app-transport-security

My question is related to Apple Transport Security (ATS) and I am too much confused. I want to support all the protocols (all version of TLS and SSL) in my swift app. If I change NSAllowsArbitraryLoads to false, will app work on all protocols by default? Or do I have to specify domain in configuration and add NSExceptionMinimumTLSVersion? <key>NSAppTransportSecurity</key> <dict> <key>NSAllowsArbitraryLoads</key> <false/> <key>NSExceptionDomains</key> <dict> <key>your.servers.domain.here</key> <dict> <key>NSIncludesSubdomains</key> <true/> <key>NSExceptionRequiresForwardSecrecy</key> <false/>

We have an app which shows HTML content in Webview. Currently the content served to Webview is from non secured domain. From iOS10, it supposed to serve from secured domain so before migrating want to clear some doubts. Do the secured HTML page(https) should have CSS and JS links from secured sever too? As some CSS and JS might be from third server. If the secured HTML page(https) is loaded into Webview and had some links which are not secured(http), will those links load in Webview when user taps on it? Thanks in advance for your help. I did a quick test and it appears that any referenced

We recently decided to update a couple of our apps this summer to switch them from http to https in order to follow the new Apple guidelines which go into affect January 2017. The only thing transferred to and from the app is product information, no user info or anything even remotely sensitive. But we want to comply early so that we don't have to worry about it later. The question: Apple seems to be forcing us to deal with US Export Compliance law which requires us to get an approval for an Exporter Registration Number (ERN) , and a SNAP-R which requires a Company Identification Number (CIN)

Is it safe, in terms of security, to add localhost to ATS NSExceptionDomains for development use? It's not very convenient (and it's easy to forget) to remove those lines from Info.plist file before every commit. <dict> <key>NSExceptionDomains</key> <dict> <key>localhost</key> <dict> <key>NSIncludesSubdomains</key> <true/> <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key> <true/> </dict> </dict> </dict> Additionally, can Apple reject the application because of this? Joseph You can now do this for local addresses: <key>NSAppTransportSecurity</key> <dict> <key>NSAllowsLocalNetworking</key>

I am developing an app which have a small tweak in it. it will show a preview of the given url (like Facebook,whatsapp does). but if the "User-given" url is in HTTP, I couldn't load the preview when ATS is turned on. so i turned off the whole HTTPS traffic by using NSAllowsArbitraryLoads . is there any way to allow http with ATS enabled? According to Apple , if you build against an older SDK, so iOS 8 or earlier, then ATS is disabled. I don't know exactly what this means, but I'm guessing it is the target build setting Architectures, Base SDK -- not the deployment target setting. This video