I am currently developing an application that requires connecting to user provided and possibly also user hosted services. These services don't all support HTTPS. In the past NSAllowsArbitraryLoads would have enabled the user to connect to those services despite App Transport Security. As I understand, NSAllowsArbitraryLoads will be deprecated soon without any direct replacement.
I have two questions about App Transport Security:
NSAllowsArbitraryLoads be deprecated?Along that line, my app should also support untrusted TLS certificates. At the moment, I plan on implementing that in urlSession(_ session: URLSession, task: URLSessionTask, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) of URLSessionTaskDelegate.
Is that a valid and allowed way of handling this situation?
Cheers!
NSAllowsArbitraryLoads will not be deprecated. You can still use it. But from January 2017 on, there will be a new restriction: Apps that have ATS exceptions defined in their info.plist won't be approved anymore, when you don't have a good reason. (this is for new builds only. Any build that is live on the AppStore at the moment won't be affected.)
See Session 706 of the WWDC 2016 for more information. This thread in the Developer Forums may contain some useful information for you, too.
Using URLSession will still work. You don't have to change any of your code. But without the ATS exception, you need trusted TLS certificates.