Is it safe, in terms of security, to add localhost to ATS NSExceptionDomains for development use? It's not very convenient (and it's easy to forget) to remove those lines from the Info.plist file before every commit.
    <!-- NSAppTransportSecurity is the top-level Info.plist key this dictionary belongs under -->
    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSExceptionDomains</key>
        <dict>
            <key>localhost</key>
            <dict>
                <key>NSIncludesSubdomains</key>
                <true/>
                <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
                <true/>
            </dict>
        </dict>
    </dict>
Additionally, can Apple reject the application because of this?
You can now do this for local addresses:
    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSAllowsLocalNetworking</key>
        <true/>
    </dict>
Apple has blessed this key as an ATS exception — it has said it will not reject apps for using it. More info here: https://developer.apple.com/library/content/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html (search in page for "local")
If it is not needed in the production version of the app, I would set up your build configs to use two different Info.plist files. You can basically have your internal version of the plist set up as "Internal-Info.plist" and have the localhost exclusion in it. Then have the production "Info.plist" which does not have that exclusion, giving Apple no reason to possibly reject your app now or in the future.
To configure your builds to automatically pull in the right Info.plist for the type of build:
- Select your project from the navigator to the left
- Select the target you want to change (under "TARGETS")
- Click "Build Settings"
- Search for "Info.plist"
- In the Packaging section, you should see a setting called "Info.plist File". Select the row, then click the little triangle to expand it so you can have different settings for different build configs. Change the value for "Debug" to "Internal-Info.plist"
Make sure you copy the "Info.plist" to a new file called "Internal-Info.plist", remove the exclusion from the "Info.plist" and you should be good.
Apple could reject you now for this (only Apple would know), but starting in 2017, Apple will require a valid reason for any ATS exclusions, so unless you have a valid justification for excluding localhost from ATS requirements, it's best to just set it up correctly now.
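As an added example that is not part of the question or either answer: the two-plist setup above only helps if something actually checks that the plist shipped to Apple carries no exception, and the NSAllowsLocalNetworking key from the first answer is likewise something you want to notice before release rather than after review. The script below lints an Info.plist for ATS relaxations (the global NSAllowsArbitraryLoads* and NSAllowsLocalNetworking switches, plus per-domain cleartext, forward-secrecy and minimum-TLS overrides) using only the standard library's plistlib. The two sample plists, the bundle identifier and the script name ats_lint.py are constructed for this example.

```python
"""Lint an Info.plist for App Transport Security (ATS) exceptions.

Added example, not code from the question or either answer. It is the gate
the two-plist setup needs: fail when the plist destined for the App Store
still carries a development-only ATS exception.
"""
import plistlib
import sys

# Constructed sample: the Debug/internal plist carrying the localhost
# exception from the question (bundle identifier is a placeholder).
DEBUG_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.app</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>localhost</key>
      <dict>
        <key>NSIncludesSubdomains</key>
        <true/>
        <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
        <true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Constructed sample: the production plist with no NSAppTransportSecurity
# dictionary at all, so ATS defaults apply to every host.
RELEASE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.app</string>
</dict>
</plist>
"""

# Global switches that relax ATS for every host or for a class of hosts.
GLOBAL_KEYS = (
    "NSAllowsArbitraryLoads",
    "NSAllowsArbitraryLoadsInWebContent",
    "NSAllowsArbitraryLoadsForMedia",
    "NSAllowsLocalNetworking",
)

# Per-domain keys that permit cleartext HTTP. iOS accepts both the original
# "NSTemporaryException..." spellings and the later names, so check all four.
CLEARTEXT_KEYS = (
    "NSExceptionAllowsInsecureHTTPLoads",
    "NSTemporaryExceptionAllowsInsecureHTTPLoads",
    "NSThirdPartyExceptionAllowsInsecureHTTPLoads",
    "NSTemporaryThirdPartyExceptionAllowsInsecureHTTPLoads",
)


def ats_findings(plist_bytes: bytes) -> list:
    """Return one string per ATS relaxation found; empty means ATS is intact."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity") or {}
    findings = []
    for key in GLOBAL_KEYS:
        if ats.get(key) is True:
            findings.append(f"{key}=true")
    for domain, rules in (ats.get("NSExceptionDomains") or {}).items():
        scope = f"{domain} (and subdomains)" if rules.get("NSIncludesSubdomains") else domain
        for key in CLEARTEXT_KEYS:
            if rules.get(key) is True:
                findings.append(f"{scope}: {key} permits cleartext HTTP")
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"{scope}: forward secrecy not required")
        tls = rules.get("NSExceptionMinimumTLSVersion")
        if tls in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"{scope}: minimum TLS lowered to {tls}")
    return findings


def release_ready(plist_bytes: bytes) -> bool:
    """True when the plist carries no ATS exception at all."""
    return not ats_findings(plist_bytes)


def main(argv):
    """Lint each plist path given; with no arguments, lint the two samples."""
    if argv:
        targets = [(path, open(path, "rb").read()) for path in argv]
    else:
        targets = [("Internal-Info.plist (sample)", DEBUG_PLIST),
                   ("Info.plist (sample)", RELEASE_PLIST)]
    failed = False
    for name, data in targets:
        found = ats_findings(data)
        print(f"{name}: {'ATS exceptions present' if found else 'OK'}")
        for item in found:
            print(f"  - {item}")
        failed = failed or bool(found)
    # Only real files fail the build; the built-in samples are just a demo.
    return 1 if (argv and failed) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python ats_lint.py Info.plist` from a pre-commit hook or a CI step against the production plist only; a non-zero exit means an exception is about to ship. The Debug/Release split described in the answer is the INFOPLIST_FILE build setting, so the same per-configuration choice can also be kept in an .xcconfig file under version control rather than clicked through in Xcode.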
Source: https://stackoverflow.com/questions/38501012/is-it-safe-to-add-localhost-to-app-transport-security-ats-nsexceptiondomains