This article is aimed at a different purpose: to look at the different speed bumps that can show up while building an app alongside ATS, and to explain how to get around them. There are lots of great little tricks that have only cropped up in OS X release notes or on Stack Overflow, or that can only be discovered by building a sample app.
[…]
With this more extensive ATS dictionary in our app’s Info.plist, we turn the “allows insecure HTTP loads” flag back off for the example.com domain and all its subdomains. When our app makes any connection to a host in that domain, then, we’ll be receiving the full protection of ATS.

This exception mechanism can handle even more complex scenarios. For example, consider what might happen if most servers in example.com were correctly secured with HTTPS, but one server – say, insecure.example.com – wasn’t yet fully ATS-compatible. We can handle this by defining another more specific exception for just that host […]

[…]
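The precedence the excerpt describes (a global NSAllowsArbitraryLoads default, an NSExceptionDomains entry for example.com that covers its subdomains and turns insecure loads back off, and a more specific entry for a single host that turns them on again) is easy to get wrong when an Info.plist accumulates exceptions over time. The following script is an added example, not code from the article or from Apple: it parses a constructed Info.plist with the standard plistlib module and reports, for each host you care about, whether that dictionary permits plain HTTP to it. It models only the insecure-HTTP flag (not the TLS-version or forward-secrecy keys), treats the longest matching domain as the most specific entry, and assumes the documented default of NSExceptionAllowsInsecureHTTPLoads being false when omitted; the sample plist and host names are made up for the demonstration.

```python
import plistlib

# Constructed sample Info.plist (not from the article). The global
# "allow everything" switch is on, example.com and its subdomains are
# opted back in to ATS, and one host is carved out again as insecure.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>example.com</key>
      <dict>
        <key>NSIncludesSubdomains</key>
        <true/>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <false/>
      </dict>
      <key>insecure.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""


def load_ats(plist_bytes):
    """Parse an Info.plist and return its NSAppTransportSecurity dictionary
    (an empty dict if the app declares no ATS settings at all)."""
    info = plistlib.loads(plist_bytes)
    return info.get("NSAppTransportSecurity", {})


def matching_exception(ats, host):
    """Return (domain, entry) for the most specific NSExceptionDomains entry
    that covers host, or None. An entry matches its own domain exactly and
    matches subdomains only when NSIncludesSubdomains is true. "Most
    specific" is modelled here as the longest matching domain name."""
    host = host.lower().rstrip(".")
    best = None
    for domain, entry in ats.get("NSExceptionDomains", {}).items():
        domain = domain.lower()
        exact = host == domain
        sub = entry.get("NSIncludesSubdomains", False) and host.endswith("." + domain)
        if (exact or sub) and (best is None or len(domain) > len(best[0])):
            best = (domain, entry)
    return best


def insecure_http_allowed(ats, host):
    """True if this ATS dictionary lets the app load plain HTTP from host.
    A matching exception entry overrides the global flag; inside an entry the
    insecure-loads flag defaults to false (assumed documented default)."""
    match = matching_exception(ats, host)
    if match is None:
        return bool(ats.get("NSAllowsArbitraryLoads", False))
    return bool(match[1].get("NSExceptionAllowsInsecureHTTPLoads", False))


def audit(ats, hosts):
    """Map each host to whether insecure HTTP is permitted, for a quick review."""
    return {h: insecure_http_allowed(ats, h) for h in hosts}


if __name__ == "__main__":
    settings = load_ats(SAMPLE_INFO_PLIST)
    for host, allowed in audit(settings, [
        "example.com", "api.example.com", "insecure.example.com", "adserver.net",
    ]).items():
        print(f"{host:24s} insecure HTTP allowed: {allowed}")
```

Running the audit on the constructed plist shows the effect the excerpt warns about: because NSAllowsArbitraryLoads is on, a host with no exception entry at all (adserver.net here) is allowed plain HTTP, while example.com and api.example.com are protected by their entry and insecure.example.com is exempted by its own more specific one. Flipping the global flag to false changes only the hosts that have no entry.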
In both of these error cases, we can set the environment variable CFNETWORK_DIAGNOSTICS to 1 in order to get more information on the console about the failure. After turning this variable on in our app’s scheme, you’ll notice a new log line with a path to a diagnostic file; this file, in turn, is filled with information about all the actions the CFNetwork layer is taking on behalf of your app’s networking code.

[…]
If you have access to an OS X machine running 10.11 or later, the command-line utility nscurl provides some basic ATS debugging capabilities.
While Google remains committed to industry-wide adoption of HTTPS, there isn’t always full compliance on third party ad networks and custom creative code served via our systems. To ensure ads continue to serve on iOS9 devices for developers transitioning to HTTPS, the recommended short term fix is to add an exception that allows HTTP requests to succeed and non-secure content to load successfully.
Note that this allows all HTTP requests to succeed, not just ones pertaining to Google ads.
So in a year where malware-laden ads are becoming increasingly frequent, Google’s response is not to convert their ad network to HTTPS, but rather to tell developers to reduce the security of their apps.
To be clear, developers should only consider disabling ATS if other approaches to comply with ATS standards are unsuccessful.
Previously: App Transport Security.