Guess what? iOS 9 and XCode 7 are finally out, and – like almost always – there’s the usual number of breaking changes that will drive most developers mad. Among the biggest ones there’s the new Apple Transport Security (ATS) feature, which happens to be enabled by default starting from iOS 9.0 and OSX 10.11 and will basically block any non-HTTPS connection for your App.
Yeah, you’ve read it right. Here’s the Apple official statement about that:
It improves the privacy and data integrity of connections between an app and web services by enforcing additional security requirements for HTTP-based networking requests. Specifically, with ATS enabled, HTTP connections must use HTTPS (RFC 2818). Attempts to connect using insecure HTTP fail. Furthermore, HTTPS requests must use best practices for secure communications.
This will undoubtely translate into tears of joy for a lot of developers relying to home-made web services hosted on non-HTTPS environments or non-TLS based storage services (such as Amazon AWS).
Luckily enough, until you find the money to provide yourself with a HTTPS certificate, you can disable the ATS feature by adding the following XML lines in your Info.plist file (right-click on it > Open As > Source Code):
Disable ATS for a specific domain only
<!-- add this key to enable subdomains such as sub.yourserver.com -->
<!-- add this key to allow standard HTTP requests, thus negating the ATS -->
<!-- add this key to specify the minimum TLS version to accept -->
Completely disable ATS