{"id":127826,"date":"2021-06-16T12:00:29","date_gmt":"2021-06-16T12:00:29","guid":{"rendered":"https:\/\/developer.apple.com\/news\/?id=jxky8h89"},"modified":"2021-06-16T12:00:29","modified_gmt":"2021-06-16T12:00:29","slug":"fine-tune-your-app-transport-security-settings","status":"publish","type":"post","link":"https:\/\/sickgaming.net\/blog\/2021\/06\/16\/fine-tune-your-app-transport-security-settings\/","title":{"rendered":"Fine-tune your App Transport Security settings"},"content":{"rendered":"
\"Padlock<\/div>\n

At Apple, we believe privacy is a fundamental human right. When people connect to a public Wi-Fi hotspot, they expect to use your app to send and receive data without worrying that someone in the vicinity could intercept their connection and gain access to unencrypted data. Allowing even seemingly-innocuous data to remain unencrypted can expose people to snooping and fingerprinting by anyone on the network.<\/p>\n

Transport Layer Security (TLS) uses encryption to protect connections from prying eyes, and URLSession provides strong TLS connections by default with App Transport Security (ATS). <\/p>\n

If you need to connect to older servers that don’t support TLS, however, you can now add ATS exceptions to your app. Ideally, exceptions should just carve out the specific domains or frameworks that make insecure connections, and you should limit any exceptions you do request. Avoid sending data unencrypted except when absolutely necessary for your app to function.<\/p>\n

Identify necessary ATS exceptions<\/h3>\n

To make sure your app \u2014 and the data used within it \u2014 is as secure as possible, it\u2019s important to identify whether your app is currently making insecure connections.<\/p>\n

To check, disable all your active ATS exceptions by setting their values in your Info.plist to \u201cNO.\u201d From there, open your app or run your unit tests. If your app makes an insecure connection, Xcode will generate runtime errors for each one.<\/p>\n

<\/div>\n

If your app is generating insecure connections, there are a few steps you can take to remove them.<\/p>\n

Secure your servers<\/strong><\/p>\n

If your app connects to servers you control, make sure those servers support secure connections. This requires a TLS certificate. If you use a hosting service, check whether they offer certificates, and make sure those certificates meet the requirements detailed in \u201cPreventing Insecure Network Connections.\u201d<\/p>\n

Preventing Insecure Network Connections<\/a><\/p>\n

Use HTTPS<\/strong><\/p>\n

If your app connects to servers you don\u2019t control, you should always attempt to connect to those servers over HTTPS instead of HTTP. You can identify whether a server supports HTTPS by simply changing \u201chttp:\/\/\u201d to \u201chttps:\/\/\u201d in your URL string and trying to load data from that website. You can check this manually in a browser, or run code as follows:<\/p>\n

let<\/span> request =<\/span> URLRequest<\/span>(url: URL<\/span>(string: \u201chttps:<\/code><\/pre>\n
Many websites redirect HTTP connections to HTTPS. Connecting over HTTPS first can often improve the performance of your app. Note, however, that while a website may use HTTPS, that doesn\u2019t mean it\u2019s ATS-compatible. For instance, it may be using an outdated version of TLS, which, on Safari, displays a \u201cThis Connection Is Not Private\u201d warning.<\/p>\n
<\/div>\n
Remove unnecessary exceptions<\/strong>
\nOn websites where you no longer receive ATS runtime errors, you can remove those exceptions. Locate \u201cApp Transport Security Settings\u201d in your Info.plist and click the \u201c-\u201d icon to remove the exceptions in question.<\/p>\n
<\/div>\n
Configure exception domains<\/h3>\n
If your app still needs to make insecure connections to specific domains, you can configure ATS exceptions for just those domains.<\/p>\n