Does iOS "app transport security enforcement“ mean I need to switch APIs to https?

Question

I am now watching wwdc and saw this. Does it mean all api that I am using should already become htpps?

Also, in my info.plst, I put "Allow Arbitrary Loads" as YES. Do I need to remove and support https?

Answer 1

The short answer is: Yes. All your APIs should use https from the moment on Apple enforces this. (They announced this moment to be the January of 2017) Apple will enforce this in the future but they postponed the enforcement to a date yet to be announced.

Your exisiting apps in the store will still work but you can not submit new apps that do not comply to ATS.

Allow Arbitrary Loads will definitely lead to a rejection then but you shouldn´t already use this today for your production app and rather use exceptions per domain.

Apple also announced that there will still be exceptions for servers that are not under your control. You can mark them as Third party exceptions with the help of the following entries in your plist file:

NSThirdPartyExceptionAllowsInsecureHTTPLoads
NSThirdPartyExceptionRequiresForwardSecrecy
NSThirdPartyExceptionMinimumTLSVersion

But there is no insurance that Apple will accept these servers as third party exceptions and therefore accept your app.

Here is some more information about the topic.

Hope this helps!