
Apple App Transport Security (ATS) for Enterprise Application


I am developing an enterprise application. So far everything was working fine in the simulator, but when I deploy it on physical devices it crashes. The crash is happening because the app is connecting to web services via "HTTP" instead of "HTTPS".

I have added the ATS exceptions in the Info.plist file. I need to know: will the enterprise application continue to work after 2016 (Apple's deadline) with HTTP?

The application will be hosted on our own servers, and Apple doesn't review enterprise applications.

Update 1: I just need to know whether the enterprise application will continue to work after 2016 with these ATS exceptions or not.

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>CFBundleDisplayName</key>
        <string>xxxxxxxx</string>
        <key>CFBundleIdentifier</key>
        <string>com.xxxxxxx.xxx</string>
        <key>CFBundleShortVersionString</key>
        <string>1.0</string>
        <key>CFBundleVersion</key>
        <string>1.009</string>
        <key>LSRequiresIPhoneOS</key>
        <true/>
        <key>MinimumOSVersion</key>
        <string>9.0</string>
        <key>UIDeviceFamily</key>
        <array>
            <integer>2</integer>
        </array>
        <key>UILaunchStoryboardName</key>
        <string>LaunchScreen</string>
        <key>UIMainStoryboardFile</key>
        <string>Main</string>
        <key>UIRequiredDeviceCapabilities</key>
        <array>
            <string>armv7</string>
        </array>
        <key>UISupportedInterfaceOrientations~ipad</key>
        <array>
            <string>UIInterfaceOrientationLandscapeLeft</string>
            <string>UIInterfaceOrientationLandscapeRight</string>
        </array>
        <key>UIMainStoryboardFile~ipad</key>
        <string>Main</string>
        <key>UIAppFonts</key>
        <array>
            <string>Fonts/Montserrat-Black.otf</string>
            <string>Fonts/Montserrat-Bold.otf</string>
            <string>Fonts/Montserrat-ExtraBold.otf</string>
            <string>Fonts/Montserrat-Regular.otf</string>
        </array>

        <key>NSAppTransportSecurity</key>
        <dict>
            <key>NSExceptionDomains</key>
            <dict>
                <!-- Exception keys are bare lowercase host names: no scheme, port or path -->
                <key>xxxxxxx.xxxxx.xxx</key>
                <dict>
                    <key>NSExceptionMinimumTLSVersion</key>
                    <string>TLSv1.0</string>
                    <key>NSExceptionRequiresForwardSecrecy</key>
                    <false/>
                    <key>NSExceptionAllowsInsecureHTTPLoads</key>
                    <true/>
                    <key>NSIncludesSubdomains</key>
                    <true/>
                </dict>
            </dict>
        </dict>

    </dict>
    </plist>

Solution

  • Any Apple App Store submissions starting in 2017 can still request an App Transport Security (ATS) exception that will be reviewed by Apple. You will need to highly restrict your exception list and not allow blanket arbitrary HTTP loads. The reviewers can still reject your submission and request additional information.

    i.e. apps requesting US Government NOAA images over a non-secure channel might be allowed since NOAA currently does not support HTTPS/SSL for those weather radar images... Again, up to the Apple reviewers...

    WKWebView, UIWebView, WebView:

    NSAllowsArbitraryLoadsInWebContent lets you have a strict ATS dictionary but still load arbitrary content in a web view (WKWebView, UIWebView, WebView).

    Non-secure local networking:

    NSAllowsLocalNetworking allows loading of local resources without disabling ATS for the rest of your app.

    Media content that is already encrypted:

    NSAllowsArbitraryLoadsInMedia disables all ATS restrictions for media that your app loads using the AV Foundation framework. Employ this key only for loading media that are already encrypted, such as files protected by FairPlay or by secure HLS, and that do not contain personalized information.

    Enterprise Applications:

    These do not get reviewed by Apple, thus disabling ATS is allowed until a possible future version of iOS that would disallow non-secure traffic, but that is far from a best practice.

    • Enterprise data accessed non-securely?

    If your Enterprise app requires non-secure local network-based resources, use the new NSAllowsLocalNetworking exception instead.

    If your Enterprise app requires non-secure Enterprise resources obtained over the public internet, you might have security issues that are beyond the scope of just iOS App Transport Security issues.