Disabling ATS for an in-app browser in iOS 9?

Question

iOS 9 introduces App Transport Security (ATS) to encourage the use of secure connections.

This is great, but what if my app has a built in web browser that the user

Answer 1

Rather than enabling NSAllowsArbitraryLoads, a more secure solution is to conditionally use SFSafariViewController, which allows arbitrary loads.

If the class exists, then present it, otherwise, present your own UIViewController (which contains a UIWebView).

UIViewController *webBrowser;
if ([SFSafariViewController class] != nil) {
    webBrowser = [[SFSafariViewController alloc] initWithURL:url];
} else {
    webBrowser = [[ABCWebBrowserController alloc] initWithURL:url];
}

[self presentViewController:webBrowser animated:YES completion:nil];

Answer 2

In this case you will need to disable ATS generally, by setting NSAllowsArbitraryLoads to true. If you have specific URLs that you know can support HTTPS (such as your own servers or API servers that you use in the app outside of the UIWebView) then you can create an exception and set NSExceptionsAllowsInsecureHTTPLoads to false for those exceptions