Understanding App Transport Security

With iOS 9, Apple introduced App Transport Security (ATS). ATS makes applications safer and more secure by prohibiting the use of non-HTTPS resources. This is a great security feature, as it protects your users from a wide range of attacks that can be executed on regular HTTP connections.

If you paid close attention to the URL that's used to fetch movies, you may have noticed that it is an HTTPS resource, so it should be fine to load this URL. However, the network requests are still blocked by ATS. Why is this?

Well, Apple has strict requirements. At the time of writing this book, the movie database signs its certificates with SHA-1, whereas Apple requires SHA-2. Because of this, you will need to circumvent ATS for now. Your users should be safe regardless, since the movie database supports HTTPS, just not with the certificate signature Apple considers to be secure enough.

To do this, open the Info.plist file and add a new dictionary key named App Transport Security Settings. In this dictionary, you will need an Exception Domains dictionary. Add a new dictionary key named themoviedb.org to the Exception Domains dictionary and add two Booleans to it. Both should have YES as their values, and they should be named NSIncludesSubdomains and NSTemporaryExceptionAllowsInsecureHTTPLoads. Refer to the following screenshot to make sure that you've set this up correctly:
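The exception described above, shown as raw Info.plist source and run through a small audit script that lists every domain where HTTPS enforcement is relaxed. This is an added example, not code from the book; the plist is constructed from the steps above, where NSAppTransportSecurity and NSExceptionDomains are the raw key names behind the labels Xcode displays. The function name audit_ats is hypothetical, and the checks for NSAllowsArbitraryLoads and NSExceptionAllowsInsecureHTTPLoads go beyond the keys named in the text.

```python
import plistlib

# Constructed Info.plist fragment matching the steps above (raw key names).
INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSExceptionDomains</key>
        <dict>
            <key>themoviedb.org</key>
            <dict>
                <key>NSIncludesSubdomains</key>
                <true/>
                <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
                <true/>
            </dict>
        </dict>
    </dict>
</dict>
</plist>
"""

# Per-domain keys that permit plain HTTP loads despite ATS.
INSECURE_KEYS = ("NSExceptionAllowsInsecureHTTPLoads",
                 "NSTemporaryExceptionAllowsInsecureHTTPLoads")


def audit_ats(plist_bytes):
    """Return a sorted list of findings for ATS exceptions in an Info.plist."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    # A global opt-out is far broader than a per-domain exception.
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("*: ATS disabled for all domains")
    for domain, cfg in ats.get("NSExceptionDomains", {}).items():
        if any(cfg.get(key) for key in INSECURE_KEYS):
            scope = "and subdomains" if cfg.get("NSIncludesSubdomains") else "only"
            findings.append(f"{domain}: insecure HTTP loads allowed ({scope})")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_ats(INFO_PLIST):
        print(finding)
```

Running a check like this before each release makes it easy to spot an exception that can be removed once the server's certificate meets Apple's requirements.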

If you add a new movie to a family member now, nothing updates yet. However, if you go back to the family overview and then back to the family member, you'll see that the rating for the most recent movie is updated. Great! Now, all you need to do is make sure that we observe the managed object context for updates to the movies so they are reloaded if their rating changes.