All of my current iOS apps have adopted App Transport Security (ATS) – a new security feature in iOS 9 that enforces stricter security requirements for networking requests. It is a great feature but I often need to temporarily disable it during development. The two most common reasons to do so are:

1) You cannot use a tool like Charles Proxy to sniff network traffic while ATS is enabled.
2) You cannot connect to a server with a self signed certificate (e.g. an internal dev box) while ATS is enabled.

To disable ATS the developer must edit the application’s Info.plist by adding a key in the NSAppTransportSecurity dictionary called NSAllowsArbitraryLoads and assigning it a value of true.

There are a few problems with having developers manually disable ATS like this:

  • A clean checkout and build doesn’t work with internal dev boxes or tools like Charles.
  • A developer needs to remember / find the correct entries to add or modify in Info.plist.
  • A developer might accidentally commit the local edit which would be a security risk.

To solve these issues I wrote a Build Phase Run Script that automatically disables App Transport Security in DEBUG Simulator builds. It modifies the copy of Info.plist in the build directory so there is no source code change to undo.

For now I decided to keep ATS enabled for DEBUG Device builds. Keeping it enabled for some DEBUG builds should (hopefully) increase the likelihood that developers will find future ATS issues before release. In other words: I don’t want to completely hide ATS from developers.

With all of that said, here is the script: