Chapter 15. Security
iOS 10 didn’t change much with regard to the Security framework. A few things were added, mainly to the keychain. There are also some additions to Application Transport Security, or ATS. ATS is now incorporated into iOS, so all apps compiled with the new Xcode, and running under the latest iOS version, will by default use HTTPS for all their network traffic. There are some pros and cons to this: it is good because it strongly encourages the use of secure connections for everything, but sometimes it can be annoying to be forced to use a secure connection for everything!
There are also some changes that affect the way we can store values in the keychain, but overall, not much to worry about.
15.1 Protecting Your Network Connections with ATS
You want to control the details about the HTTPS channels through which your network connections go, or use a non-secure channel (HTTP).
I do not personally suggest using non-secure connections. However, in some cases, if you are using a backend that does not provide an HTTPS variant, you will eventually be forced to go through HTTP. In this chapter, I’ll help you figure out how to do that as well.
As I said, by default, all domain names that you use in your URLs will be going through secure channels. But you can indicate specific exceptions. ATS has a dictionary key in your Info.plist file called NSAppTransportSecurity. Under that, you have another dictionary key called NSExceptionDomains. Under ...