani Jasmin

691
8
11

score 5 · Answer 22 · edited Jul 02 '16 at 19:25

5

Update for Xcode 7.1, facing problem 27.10.15:

The new value in the Info.plist is "App Transport Security Settings". From there, this dictionary should contain:

Allow Arbitrary Loads = YES
Exception Domains (insert here your http domain)

edited Jul 02 '16 at 19:25

Peter Mortensen

30,738
21
105
131

answered Oct 27 '15 at 19:21

MkaysWork

625
1
7
11

score 4 · Answer 23 · edited Jul 20 '18 at 14:40

4

For those who came here trying to find the reason why their WKWebView is always white and loads nothing (exactly as described here how do I get WKWebView to work in swift and for an macOS App) :

If all the rocket science above does not work for you check the obvious: the sandbox settings

Being new to swift and cocoa, but pretty experienced in programming I've spend about 20 hours to find this solution. None of dozens hipster-iOS-tutorials nor apple keynotes – nothing mentions this small checkbox.

edited Jul 20 '18 at 14:40

shim

9,289
12
69
108

answered Oct 09 '17 at 10:44

Alekseev Vladimir

89
2

Oh my god, thank you so much! You saved me the same 20 hour search! – Brecht Machiels Apr 30 '18 at 11:05
2

not seeing that section in the Capabilities section of the target (Xcode 9.4.1) – shim Jul 20 '18 at 14:42

score 3 · Answer 24 · answered May 24 '19 at 12:02

By default, iOS only allows HTTPS API. Since HTTP is not secure, you will have to disable App transport security. There are two ways to disable ATS:-

1. Adding source code in project info.plist and add the following code in root tag.

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

2. Using project info.

Click on project on the project on the left pane, select the project as target and choose info tab. You have to add the dictionary in the following structure.

score 3 · Answer 25 · answered Jan 11 '21 at 12:32

3

** Finally!!! Resolved App transport Security **

  1. Follow the follow the screen shot. Do it in Targets info Section.

answered Jan 11 '21 at 12:32

Sanjay Mali

506
6
13

score 3 · Answer 26 · answered Dec 31 '21 at 11:03

In Swift 5 we have two way to overcome this problem. we need to add the NSAppTransportSecurity in info.plist

I give the info.plist sourcecode and image for reference

First one is Add the NSAppTransportSecurity -> NSAllowsArbitraryLoads in info.plist.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSAllowsArbitraryLoads</key>
        <false/>
    </dict>
</dict>
</plist>

Another one method is Add the NSAppTransportSecurity -> NSExceptionDomains in info.plist and add the domain of the URL and enable the permissions to load there sub-domains(NSIncludesSubdomains) and Allow the insecure HTTP loads(NSExceptionAllowsInsecureHTTPLoads)

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>NSAppTransportSecurity</key>
    <dict>
      <key>NSExceptionDomains</key>
      <dict>
        <key>www.7timer.info</key>
        <dict>
          <key>NSIncludesSubdomains</key>
          <true/>
          <key>NSExceptionAllowsInsecureHTTPLoads</key>
          <true/>
        </dict>
      </dict>
    </dict>
  </dict>
</plist>

score 1 · Answer 27 · answered Aug 14 '17 at 06:12

Using NSExceptionDomains may not apply an effect simultaneously due to target site may load resources (e.g. js files) from external domains over http. It can be resolved by adding these external domains to NSExceptionDomains as well.

To inspect which resources cannot be loaded try to use Remote debugging. Here is a tutorial: http://geeklearning.io/apache-cordova-and-remote-debugging-on-ios/

score 0 · Answer 28 · answered Mar 21 '16 at 12:41

0

For Cordova, if you want to add it into your ios.json, do the following:

"NSAppTransportSecurity": [
   {
      "xml": "<dict><key>NSAllowsArbitraryLoads</key><true /></dict>"
   }
]

And it should be inside of:

"*-Info.plist": {
   "parents": {
   }
}

answered Mar 21 '16 at 12:41

zeusstl

1,673
18
19

Just in config.xml didn't work. Not sure if both are necessary, but the ios.json solution sealed the deal for me. – zeusstl Mar 21 '16 at 12:45
Why is `NSAllowsArbitraryLoads` set to `true`? You subvert the purpose of ATS. Also see [The most dangerous code in the world: validating SSL certificates in non-browser software](http://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html). Your software just made the list. – jww Jun 06 '17 at 04:02

score -1 · Answer 29 · edited Jul 02 '16 at 19:28

Like many have noted, this is a feature issue that comes with iOS 9.0. They have added a thing called App Transport Security, and I too was annoyed when it broke my Apps.

You can bandage it with the NSAllowsArbitraryLoads key to YES under NSAppTransportSecurity dictionary in your .plist file, but ultimately you will need to re-write the code that forms your URLs to form the HTTPS:// prefix.

Apple has re-written the NSUrlConnection class in iOS 9.0. You can read about it in NSURLConnection.

Else, you may have to back out of iOS 9.0 until you have time to implement the correct solution.

Transport security has blocked a cleartext HTTP

29 Answers29

⛔️ Don't use bad practices!

✅ Set `Allow Arbitrary Loads` to `NO` !!!

Development Example

Linked

Related

Transport security has blocked a cleartext HTTP

29 Answers29

⛔️ Don't use bad practices!

✅ Set Allow Arbitrary Loads to NO !!!

Development Example

Linked

Related

✅ Set `Allow Arbitrary Loads` to `NO` !!!