16

I suddenly get a message on iOS 9 :

The resource could not be loaded because the App Transport Security policy requires the use of a secure connection

Searched a bit and found that setting NSAllowsArbitraryLoads to YES fixes this which actually works.
However I also found that Apple may reject the App for this. Though stated in App Transport Security Technote

NSAllowsArbitraryLoads

A Boolean value used to disable App Transport Security for any domains not listed in the NSExceptionDomains dictionary. Listed domains use the settings specified for that domain.

But since this is the only solution working right now and also Apple may or may not reject the App, just wanted to confirm before publishing.

Update: Apple passed the review and my app is live now with this setting :)

Community
  • 1
  • 1
Nitish
  • 13,845
  • 28
  • 135
  • 263

2 Answers2

22

Update:

Apple announced that iOS apps have until January 1, 2017, to enable App Transport Security.

So,if you plan submit app to app store after 2017,please turn on ATS.

Also,see this link

====== Old answer=====

My experience:

I submit my app at 9/17/2015, and have passed the app store review process and successfully released the app.

Here is the info.plist screenshot of my app. enter image description here

So,I do not think apple will reject the app for this reason for now

Update:

My new app passed apple review process at 10/30/2015 with this key set to YES.

Leo
  • 24,596
  • 11
  • 71
  • 92
  • 1
    It seems quite bizarre that Apple introduced this security feature, but make it trivial to get around it ?? – Fattie Sep 25 '15 at 15:12
  • Here's exactly how to address the issue for anyone googling here http://stackoverflow.com/a/32038743/294884 – Fattie Sep 25 '15 at 15:56
  • Maybe not now, but in the upcoming iterations of iOS, apple may start rejecting such apps. – Nishant Oct 07 '15 at 06:16
  • My App with this setting got live :) – Nitish Oct 13 '15 at 09:13
  • Glad to hear that. My new app also passed the review process today – Leo Oct 13 '15 at 09:16
  • 1
    From what i understand, this is about allowing an app to opt-in on important domains/subdomains, so if a weaker security layer is noticed, iOS can block the connection. This would allow an app developer to say "really don't allow MITM attacks on foo.com" – Steve Riggins Nov 17 '15 at 18:49
1

Wasted a considerable amount of time (⏱ == ) because of this. Testing new NSURL... code failed with some users, worked with others. Had no idea why. Then stumbled on the log output which I normally don't watch (who really sees logs on an iPhone, seriously...) and there was this warning.

That was a rather nasty trick Apple... wasted time in debugging, wasted time in frustrating users, losing credibility in having software that "works". Broken spokes due to Apple's stick shoved in there. Going to have to toss Apple under the bus with my testers on this one.

Ref: NSAppTransportSecurity : NSAllowsArbitraryLoads NSAppTransportSecurity : NSExceptionDomains

enter image description here

Cerniuk
  • 14,220
  • 2
  • 29
  • 27
  • Oh yes, the whole error text is: App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file. – Cerniuk Nov 14 '15 at 17:44