As of iOS 9, all connections must be secure and follow a certain criteria. However, older apps that use http connections continue to work without an update. Why is this?
According the Documentation ATS is only enabled when you link against iOS 9.0 / macOS 10.11 or later. If you link against an older SDK version your app just continues to work without the ATS requirements.
If you link your app against an SDK for an operating system older than iOS 9.0 or OS X v10.11, your Internet connections continue to work but ATS is disabled, no matter which version of the operating system your app is running on. ATS is not available on operating systems older than iOS 9.0 or OS X v10.11; those older operating systems ignore the NSAppTransportSecurity key.