Keywords: iOS | App Transport Security | info.plist configuration | HTTP requests | network security
Abstract: This technical paper comprehensively addresses the cleartext HTTP request blocking issue caused by App Transport Security (ATS) in iOS 9 and later versions. Through detailed analysis of info.plist configuration, it presents two primary solutions: global configuration for arbitrary loads and domain-specific exceptions. The article includes complete XML code examples, configuration procedures, and security best practices to help developers properly handle ATS restrictions while maintaining application security.
Overview of App Transport Security Mechanism
Since iOS 9, Apple introduced the App Transport Security (ATS) mechanism, mandating that all network connections use HTTPS encrypted transmission. This security measure aims to protect user data from man-in-the-middle attacks and other security threats. When an application attempts to establish insecure HTTP connections, the system throws a "Transport security has blocked a cleartext HTTP resource load" error, prompting developers to configure appropriate security exceptions.
Error Analysis and Root Causes
This error indicates that the application is trying to load network resources through unencrypted HTTP protocol, and the ATS mechanism has automatically blocked such insecure connections. This situation commonly occurs in scenarios such as accessing third-party APIs that don't support HTTPS yet, connecting to local development servers, or using legacy network services. The error message explicitly states that temporary exceptions can be configured via the info.plist file, providing developers with flexible solutions.
Global Allow Arbitrary Loads Configuration
For development phases or applications requiring connections to multiple insecure domains, a global allow arbitrary loads configuration can be adopted. This method disables ATS restrictions for all connections by setting NSAllowsArbitraryLoads to true. The specific configuration code is as follows:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>While this configuration is simple and effective, it carries significant security risks. Apple may reject applications using this configuration during app review, especially when the application lacks sufficient justification for disabling ATS. This solution is recommended only during development testing or when dealing with legacy systems.
Domain-Specific Exception Configuration
A more secure approach is to configure exceptions for specific domains, allowing insecure connections only for necessary domains. This method meets functional requirements while maximizing the security protection provided by ATS. The following is configuration code using example.com as an example:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>example.com</key>
<dict>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSIncludesSubdomains</key>
<true/>
</dict>
</dict>
</dict>In this configuration, the NSExceptionAllowsInsecureHTTPLoads key allows the use of HTTP protocol for specified domains, while the NSIncludesSubdomains key extends the exception to all subdomains. This granular control ensures that only explicitly specified domains can bypass ATS restrictions.
Detailed Configuration Implementation Steps
Configuring ATS exceptions in Xcode requires editing the info.plist file. Developers can complete the configuration through the following steps: first select the info.plist file in the project navigator, then right-click and choose "Add Row" to add a new entry. Enter "App Transport Security Settings" as the key name, with the type set to Dictionary. Add corresponding configuration key-value pairs under this dictionary, choosing between global allow or domain exception schemes based on requirements.
For XML editing, the above code snippets can be directly inserted into the info.plist source file. It's important to note that the info.plist file follows a specific XML structure, and configuration code should be placed in appropriate positions, typically alongside other application configuration items.
Security Considerations and Best Practices
While ATS exception configurations solve connectivity issues, developers must balance functional requirements with security risks. Apple strongly recommends using HTTPS connections whenever possible and configuring exceptions only when absolutely necessary. For production environment applications, priority should be given to upgrading services to HTTPS rather than relying on ATS exceptions.
When exception configurations must be used, it's recommended to follow these principles: limit the number of exception domains, clearly document the rationale for each exception, and regularly review the necessity of exception configurations. For applications involving sensitive data transmission, HTTP connections should be completely avoided to ensure adequate protection of user data.
Version Compatibility and Future Development
The ATS mechanism, introduced since iOS 9, has been continuously enhanced in subsequent system versions. Different iOS versions may have varying requirements and limitations for ATS configuration. Developers need to monitor updates in Apple's official documentation to ensure configuration schemes are compatible with target system versions.
As network security standards continue to improve, Apple may further tighten ATS policies. Therefore, applications relying on ATS exceptions should develop long-term migration plans toward full HTTPS to adapt to future security requirement changes.