Chris Dzombak

App Transport Security: What, Why, How?

In this talk, I answer all your questions about App Transport Security: What is it? Why does it matter? How do you make your server compatible with it, and how do you configure your app to talk to non-compliant servers? Which other apps are using ATS? How does it work alongside other security strategies, like using plain old HTTPS or certificate pinning?

This talk was given at Ann Arbor CocoaHeads in January 2016.

Q&A Followup

I’d like to note some topics that came up in Q&A and provide additional thoughts & context.

If I use certificate pinning, can I also use App Transport Security?

Yes. As long as the certificate you’re pinning chains to a CA that iOS trusts and the server meets ATS’s other requirements (TLS 1.2, a forward-secrecy cipher suite, a SHA-256 signature, and an RSA key of at least 2048 bits or an ECC key of at least 256 bits), it will satisfy App Transport Security, and you are free to perform additional checks in your NSURLSession delegate, like verifying that the certificate or public key is the one you expect. App Transport Security doesn’t stop you from performing additional validation; it only rejects connections that iOS cannot verify are trustworthy: self-signed certificates, certificates from untrusted CAs, and servers that negotiate weaker TLS. The two are complementary: ATS guarantees a well-configured TLS connection to some certificate the trust store accepts, while pinning guarantees it is your certificate, which is the case a publicly trusted CA mis-issuing a certificate for your domain would otherwise slip past.

Additional reading on certificate pinning: HTTP Public Key Pinning; Certificate and Public Key Pinning.
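Here is what that layering looks like in practice, as an added example and not code from the talk: an NSURLSession delegate that lets iOS (and ATS) validate the chain first, then refuses the connection unless one certificate in the chain matches a pin. The host name and the pin values are placeholders; the pin format is base64(SHA-256(certificate DER)), which is what `openssl x509 -in cert.pem -outform der | openssl dgst -sha256 -binary | base64` prints for a given certificate.

```swift
import Foundation
import Security
import CryptoKit

/// Session delegate that pins the server certificate on top of the
/// system trust evaluation. Pins are base64(SHA-256(certificate DER)).
final class PinnedSessionDelegate: NSObject, URLSessionDelegate {
    private let pins: Set<String>

    init(pins: Set<String>) {
        self.pins = pins
        super.init()
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // Only intercept server-trust challenges; HTTP auth and client-cert
        // challenges keep the default behaviour.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Step 1: ordinary X.509 chain validation against the iOS trust store.
        // ATS has already refused weak TLS versions and cipher suites before
        // this delegate is ever called, so this is the same check ATS relies on.
        var evalError: CFError?
        guard SecTrustEvaluateWithError(trust, &evalError) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // Step 2: the check ATS does not do. A certificate from any trusted CA
        // passes step 1; only our own certificate passes this one.
        guard PinnedSessionDelegate.chainMatches(trust, pins: pins) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        completionHandler(.useCredential, URLCredential(trust: trust))
    }

    /// True if any certificate in the validated chain (leaf or intermediate)
    /// matches one of the pins.
    static func chainMatches(_ trust: SecTrust, pins: Set<String>) -> Bool {
        for index in 0..<SecTrustGetCertificateCount(trust) {
            guard let cert = SecTrustGetCertificateAtIndex(trust, index) else { continue }
            if pins.contains(pinHash(of: cert)) { return true }
        }
        return false
    }

    /// base64(SHA-256(DER)) of one certificate.
    static func pinHash(of certificate: SecCertificate) -> String {
        let der = SecCertificateCopyData(certificate) as Data
        return Data(SHA256.hash(data: der)).base64EncodedString()
    }
}

// Usage. The host and both pin values are placeholders, not real ones.
let delegate = PinnedSessionDelegate(pins: [
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=", // current certificate
    "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=", // backup for the next renewal
])
let session = URLSession(configuration: .default, delegate: delegate, delegateQueue: nil)
let task = session.dataTask(with: URL(string: "https://api.example.com/v1/ping")!) { _, response, error in
    // A pin mismatch surfaces here as an NSURLErrorCancelled error.
    print(error ?? (response as? HTTPURLResponse)?.statusCode ?? "no response")
}
task.resume()
```

Two things to keep in mind with this shape: because it pins the whole certificate rather than the public key, every renewal changes the pin, which is why a backup pin for the next certificate ships in the app ahead of time; pinning the Subject Public Key Info instead (the approach HPKP and libraries such as TrustKit take) survives renewals that reuse the key. And the order matters: running the system evaluation first means a pinned-but-expired or pinned-but-revoked certificate is still rejected, so pinning never weakens what ATS already guarantees.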

Are there performance implications due to using TLS everywhere?

Not in practice. TLS adds a handshake round trip when a connection is opened and a small per-byte CPU cost, but with connection reuse and TLS session resumption (both handled for you by NSURLSession) the overhead is negligible for a typical app, and ATS’s required cipher suites are the same ones any well-configured HTTPS server already uses. Performance is not a reason to turn ATS off.

It seems like a lot of these debugging, testing, and deployment issues could be vastly improved.

Yes. Apple has provided the bare minimum possible in documentation and tooling around App Transport Security. Specifically:

Previous writing

September 18, 2015: “Nobody is using App Transport Security; what’s next?”


As always, I welcome discussion and feedback; I’m @cdzombak on Twitter.