App Transport Security with IP address 

So, what is App Transport Security? In a nutshell: this new mechanism in iOS 9 protects the transmission channel between our app and the server by forcing the use of TLS or SSL encryption.

I recently received a task to demonstrate how to display and download data from a remote web server in iOS. The specs started with “Download an xml/json file from the following url:”, and the URL host name was an IP address.
Immediately after creating the appropriate functions, I got the error:

App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file.

Unfortunately, in my example there was no secure layer involved. Since I have been a strong supporter of SSL-wrapped connections, my first idea was to allow the insecure communication only between the specific IP address and my app, but unfortunately you cannot add exceptions based on an IP address. The solution was to completely remove ATS for this application :(.

In order to remove App Transport Security from your application, you have to edit your app's Info.plist file in Xcode and add another key, called “App Transport Security Settings”, by clicking the small + sign on the right side of the first line (“Information Property List”). You also need to add an entry inside this “App Transport Security Settings” dictionary: click on its right side to add a sub-item, and change it to “Allow Arbitrary Loads”.

Since I didn’t want to just disable it without any warning and risk forgetting about it when the app goes to production, I added the following code to the AppDelegate's didFinishLaunchingWithOptions:

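    // Read the ATS dictionary from Info.plist (nil if the key is absent).
    NSDictionary *settingsForATS = [[NSBundle mainBundle] objectForInfoDictionaryKey:@"NSAppTransportSecurity"];
    if ([settingsForATS count] > 0) {
        for (id curKey in settingsForATS) {
            // The value is an NSNumber object, so test boolValue:
            // checking the object itself is true even when the key is set to NO.
            if ([curKey isEqual:@"NSAllowsArbitraryLoads"] && [settingsForATS[curKey] boolValue]) {
                NSLog(@"Warning! App Transport security is switched off!");
            }
        }
    }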

As you can see, almost all of the Info.plist settings can be queried with

    [[NSBundle mainBundle] objectForInfoDictionaryKey:@""]
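
The runtime warning above only helps if someone reads the log, so the same check can also run as a build step. The following is an added example, not code from the original post: a Python script that audits an Info.plist and goes beyond `NSAllowsArbitraryLoads` to the related global keys and per-domain cleartext exceptions. The function name `audit_ats` and the sample plists are constructed for illustration.

```python
import plistlib
import sys

# ATS keys that weaken the default policy for the whole app when set to true.
GLOBAL_KEYS = ("NSAllowsArbitraryLoads", "NSAllowsArbitraryLoadsInWebContent",
               "NSAllowsArbitraryLoadsForMedia")

def audit_ats(plist_bytes):
    """Return findings for ATS settings that permit cleartext HTTP (XML or binary plist)."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity")
    if not isinstance(ats, dict):
        return []  # key absent: the ATS defaults apply
    findings = []
    for key in GLOBAL_KEYS:
        # `is True` matters: a key that is present but false is not a finding.
        if ats.get(key) is True:
            findings.append(f"{key} is enabled for the whole app")
    domains = ats.get("NSExceptionDomains")
    for domain, rules in (domains.items() if isinstance(domains, dict) else []):
        if isinstance(rules, dict) and rules.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            findings.append(f"cleartext HTTP allowed for {domain}")
    return findings

def _sample(inner):
    """Build a constructed Info.plist (sample data, not from the original post)."""
    return (b'<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>'
            b"<key>NSAppTransportSecurity</key><dict>" + inner + b"</dict></dict></plist>")

SAMPLE_DISABLED = _sample(b"<key>NSAllowsArbitraryLoads</key><true/>")
SAMPLE_EXPLICIT_NO = _sample(b"<key>NSAllowsArbitraryLoads</key><false/>")
SAMPLE_DOMAIN = _sample(b"<key>NSExceptionDomains</key><dict><key>example.com</key><dict>"
                        b"<key>NSExceptionAllowsInsecureHTTPLoads</key><true/></dict></dict>")

if __name__ == "__main__":
    # With a path argument, audit that Info.plist and fail the build on any finding.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            found = audit_ats(fh.read())
        print("\n".join(found) or "ATS: no cleartext allowances")
        sys.exit(1 if found else 0)
    for sample in (SAMPLE_DISABLED, SAMPLE_EXPLICIT_NO, SAMPLE_DOMAIN):
        print(audit_ats(sample))
```

Run against the release configuration's Info.plist, a non-zero exit stops the build before an ATS-disabled app ships.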

I found a really good article about how to set up ATS for different types of secure connection use cases here: http://www.neglectedpotential.com/2015/06/working-with-apples-application-transport-security/

Apple’s official documentation for ATS is available here, along with other Info.plist keys.

I hope I could help you, and you can always share your thoughts in comments.

