2
votes

After reading the Apple Docs and numerous Apple Developer forum posts I am still unclear on if you need any ATS exemptions for making a secure (TLS/HTTPS) call to a local network machine (unqualified domain ex: https://MyServer:9000). Part of this doc states the following:

Availability of ATS for Remote and Local Connections

App Transport Security (ATS) applies only to connections made to public host names. The system does not provide ATS protection to connections made to:

  • Internet protocol (IP) addresses
  • Unqualified host names
  • Local hosts employing the .local top-level domain (TLD)

To connect to an unqualified host name or to a .local domain, you must set the value of the NSAllowsLocalNetworking key to YES.

Note: Although ATS is unenforced for connection to local hosts, Apple strongly recommends using Transport Layer Security (TLS) for any local connection, along with the use of a self-signed certificate to validate the local IP address.

So do I need to add NSAllowsLocalNetworking even to make an already ATS-compliant (forward secrecy, TLS 1.2 etc) secure connection to an unqualified host name (private local server)? Or is NSAllowsLocalNetworking only required for unsecure local calls?


1 Answer

1
votes

The NSAllowsLocalNetworking key is used to request an ATS exception for local network calls. If your local servers are ATS compliant, you should not need to add the exception. It's simple enough to verify. Simply run your app on an iOS 10 device without that exception in your Info.plist. If the connection is successful on the device, you know that there are no ATS violations causing issues. If it doesn't work, you are likely in violation of one of the ATS requirements (although it seems like you've verified some of the high-level requirements for ATS compliance).

If you do have a failure, you can test the URL for ATS compliance with the following: use the nscurl --ats-diagnostics <url> command on your Mac. You can find out more about ATS in general, as well as how to use / interpret the results of the nscurl command above, in this post.

As a note, the NSAllowsLocalNetworking exception was added in iOS 10, so including it in a build and running on an iOS 9 device will result in no change. If you end up needing it, and you need to support iOS 9, you'll want to add both NSAllowsLocalNetworking and NSAllowsArbitraryLoads in your Info.plist. On iOS 10, it will only disable ATS for local connections, but on iOS 9 devices (which don't support the NSAllowsLocalNetworking entry), ATS will be disabled across the board.
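As an added example (not part of the answer above, and not Apple's code), a small Python check that reads an Info.plist and reports what the two keys the answer discusses actually mean on iOS 9 versus iOS 10, so the "disabled across the board" case is visible before shipping. The plist contents and the bundle identifier are constructed for the demonstration.

```python
import plistlib

# Constructed sample Info.plist (not from the question): the combination the
# answer describes for an app that needs the local exception on iOS 10 and
# must still run on iOS 9.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.localclient</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsLocalNetworking</key>
    <true/>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
  </dict>
</dict>
</plist>
"""


def build_info_plist(local: bool = False, arbitrary: bool = False) -> bytes:
    """Build a minimal Info.plist with the chosen ATS exception keys (helper for trying variants)."""
    ats = {}
    if local:
        ats["NSAllowsLocalNetworking"] = True
    if arbitrary:
        ats["NSAllowsArbitraryLoads"] = True
    return plistlib.dumps({"CFBundleIdentifier": "com.example.localclient",
                           "NSAppTransportSecurity": ats})


def ats_posture(plist_bytes: bytes) -> dict:
    """Work out what ATS actually enforces on iOS 9 and on iOS 10 for this Info.plist."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    arbitrary = bool(ats.get("NSAllowsArbitraryLoads", False))
    local = bool(ats.get("NSAllowsLocalNetworking", False))
    # iOS 9 does not know NSAllowsLocalNetworking, so only NSAllowsArbitraryLoads counts there.
    ios9 = "disabled for all hosts" if arbitrary else "enforced"
    # iOS 10 honours NSAllowsLocalNetworking and, when it is set, ignores
    # NSAllowsArbitraryLoads, so public hosts keep ATS protection.
    if local:
        ios10 = "enforced for public hosts, exempt for local hosts"
    elif arbitrary:
        ios10 = "disabled for all hosts"
    else:
        ios10 = "enforced"
    return {"ios9": ios9, "ios10": ios10}


if __name__ == "__main__":
    for label, blob in [("sample", SAMPLE_INFO_PLIST), ("local-only", build_info_plist(local=True))]:
        print(label, ats_posture(blob))
```

Running it on a real app's Info.plist (read the file in binary mode and pass the bytes) shows at a glance whether the iOS 9 fallback has silently turned ATS off everywhere.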