App Transport Security: Resolving Cleartext HTTP Block Issues for Enhanced App Security

In this guide, we will discuss App Transport Security (ATS) and how to resolve issues related to cleartext HTTP blocking in your app. By implementing ATS, you can enhance the security of your app's communication with web services.

Introduction to App Transport Security (ATS)

App Transport Security (ATS) is a feature introduced in iOS 9 and macOS 10.11 that enforces best practices for secure network communications. ATS requires connections to use HTTPS and TLS v1.2 or higher, ensuring that all network traffic is encrypted and secure. By default, ATS is enabled for all apps targeting iOS 9 or later and macOS 10.11 or later. To learn more about ATS, refer to Apple's official documentation.

Understanding Cleartext HTTP Block Issues

Cleartext HTTP block issues occur when your app tries to connect to a web service over an insecure HTTP connection. With ATS enabled, these connections are blocked by default, as they do not meet the minimum security requirements.

These issues can lead to broken features in your app, as the connections will fail, and the app will not receive the expected data from the server. Therefore, it is crucial to resolve these issues to ensure smooth functioning and enhanced security for your app.

Resolving Cleartext HTTP Block Issues

There are two main approaches to resolve cleartext HTTP block issues:

Migrating to HTTPS

The recommended solution is to switch all your app's connections to HTTPS. This approach ensures that your app's communication with web services is encrypted and secure. To migrate to HTTPS:

  1. Obtain an SSL/TLS certificate for your domain. You can get a free certificate from Let's Encrypt or purchase one from a certificate authority (CA).
  2. Install and configure the SSL/TLS certificate on your web server.
  3. Update your app's code to use https:// URLs instead of http:// URLs.

Updating Info.plist

If migrating to HTTPS is not feasible or requires more time, you can temporarily allow cleartext HTTP connections by modifying your app's Info.plist file. Please note that this approach is less secure and should only be used as a temporary solution.

To allow cleartext HTTP connections, follow these steps:

  1. Open your app's Info.plist file.
  2. Add the NSAppTransportSecurity dictionary to the file if it does not already exist.
  3. Inside the NSAppTransportSecurity dictionary, add a new key-value pair with the key NSAllowsArbitraryLoads and the Boolean value YES (written as <true/> in the XML source).

Example:

<key>NSAppTransportSecurity</key>
<dict>
  <key>NSAllowsArbitraryLoads</key>
  <true/>
</dict>

Remember to remove or set NSAllowsArbitraryLoads to NO once you have migrated to HTTPS.
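
As an added example (not code from this guide or from Apple), the following Python check parses an Info.plist and reports settings that weaken ATS, so a build can fail while the temporary workaround is still in place. Beyond the NSAllowsArbitraryLoads key described above, it also reports per-domain NSExceptionDomains entries that set NSExceptionAllowsInsecureHTTPLoads, which this guide does not cover; the function name audit_ats, the severity labels and the sample plist are constructed for illustration.

```python
import plistlib
import sys

# Constructed sample Info.plist (not from a real app): the global workaround
# shown above plus one per-domain exception.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

def audit_ats(plist_bytes):
    """Return (severity, message) findings for settings that weaken ATS."""
    info = plistlib.loads(plist_bytes)  # accepts XML and binary plists
    ats = info.get("NSAppTransportSecurity")
    if not isinstance(ats, dict):
        return []  # no overrides present, so ATS defaults apply
    findings = []
    if ats.get("NSAllowsArbitraryLoads") is True:
        findings.append(("high", "NSAllowsArbitraryLoads is true: ATS is off for all connections"))
    domains = ats.get("NSExceptionDomains")
    for domain, cfg in (domains.items() if isinstance(domains, dict) else []):
        if isinstance(cfg, dict) and cfg.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            findings.append(("medium", f"cleartext HTTP allowed for {domain}"))
    return findings

if __name__ == "__main__":
    # Usage: python audit_ats.py path/to/Info.plist (falls back to the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PLIST
    results = audit_ats(data)
    for severity, message in results:
        print(f"[{severity}] {message}")
    sys.exit(1 if results else 0)
```

Run as a script, it exits non-zero when any finding is present, which lets a CI job block a release that still ships the workaround.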

FAQ

1. What is App Transport Security (ATS)?

App Transport Security (ATS) is a feature introduced in iOS 9 and macOS 10.11 that enforces best practices for secure network communications. ATS requires connections to use HTTPS and TLS v1.2 or higher, ensuring that all network traffic is encrypted and secure.

2. Why is my app's communication being blocked due to cleartext HTTP?

With ATS enabled, connections that do not meet the minimum security requirements (HTTPS and TLS v1.2 or higher) are blocked. This includes cleartext HTTP connections, which are insecure and susceptible to eavesdropping and man-in-the-middle attacks.

3. How do I migrate my app's connections to HTTPS?

To migrate your app's connections to HTTPS:

  1. Obtain an SSL/TLS certificate for your domain.
  2. Install and configure the SSL/TLS certificate on your web server.
  3. Update your app's code to use https:// URLs instead of http:// URLs.

4. Can I temporarily allow cleartext HTTP connections in my app?

Yes, you can temporarily allow cleartext HTTP connections by modifying your app's Info.plist file. Add the NSAppTransportSecurity dictionary with the key NSAllowsArbitraryLoads set to YES. Please note that this approach is less secure and should only be used as a temporary solution.

5. Why should I avoid using NSAllowsArbitraryLoads?

Using NSAllowsArbitraryLoads disables ATS for your app, allowing insecure connections, which can expose your app to security risks. It is recommended to use HTTPS and comply with ATS requirements to ensure the security of your app's communication with web services.
