ios, iphone, https, app-transport-security

Is it safe to add localhost to App Transport Security (ATS) NSExceptionDomains?


Is it safe, in terms of security, to add localhost to ATS NSExceptionDomains for development use? It's not very convenient (and it's easy to forget) to remove those lines from the Info.plist file before every commit.

<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>localhost</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
</dict>

Additionally, can Apple reject the application because of this?


Solution

  • You can now do this for local addresses:

    <key>NSAppTransportSecurity</key>    
    <dict>
        <key>NSAllowsLocalNetworking</key>
        <true/>
    </dict>
    

    Apple has blessed this key as an ATS exception — it has said it will not reject apps for using it. More info here: https://developer.apple.com/library/content/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html (search in page for "local")
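
A pre-commit style check for the concern raised in the question (forgetting to remove ATS exceptions from Info.plist before committing), as an added example that is not part of the original question or answer. The policy of failing on per-domain cleartext exceptions while only reporting NSAllowsLocalNetworking is an assumption, as are the function names and the constructed sample plist.

```python
import plistlib

# Constructed sample: the question's localhost exception placed under
# NSAppTransportSecurity, next to the answer's NSAllowsLocalNetworking key.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSAllowsLocalNetworking</key>
        <true/>
        <key>NSExceptionDomains</key>
        <dict>
            <key>localhost</key>
            <dict>
                <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
                <true/>
            </dict>
        </dict>
    </dict>
</dict>
</plist>
"""

# Per-domain keys that permit cleartext HTTP (current and legacy spelling).
INSECURE_KEYS = ("NSExceptionAllowsInsecureHTTPLoads",
                 "NSTemporaryExceptionAllowsInsecureHTTPLoads")

def audit_ats(plist_bytes):
    """Return (level, message) findings for the ATS section of an Info.plist."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads") is True:
        findings.append(("fail", "NSAllowsArbitraryLoads disables ATS for all domains"))
    if ats.get("NSAllowsLocalNetworking") is True:
        findings.append(("info", "NSAllowsLocalNetworking is set (local addresses only)"))
    for domain, cfg in ats.get("NSExceptionDomains", {}).items():
        for key in INSECURE_KEYS:
            if cfg.get(key) is True:
                findings.append(("fail", f"{domain}: {key} allows cleartext HTTP"))
    return findings

def should_block_commit(plist_bytes):
    """Assumed policy: any 'fail' finding means the hook should exit non-zero."""
    return any(level == "fail" for level, _ in audit_ats(plist_bytes))

if __name__ == "__main__":
    for level, message in audit_ats(SAMPLE_PLIST):
        print(f"[{level}] {message}")
```

In a real hook, read the project's Info.plist as bytes and exit non-zero when `should_block_commit` returns True.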