19

The new ATS involved by iOS 9 cause lots of http related functionalities stop working. I have to add all the http request url into a whitelist or I could simply disable the ATS by setting NSAllowsArbitraryLoads to YES.

Does anybody know if App Store will reject the submission if the NSAllowsArbitraryLoads has been set to YES?

jayatubi
  • 1,972
  • 1
  • 21
  • 51
  • There's no obvious reason for rejection as NSAllowsArbitraryLoads is a part of public api and is documented. If you can list all hosts your app is using it is probably better to add them to plist file instead of using wildcard exception. Note also that in that case that list of hosts will be easily accessible by anyone who can read plain text :) – Vladimir Jul 21 '15 at 09:01
  • My guess is that in future it will cause a scary message to users upon app install. – funkybro Sep 11 '15 at 14:13
  • Anyone knows if this is also true for macOS applications ? – Rodrigo Gonzalez Aug 18 '17 at 18:29

6 Answers6

18

Thanks for everyone's answer.

The good news is Apple Accepted my app with NSAllowsArbitraryLoads set to YES.

UPDATE (Thanks @Vijayts): Apple will reject Apps not conforming to ATS after the end of Dec 2016.

Source

However, If you need to load a http:// resource only in web (UIWebView/WKWebView/SafariViewController) then the following should suffice.

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoadsInWebContent</key>
    <true/>
</dict>
Community
  • 1
  • 1
jayatubi
  • 1,972
  • 1
  • 21
  • 51
15

UPDATE: Apple will reject Apps not conforming to ATS after the end of Dec 2016.

Source

However, If you need to load a http:// resource only in web (UIWebView/WKWebView/SafariViewController) then the following should suffice.

NOTE: This key is available only from iOS 10.

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoadsInWebContent</key>
    <true/>
</dict>
Vijay Tholpadi
  • 2,135
  • 1
  • 15
  • 20
  • That's a big impact. Does this only affect the iOS network APIs. How about the 3rd party libs such as curl? – jayatubi Jun 15 '16 at 05:57
  • I think there are exceptions for already encrypted bulk data, like media streaming. Not sure about curl though. – Vijay Tholpadi Jun 15 '16 at 06:05
  • @Vijayts please also mention, that this key is only supported in iOS 10.0+ – Julian F. Weinert Jun 29 '16 at 01:43
  • 3
    So what do we do in iOS 8 and iOS 9 ? – Henning Jun 30 '16 at 13:54
  • @Henning Check out [this](https://developer.apple.com/library/prerelease/content/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html) link and scroll down to the `NSAllowsArbitraryLoadsInWebContent` section. Basically you can disable ATS completely but enable `NSAllowsArbitraryLoadsInWebContent`. I think that means that for iOS 9, ATS is disabled but for iOS 10+ ATS is only disabled for WebViews, since `NSAllowsArbitraryLoadsInWebContent` ignores what ever you put in `NSAllowsArbitraryLoads`. But I have yet to test this. Just going off what the link says. – hvaughan3 Jul 27 '16 at 17:37
  • Guys, I have to set NSAllowsArbitraryLoads to YES in my app which is planing for submit to appstore next week. Is there any latest news on this? Does apple will reject my app? Anyone who recently got pass the review with NSAllowsArbitraryLoads set to YES please let me know. – smartsanja Jun 21 '17 at 06:39
7

It seems Apple has changed its plans:

Supporting App Transport Security

To give you additional time to prepare, this deadline has been extended and we will provide another update when a new deadline is confirmed. https://developer.apple.com/news/?id=12212016b

Community
  • 1
  • 1
SoftDesigner
  • 5,640
  • 3
  • 58
  • 47
5

Latest we heard from Apple about NSAllowsArbitraryLoads was in Dec 2016. https://developer.apple.com/news/?id=12212016b

Apple is still accepting new apps and updates. My new app got approved in April 2017 with NSAllowsArbitraryLoads set to YES. I recently submitted updates too, no issues no rejection.

Bilal
  • 18,478
  • 8
  • 57
  • 72
2

All connections using the NSURLConnection, CFURL, or NSURLSession APIs use App Transport Security default behavior in apps built for iOS 9.0 or later, and OS X 10.11 or later. Connections that do not follow the requirements will fail.

However, You can specify exceptions to the default behavior in the Info.plist file in your app or extension. Use the keys in the property list for specific exceptions or to turn off App Transport Security. Table 1-1 shows the keys and their types, and uses indentation to indicate structure.

Here is the source link: https://developer.apple.com/library/prerelease/ios/technotes/App-Transport-Security-Technote/index.html

Rajender Kumar
  • 1,377
  • 19
  • 32
0

I have an app that allows users to specify a URL to be displayed in a web view during execution. This URL may be an HTTP URL. For this reason I include NSAllowsArbitraryLoads set to yes.

I have submitted an update to this app after December 2016 and had no problems.

My plist also specifies NSAllowsArbitraryLoadsInWebContent and I specify exceptions that activate TLS for known web services that my app uses where TLS is supported.

I simply included a review note that explained that NSAllowsArbitraryLoadsInWebContent is not sufficient since my app is supported on iOS 9.

I have never even had a question from app review on this.

Paulw11
  • 108,386
  • 14
  • 159
  • 186