Disabling ATS for an in-app browser in iOS 9?

Question

iOS 9 introduces App Transport Security (ATS) to encourage the use of secure connections.

This is great, but what if my app has a built in web browser that the user should be able to use to connect to any website? For example, the Facebook app allows stories to contain links to external websites. When the user taps such a link, rather than launching Safari, it launches an in-app browser.

How can I get this same behavior without enabling the global NSAllowArbitraryLoads flag?

I want all the benefits of enforcing https usage, but want to disable this check in my internal browser. In an ideal world, Apple would allow me to specify a property on my UIWebView to allow it to load insecure URLs, rather than it being all or nothing. There is no way I can whitelist every single domain, since I have no idea which URLs my users will load. I'm looking for a solution that is compatible with iOS 8.

Answer 1

In this case you will need to disable ATS generally, by setting NSAllowsArbitraryLoads to true. If you have specific URLs that you know can support HTTPS (such as your own servers or API servers that you use in the app outside of the UIWebView) then you can create an exception and set NSExceptionsAllowsInsecureHTTPLoads to false for those exceptions

Answer 2

Rather than enabling NSAllowsArbitraryLoads, a more secure solution is to conditionally use SFSafariViewController, which allows arbitrary loads.

If the class exists, then present it, otherwise, present your own UIViewController (which contains a UIWebView).

UIViewController *webBrowser;
if ([SFSafariViewController class] != nil) {
    webBrowser = [[SFSafariViewController alloc] initWithURL:url];
} else {
    webBrowser = [[ABCWebBrowserController alloc] initWithURL:url];
}

[self presentViewController:webBrowser animated:YES completion:nil];