Disable App Transport Security in Xcode 9.2?

Question

I cannot disable App Transport Security (ATS) in Xcode 9.2. I have been (for years) disabling ATS when running builds against my local server environment like so:

Transport security has blocked a cleartext HTTP

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

In Xcode 9.2, a simple request (running against a local Rails app in http mode):

let session = URLSession(configuration: .default)
let url = URL(string: "http://store.dev/api/products.json")!

let task = session.dataTask(with: url) { data, response, error in
    print(data)
    print(response)
    print(error)
}

task.resume()

fails with the error message

Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={_kCFStreamErrorCodeKey=-9802, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x60c00024afb0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://store.dev/api/products.json, NSErrorFailingURLStringKey=https://store.dev/api/products.json, _kCFStreamErrorDomainKey=3}

This exact same request (same project as well) succeeds on Xcode 9.1.

In both cases, I'm building against a iOS 11.1 deployment target. You can see that Xcode is changing the url from http to https, which I do not want.

Here is a link to the super basic project that works in Xcode 9.1 but fails in 9.2 (https://github.com/chrismanderson/ats-sample).

I've also tried disabling ATS just for the local store.dev domain, and again, it works on Xcode 9.1 but not 9.2.

Answer 1

I didn't originally put it together, but I think what is happening is that with iOS 11, Apple is supporting HSTS. I believe that support for HSTS preload lists, in combination with Google recently adding the .dev TLD to the HSTS preload list, is likely causing iOS to try to force you to use https, which is failing (I missed that you are trying to use a .dev local domain for testing, which is really the key element here).

I think your only solution is to change your local testing domain to something other than a .dev domain. If you do that, you should be able to connect, and it won't try to force you to https on your local dev environment.

In short, Google has gotten rights to the .dev top level domain, and recently added it to the HSTS preload list to force all communication with .dev domains to be secure. On devices that support HSTS preload lists, this causes all traffic to redirect through HTTPS, which will cause errors on servers that don't support HTTPS.

Answer 2

On the navigator on the left-hand side of the screen in XCode, click your main project file, in which all the files and folders are stored. Click on the Info tab. Under "Custom iOS Target Properties", you used to see an option to change the App Transport Security Settings (ATS). It is not explicitly stated, but still available.

As you mouse over the options, you should see a + in a small circle. Click on it. XCode will prompt you to create an "Application Category". IN that list that appears, scroll up and select "App Transport Security Settings".

Click on that option. Once that is created, it should prompt you to change the BOOL value (default should be "NO"). At the far right, you should see a set of up and down arrows. Click on this to change the BOOL to yes.