Understanding Property List Files in Xcode
As developers, we often work with property list files (.plist) to configure our iOS and macOS applications. These files contain key-value pairs that define various application settings, such as bundle version, icons, and more importantly, security-related settings like App Transport Security. In this article, we’ll delve into the world of property list files and explore why setting NSAppTransportSecurity to YES may not be sufficient in resolving the “App Transport Security has blocked a cleartext HTTP (http://) resource load” error.
What are Property List Files?
A property list file is a plain-text file that contains key-value pairs, where each key represents a setting or configuration option for your application. These files are used to store application-specific data and settings, such as icons, launch images, and more importantly, security-related settings like App Transport Security.
App Transport Security in iOS
In iOS 9 and later versions, Apple introduced App Transport Security (ATS) as a security feature designed to prevent certain types of HTTP requests from being made by your application. ATS is based on the “HTTP Strict Transport Security” (HSTS) specification, which was developed by Mozilla.
The primary goal of ATS is to mitigate man-in-the-middle attacks and eavesdropping on HTTPS connections. When ATS is enabled, your application can only make HTTPS requests to a specific domain or URL. Any attempts to load HTTP resources will result in an error.
Configuring App Transport Security using Property List Files
To configure App Transport Security using property list files, you need to add the following key-value pairs:
NSAppTransportSecurity: a boolean value indicating whether ATS should be enabled.
NSAllowsArbitraryLoads: a boolean value indicating whether your application is allowed to make arbitrary HTTP requests.
Here’s an example of what this might look like in your property list file:
<dict>
    <key>NSAppTransportSecurity</key>
    <bool>true</bool>
    <key>NSAllowsArbitraryLoads</key>
    <bool>false</bool>
    <key>NSRequiresSecureProtocol</key>
    <bool>true</bool>
</dict>
The Problem with Setting NSAppTransportSecurity to YES
In the original question, the developer attempts to set NSAppTransportSecurity to YES, but this does not seem to resolve the issue. To understand why, let’s take a closer look at what this setting actually does.
When NSAppTransportSecurity is set to YES, ATS will only allow HTTPS requests and block all HTTP requests by default. However, if you want to make arbitrary HTTP requests for specific domains or URLs, you need to add an exception using the NSAllowsArbitraryLoads key.
In the example above, we set NSAllowsArbitraryLoads to FALSE, which means that ATS will not allow any arbitrary HTTP requests. This might seem counterintuitive, but it’s actually the correct approach.
Why Setting NSAppTransportSecurity to YES Does Not Work
Setting NSAppTransportSecurity to YES without adding an exception for specific domains or URLs does not work because ATS is designed to be strict about HTTPS requests. When you set this setting to YES, ATS will only allow HTTPS requests, and any attempts to load HTTP resources will result in an error.
However, if you want to make arbitrary HTTP requests for specific domains or URLs, you need to add an exception using the NSAllowsArbitraryLoads key. If you don’t do this, ATS will not allow any arbitrary HTTP requests, even if you set NSAppTransportSecurity to YES.
Cleaning Your Project and Verifying the Property List File
To resolve the issue, try cleaning your project by running the following command in the Terminal:
xcodebuild clean
This will remove any derived data from your project, which might be causing issues.
After cleaning your project, verify that you’re using the correct property list file. You can do this by checking the Xcode project navigator and ensuring that the correct .plist file is being used for your application.
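One way to verify the ATS block of the Info.plist that actually ships, as an added example that is not part of the original article. It relies on Apple's documented schema, in which NSAppTransportSecurity is a dictionary containing keys such as NSAllowsArbitraryLoads and NSExceptionDomains, so a Boolean value there is reported as malformed; the function name, sample plists and domain are constructed for illustration.

```python
import plistlib

def audit_ats(plist_bytes):
    """Return a list of findings for the ATS block of an Info.plist."""
    info = plistlib.loads(plist_bytes)
    findings = []
    # ATS keys are read from inside the NSAppTransportSecurity dictionary,
    # so report any that were placed next to it instead.
    for key in ("NSAllowsArbitraryLoads", "NSExceptionDomains"):
        if key in info:
            findings.append(f"misplaced: {key} is outside NSAppTransportSecurity")
    if "NSAppTransportSecurity" not in info:
        return findings + ["default: no NSAppTransportSecurity key, ATS defaults apply"]
    ats = info["NSAppTransportSecurity"]
    if not isinstance(ats, dict):
        kind = type(ats).__name__
        return findings + [f"malformed: NSAppTransportSecurity is {kind}, expected dict"]
    # A global opt-out is the weakest setting: cleartext HTTP to any host.
    if ats.get("NSAllowsArbitraryLoads") is True:
        findings.append("weak: NSAllowsArbitraryLoads permits cleartext HTTP to any host")
    # Per-domain exceptions keep the cleartext allowance scoped to named hosts.
    for domain, opts in sorted(ats.get("NSExceptionDomains", {}).items()):
        if opts.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            scope = " and subdomains" if opts.get("NSIncludesSubdomains") else ""
            findings.append(f"exception: cleartext HTTP allowed for {domain}{scope}")
    return findings

# Constructed samples: the flat layout shown in this article, and a nested
# layout with one scoped exception (legacy.example.com is a placeholder).
FLAT = plistlib.dumps({"NSAppTransportSecurity": True,
                       "NSAllowsArbitraryLoads": False})
SCOPED = plistlib.dumps({"NSAppTransportSecurity": {
    "NSAllowsArbitraryLoads": False,
    "NSExceptionDomains": {"legacy.example.com": {
        "NSExceptionAllowsInsecureHTTPLoads": True,
        "NSIncludesSubdomains": True}}}})

if __name__ == "__main__":
    for name, blob in (("flat", FLAT), ("scoped", SCOPED)):
        print(name, audit_ats(blob))
```

Run it against the Info.plist inside the built .app bundle rather than the copy in the source tree, since the bundled file is the one ATS evaluates.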
Conclusion
In conclusion, setting NSAppTransportSecurity to YES alone may not resolve the “App Transport Security has blocked a cleartext HTTP (http://) resource load” error. To fix this issue, you need to add an exception using the NSAllowsArbitraryLoads key and specify the specific domains or URLs that are allowed to make arbitrary HTTP requests.
By understanding how App Transport Security works and configuring it correctly using property list files, you can ensure that your application is secure and compliant with Apple’s guidelines.
Last modified on 2025-04-06