Fix App Transport Security (ATS) blocks Network connection in iOS

iOS has always been strict about security, and you need to follow Apple's rules in order to upload your app to the App Store. If you have ever run into ATS or SSL problems when connecting to the network, this article may help you.

What is App Transport Security?

App Transport Security (ATS) is a network security feature that requires the network connections made by your app to be secured by the Transport Layer Security (TLS) protocol using reliable certificates and ciphers.

ATS blocks connections that don’t meet the minimum security requirements set by Apple.

You can find the ATS settings under the NSAppTransportSecurity key in your app's Info.plist file.

ATS settings

If you want to connect to a server that isn’t fully secure, you can add exceptions to loosen some ATS requirements.

You can find more definitions of those properties:

Configure Exceptions Only When Needed; Prefer Server Fixes

The easy solution

Check whether you see one of these errors:

App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app’s Info.plist file.
// Or
An SSL error has occurred and a secure connection to the server cannot be made.

If you see them, the first and easiest solution is to set NSAllowsArbitraryLoads to YES. And done!

Allow Arbitrary Loads

But it is not a good solution, because it turns ATS off for every connection the app makes. Actually, in 2016, Apple required developers to support ATS (source). Currently, in 2021, you are still able to upload your app to the App Store with NSAllowsArbitraryLoads = YES, but it is better to follow Apple's rules (maybe one day the reviewer will not approve your app because of this).

Exception Domains

Now it is time to find all requirements that your server is not able to satisfy.

Open your Terminal, and use this command:

nscurl https://example.com --verbose --ats-diagnostics

You will see all the ATS diagnostics. Look for the entries with Result : PASS and find the minimum set of exceptions (other than Allowing Arbitrary Loads, as mentioned above) that your server needs.

Then, in order to pass the ATS requirements, you can ask your server team to fix the server or add the keys to Info.plist.

Example result:

Starting ATS Diagnostics

Configuring ATS Info.plist keys and displaying the result of HTTPS loads to https://example.com
A test will "PASS" if URLSession:task:didCompleteWithError: returns a nil error.
================================================================================

Default ATS Secure Connection

ATS Default Connection
ATS Dictionary:
{
}
Result : FAIL
Error : …}
================================================================================

Allowing Arbitrary Loads


Allow All Loads
ATS Dictionary:
{
NSAllowsArbitraryLoads = true;
}
Result : PASS



Disabling Perfect Forward Secrecy
ATS Dictionary:
{
NSExceptionDomains = {
"example.com" = {
NSExceptionRequiresForwardSecrecy = false;
};
};
}
Result : PASS


As you can see here, NSExceptionRequiresForwardSecrecy = false makes the connection pass. So you need to ask your server team to look into the forward secrecy problem.

Or set the exception for that domain in the Info.plist file.

Set NSExceptionRequiresForwardSecrecy = false

Now you are safe to upload your app to the App Store and don’t need to worry that one day the reviewer will reject your app because of ATS issues.
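
To check that an Info.plist carries only the scoped exception the diagnostics called for and not the blanket switch, the added example below (not code from the original article) parses the file and lists every ATS relaxation it contains. The two sample plists are constructed, and the audit_ats function name and its (scope, key) result format are assumptions made for this illustration.

```python
import plistlib

# Constructed sample Info.plist files (not from the article).
# SCOPED: forward secrecy is relaxed for example.com only, as nscurl suggested.
SCOPED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>example.com</key>
      <dict>
        <key>NSExceptionRequiresForwardSecrecy</key><false/>
      </dict>
    </dict>
  </dict>
</dict></plist>"""

# BLANKET: the "easy solution" that switches ATS off for every connection.
BLANKET = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict><key>NSAllowsArbitraryLoads</key><true/></dict>
</dict></plist>"""

# ATS keys that are not limited to a domain and relax ATS when true.
GLOBAL_KEYS = ("NSAllowsArbitraryLoads", "NSAllowsArbitraryLoadsForMedia",
               "NSAllowsArbitraryLoadsInWebContent")
# Per-domain keys mapped to the value that relaxes ATS.
DOMAIN_KEYS = {"NSExceptionAllowsInsecureHTTPLoads": True,
               "NSExceptionRequiresForwardSecrecy": False}

def audit_ats(plist_bytes):
    """Return (scope, key) for every ATS relaxation found in an Info.plist."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = [("global", k) for k in GLOBAL_KEYS if ats.get(k) is True]
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        for key, relaxed in DOMAIN_KEYS.items():
            if rules.get(key) is relaxed:
                findings.append((domain, key))
        # ATS defaults to TLS 1.2 as the minimum; older values weaken it.
        if rules.get("NSExceptionMinimumTLSVersion") in ("TLSv1.0", "TLSv1.1"):
            findings.append((domain, "NSExceptionMinimumTLSVersion"))
    return findings

if __name__ == "__main__":
    for name, data in (("scoped", SCOPED), ("blanket", BLANKET)):
        print(name, audit_ats(data))
```

Run against a release build's Info.plist, a "global" finding means the app still ships with ATS disabled everywhere, while a domain finding should match an exception you added on purpose.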