
App Transport Security

App Transport Security (ATS) is an iOS and macOS networking security feature introduced by Apple that requires applications to use HTTPS with strong TLS configurations for all network connections, blocking plaintext HTTP traffic by default.

Since iOS 9, ATS has been enabled by default for all applications, requiring that every network connection use TLS 1.2 or later with forward secrecy cipher suites and certificates signed with at least SHA-256. This policy eliminates a broad class of transport-layer vulnerabilities by preventing developers from accidentally or intentionally making unencrypted connections to backend servers.

Developers can declare exceptions to ATS in their application's Info.plist file for specific domains that do not yet support the required TLS configuration. However, Apple's App Store review process scrutinises ATS exceptions, and applications with blanket exemptions that disable ATS entirely must provide justification. The intent is to push the entire ecosystem toward strong transport security as a baseline.
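The exceptions described above live under the `NSAppTransportSecurity` key in Info.plist, and the difference between a blanket `NSAllowsArbitraryLoads` and a scoped `NSExceptionDomains` entry is exactly what a reviewer (or an automated pre-submission check) wants to see. The following Python script is an added example, not Vulnsy's or Apple's code: it parses an Info.plist with the standard-library `plistlib` and reports each way the file weakens ATS. The two plist fragments and the host `legacy.example.com` are constructed for the example.

```python
import plistlib

# Constructed Info.plist fragment A (not from any real app): the blanket
# exemption that switches ATS off for every host.
BLANKET_EXEMPTION = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
  </dict>
</dict>
</plist>
"""

# Constructed fragment B: a scoped exception for one legacy host (assumed name).
# Every other host in the app stays under the default ATS policy.
SCOPED_EXCEPTION = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSIncludesSubdomains</key>
        <false/>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
        <key>NSExceptionMinimumTLSVersion</key>
        <string>TLSv1.1</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Constructed fragment C: no ATS dictionary at all, so the iOS 9+ default applies.
DEFAULT_POLICY = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.app</string>
</dict>
</plist>
"""


def audit_ats(plist_bytes: bytes) -> list[str]:
    """Return one finding per ATS weakening declared in an Info.plist.

    An empty list means the file leaves Apple's default ATS policy in place
    (HTTPS only, TLS 1.2+, forward secrecy) for every host.
    """
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings: list[str] = []

    # App-wide switches: these are what App Store review asks to be justified.
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads=true: ATS disabled for all hosts "
                        "(plaintext HTTP and weak TLS accepted everywhere)")
    if ats.get("NSAllowsArbitraryLoadsInWebContent"):
        findings.append("NSAllowsArbitraryLoadsInWebContent=true: ATS disabled for web view content")
    if ats.get("NSAllowsArbitraryLoadsForMedia"):
        findings.append("NSAllowsArbitraryLoadsForMedia=true: ATS disabled for AVFoundation media loads")

    # Per-domain exceptions: narrower, but each one still lowers the bar for that host.
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        scope = domain + (" (+subdomains)" if rules.get("NSIncludesSubdomains") else "")
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"{scope}: plaintext HTTP permitted")
        tls = rules.get("NSExceptionMinimumTLSVersion")
        if tls in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"{scope}: minimum TLS version lowered to {tls}")
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"{scope}: forward secrecy no longer required")
    return findings


if __name__ == "__main__":
    for name, plist in (("blanket", BLANKET_EXEMPTION),
                        ("scoped", SCOPED_EXCEPTION),
                        ("default", DEFAULT_POLICY)):
        print(name, audit_ats(plist) or ["no ATS weakening declared"])
```

Running the script against the three fragments shows why the scoped form is the one that survives review: fragment A produces a single app-wide finding, fragment B produces findings tied to one named host, and fragment C produces none. In a build pipeline the same function can be pointed at the built app's Info.plist and the result compared against an approved list of exceptions.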

ATS complements but does not replace certificate pinning. While ATS ensures that connections use modern TLS with valid certificates, it does not prevent interception by an attacker who has installed a trusted root certificate on the device. Certificate pinning adds an additional layer by restricting which specific certificates or public keys the application will accept.

On Android, a similar mechanism called Network Security Configuration was introduced in Android 7.0, allowing developers to define trust anchors, certificate pins, and cleartext traffic permissions in an XML configuration file. Together, these platform-level features have significantly raised the baseline security of mobile network communications across both major ecosystems.
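The Android counterpart is a plain XML file referenced from the manifest, so the same kind of check applies to it. The script below is an added example, not Vulnsy's or Google's code: it parses a Network Security Configuration with the standard-library `xml.etree` module and flags the settings that undo what the page describes, namely cleartext permissions, trust in user-installed CAs (which is what lets an added root certificate intercept traffic), and a pin set without a backup pin. The two configurations, the host `api.example.com` and the placeholder pin values are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed network_security_config.xml (not from any real app): permits cleartext
# for every host and trusts user-added CAs, so an installed root can intercept TLS.
PERMISSIVE_CONFIG = b"""<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
"""

# Constructed hardened configuration: cleartext off, system CAs only, and a pin
# set with a backup pin for the API host. The pin values are placeholders.
HARDENED_CONFIG = b"""<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2026-01-01">
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
"""


def _user_anchor_findings(section: ET.Element, label: str) -> list[str]:
    """Flag trust-anchors that include user-installed certificates."""
    return [f"{label}: user-installed CAs trusted (added root can intercept TLS)"
            for cert in section.findall("./trust-anchors/certificates")
            if cert.get("src") == "user"]


def audit_nsc(xml_bytes: bytes) -> list[str]:
    """Return one finding per weakening in a Network Security Configuration.

    Only explicit cleartextTrafficPermitted="true" is flagged: when the attribute
    is absent the platform default applies (true below API 28, false from API 28),
    which this parser cannot know without the app's targetSdkVersion.
    """
    root = ET.fromstring(xml_bytes)
    findings: list[str] = []

    base = root.find("base-config")
    if base is not None:
        if base.get("cleartextTrafficPermitted", "").lower() == "true":
            findings.append("base-config: cleartext traffic permitted for all hosts")
        findings += _user_anchor_findings(base, "base-config")

    for dc in root.findall("domain-config"):
        label = ", ".join(d.text.strip() for d in dc.findall("domain") if d.text)
        if dc.get("cleartextTrafficPermitted", "").lower() == "true":
            findings.append(f"{label}: cleartext traffic permitted")
        findings += _user_anchor_findings(dc, label)
        pin_set = dc.find("pin-set")
        if pin_set is not None and len(pin_set.findall("pin")) < 2:
            findings.append(f"{label}: pin-set has no backup pin; a key rotation will lock users out")
    return findings


if __name__ == "__main__":
    print("permissive:", audit_nsc(PERMISSIVE_CONFIG))
    print("hardened:  ", audit_nsc(HARDENED_CONFIG) or ["no weakening declared"])
```

The permissive file yields two findings (cleartext everywhere, user CAs trusted) and the hardened file none. The backup-pin check is there because pinning is the one setting on this page that can break an app in production: a pin set that names only the current key leaves no way to rotate without an app update.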
