
Understanding iOS App Transport Security (ATS) and Deploying HTTPS with SSL Certificates

Because Apple’s 2017 ATS enforcement requires all iOS apps to use HTTPS, developers must obtain an SSL certificate (such as a free Let’s Encrypt certificate or a GeoTrust certificate issued through Tencent Cloud), install it on their web server (e.g., Nginx), optionally configure CDN encryption, and verify compliance with Apple’s security checks.

Tencent Cloud Developer

After January 1, 2017, all iOS apps that need to access web pages must deal with ATS (App Transport Security). Because ATS requires HTTPS, Apple will close the HTTP door for app developers in 13 days.

1. What is ATS?

ATS stands for App Transport Security, a security mechanism introduced in iOS 9 that by default forces all network requests to use HTTPS.

2. Bypassing ATS?

Because this requirement affected many developers, Apple provided some ways to bypass ATS. For example, you can add the NSAppTransportSecurity dictionary in Info.plist and set NSAllowsArbitraryLoads to YES to disable ATS.

After WWDC 16, Apple increased the enforcement of ATS and required that from January 1, 2017, new app submissions could no longer use NSAllowsArbitraryLoads to bypass ATS.

Although other methods exist, following Apple’s guidance and using HTTPS is clearly the better and safer choice. Bypassing ATS is not recommended; Apple’s push for ATS aims to prevent accidental leakage of personal information and to provide a default secure behavior for apps.

3. Enabling HTTPS

Enabling HTTPS on the app server is not as complicated as it seems; you only need to deploy an SSL certificate.

HTTPS (Hypertext Transfer Protocol Secure) is an encrypted version of HTTP that protects data transmission security.

For certificates, you can choose the free Let’s Encrypt or purchase a CA‑issued certificate. Many cloud providers also offer SSL certificate services that can be deployed to a CDN.

Using Tencent Cloud as an example, the SSL certificate is issued by GeoTrust and can be used for free for one year. Users of Alibaba Cloud or other providers can refer to their respective certificate products.

3.1 Applying for a Certificate

After logging into Tencent Cloud, go to the SSL Certificate Management console and click Apply for Certificate. Currently only GeoTrust certificates are available.

Next, fill in the application information, especially the domain binding. For a domain like abc.com, you need to bind a sub‑domain such as a.abc.com, not the top‑level domain.

After that, you will be required to perform DNS verification manually. Follow the product documentation for domain verification.

Usually the certificate is issued quickly; in the author’s experience it was approved after a single refresh.

3.2 Server Installation of the Certificate

Once the review passes, you can download the certificate from the SSL console and upload it to your app server.

Here we use Nginx as an example; for Apache, IIS, etc., refer to the official documentation.

3.2.1 Obtaining the Certificate Files

In the Nginx folder you will have the SSL certificate file 1_www.domain.com_bundle.crt and the private key file 2_www.domain.com.key:

1_www.domain.com_bundle.crt contains the certificate block "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".

2_www.domain.com.key contains the private key block "-----BEGIN RSA PRIVATE KEY-----" and "-----END RSA PRIVATE KEY-----".

3.2.2 Installing the Certificate

Place the certificate file 1_www.domain.com_bundle.crt and the private key 2_www.domain.com.key for the domain www.domain.com in the same directory, e.g., /usr/local/nginx/conf.

Update the Nginx configuration file conf/nginx.conf as follows:

    server {
        # the "ssl" listen parameter replaces the deprecated "ssl on;" directive
        listen 443 ssl;
        server_name www.domain.com;  # domain bound to the certificate
        ssl_certificate 1_www.domain.com_bundle.crt;
        ssl_certificate_key 2_www.domain.com.key;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # protocol configuration
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;  # cipher suite configuration
        ssl_prefer_server_ciphers on;
        location / {
            root html;  # site directory
            index index.html index.htm;
        }
    }

After saving, test the configuration with bin/nginx -t. If the test passes, restart Nginx and the site will be reachable via https://www.domain.com.

4. Deploying HTTPS on CDN

Many websites use CDN services; cloud providers often offer free CDN traffic (e.g., Tencent Cloud provides 60 GB free traffic).

For apps or websites using CDN, you can deploy HTTPS on CDN nodes to achieve end‑to‑end encrypted transmission.

4.1 Conditions for HTTPS Configuration

The domain status in the domain management page must be Deploying or Enabled.

The domain must not be a COS‑synchronized .file.myqcloud.com domain.

The domain’s origin type must be Self‑origin, COS‑origin, or FTP‑origin.

Log in to the CDN console, go to the Domain Management page, click the Manage button for the domain, and enter the management page.

In Advanced Configuration, find the HTTPS configuration module.

4.2 Certificate Types

Tencent Cloud CDN currently supports two ways to deploy certificates:

Self‑owned certificate: upload your own certificate and private key to CDN for end‑to‑end encryption; the certificate never leaves the CDN.

Tencent Cloud managed certificate: the SSL certificate obtained earlier.

4.3 Certificate Configuration

Go to the CDN Advanced Tools – Certificate Management page, select the domain, certificate type, and origin method. The domain status must be Deploying or Enabled.

After checking “Tencent Managed Certificate”, select the previously applied certificate from the dropdown, set the origin method to HTTPS, and submit.

Once the certificate is configured, a “Force Redirect” switch appears; enabling it forces HTTP requests to redirect to HTTPS.

5. Verifying the Deployment

After completing the above steps, you need to verify that the deployed SSL certificate meets ATS requirements; otherwise the effort would be wasted.

Cloud providers offer a convenient detection tool: simply input the target domain to perform a one‑click check.

At this point, the app server’s SSL certificate deployment is complete and complies with Apple’s strict ATS requirements.
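A local complement to the provider's detection tool, as an added example that is not part of the original article: it handshakes the way an ATS client does (TLS 1.2 minimum, certificate chain and hostname verified) and reports whether the negotiated protocol and cipher provide forward secrecy. The function names are this example's own, and the baseline it checks (TLS 1.2 or later, ECDHE key exchange) is taken from Apple's ATS documentation, not from this page.

```python
import socket
import ssl
import sys
import time

ATS_VERSIONS = {"TLSv1.2", "TLSv1.3"}

def ats_problems(version, cipher):
    """Judge a negotiated (protocol, OpenSSL cipher name) pair against ATS."""
    problems = []
    if version not in ATS_VERSIONS:
        problems.append(f"protocol {version} is below TLS 1.2")
    # TLS 1.3 suites are always forward secret; TLS 1.2 suites must use ECDHE.
    if version != "TLSv1.3" and not cipher.startswith("ECDHE-"):
        problems.append(f"cipher {cipher} lacks ECDHE forward secrecy")
    return problems

def probe(host, port=443, timeout=5.0):
    """Connect with ATS-like client settings and return what was negotiated."""
    ctx = ssl.create_default_context()            # verifies chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0 / 1.1
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            not_after = ssl.cert_time_to_seconds(tls.getpeercert()["notAfter"])
            return {
                "version": tls.version(),
                "cipher": tls.cipher()[0],
                "days_left": int((not_after - time.time()) // 86400),
            }

def check(host):
    """Return a list of ATS problems for host; an empty list means it passed."""
    try:
        seen = probe(host)
    except OSError as exc:  # ssl.SSLError and certificate errors are OSErrors
        return [f"handshake failed: {exc}"]
    return ats_problems(seen["version"], seen["cipher"])

if __name__ == "__main__" and len(sys.argv) > 1:
    issues = check(sys.argv[1])
    print("\n".join(issues) if issues else "ATS baseline met")
```

On macOS, `nscurl --ats-diagnostics https://www.domain.com` runs Apple's own version of this check.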
