Xcode 7.1 beta 2- Disable ATS

2
votes

Heyy, I have spent the last day or so racking my brain trying and failing to disable the ATS, I know it is deemed bad too, but I am currently only working on the app internally. I have tried many suggestions online to no avail, latest try below of info.plist. I am lost as to what to do? 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleDevelopmentRegion</key>
    <string>en</string>
    <key>CFBundleExecutable</key>
    <string>$(EXECUTABLE_NAME)</string>
    <key>CFBundleIdentifier</key>
    <string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
    <key>CFBundleInfoDictionaryVersion</key>
    <string>6.0</string>
    <key>CFBundleName</key>
    <string>$(PRODUCT_NAME)</string>
    <key>CFBundlePackageType</key>
    <string>BNDL</string>
    <key>CFBundleShortVersionString</key>
    <string>1.0</string>
    <key>CFBundleSignature</key>
    <string>????</string>
    <key>CFBundleVersion</key>
    <string>1</string>

    <key>NSAppTransportSecurity</key>
<dict>
  <key>NSExceptionDomains</key>
  <dict>
    <key>localhost</key>
    <dict>
      <!--Include to allow subdomains-->
      <key>NSIncludesSubdomains</key>
      <true/>
      <!--Include to allow HTTP requests-->
      <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
      <true/>
      <!--Include to specify minimum TLS version-->
      <key>NSTemporaryExceptionMinimumTLSVersion</key>
      <string>TLSv1.1</string>
    </dict>
  </dict>
</dict>
</dict>
</plist>

Debug console eror print

error=Optional(Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSUnderlyingError=0x7f9670e85620 {Error Domain=kCFErrorDomainCFNetwork Code=-1022 "(null)"}, NSErrorFailingURLStringKey=http://localhost/sfc/manualorder.php, NSErrorFailingURLKey=http://localhost/sfc/manualorder.php, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.})

1
iosxcodeios9xcode7
I wouldn't bother with the exception domain, I would just turn ATS off altogether. It is a good idea, in theory, but in practice there is still a lot of http services out there. I think Apple have gone a bit too far with ATS. Blocking insecure ciphers and bad TLS versions is good but simply disallowing HTTP means that I have had to turn ATS off in several of my apps because I don't know the servers that my users are going to connect toPaulw11
Hello Paul I would be in total agreement with you, thus have tried to turn it off and have tried many solutions none of which are seem to be working on xcode 7.1 beta 2. The way Nicolas S has suggested should be working but it does not seem to be at all.Vaishal Patel
It shouldn't matter what version of Xcode you are using. It will depend on the iOS version. Are you using 9.1 beta? Make sure you are editing the correct plistPaulw11
@Paulw11 I would like to hope not. iOS 9.0 IS the version on the simulators and 9.0.2 on iphone. I only have a the one info.plist as I am awareVaishal Patel
i just downloaded Xcode 7.1 beta 2 and loaded an existing app with ATS disabled and it worked fine. I am using the NSAllowsArbitraryLoads keyPaulw11

1 Answers

5
votes

If you want to disable ATS, you can just add this to the Info.plist

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

And when you're finished working on your app, you can re enable it and go granular with whitelisting your domains.

Like this, the first includes all subdomains and the second does not:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>maindomain.com</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
        <key>other.domain.net</key>
        <dict>
            <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
</dict>

One added step that you may require if you're testing on simulator, is to both clean the project and reset the content and settings of the simulator, then build and run again.