Disable App Transport Security in Xcode 9.2?

Question

I cannot disable App Transport Security (ATS) in Xcode 9.2. I have been (for years) disabling ATS when running builds against my local server environment like so:

Transport security has blocked a cleartext HTTP

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

In Xcode 9.2, a simple request (running against a local Rails app in http mode):

let session = URLSession(configuration: .default)
let url = URL(string: "http://store.dev/api/products.json")!

let task = session.dataTask(with: url) { data, response, error in
    print(data)
    print(response)
    print(error)
}

task.resume()

fails with the error message

Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={_kCFStreamErrorCodeKey=-9802, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x60c00024afb0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://store.dev/api/products.json, NSErrorFailingURLStringKey=https://store.dev/api/products.json, _kCFStreamErrorDomainKey=3}

This exact same request (same project as well) succeeds on Xcode 9.1.

In both cases, I'm building against a iOS 11.1 deployment target. You can see that Xcode is changing the url from http to https, which I do not want.

Here is a link to the super basic project that works in Xcode 9.1 but fails in 9.2 (https://github.com/chrismanderson/ats-sample).

I've also tried disabling ATS just for the local store.dev domain, and again, it works on Xcode 9.1 but not 9.2.

Answer 1

I didn't originally put it together, but I think what is happening is that with iOS 11, Apple is supporting HSTS. I believe that support for HSTS preload lists, in combination with Google recently adding the .dev TLD to the HSTS preload list, is likely causing iOS to try to force you to use https, which is failing (I missed that you are trying to use a .dev local domain for testing, which is really the key element here).

I think your only solution is to change your local testing domain to something other than a .dev domain. If you do that, you should be able to connect, and it won't try to force you to https on your local dev environment.

In short, Google has gotten rights to the .dev top level domain, and recently added it to the HSTS preload list to force all communication with .dev domains to be secure. On devices that support HSTS preload lists, this causes all traffic to redirect through HTTPS, which will cause errors on servers that don't support HTTPS.