Fix iOS 9 App Transport Security Issues In Apache Cordova

The release of iOS 9 has caused a mess of problems in the Apache Cordova, Ionic Framework, and PhoneGap communities.  Problems spanning from styling issues, to permission issues, and even stricter security requirements that Apache Cordova wasn’t ready to handle.

Here I’m going to discuss App Transport Security (ATS) an issue that is rapidly appearing amongst app developers.

If your Apache Cordova application uses the InAppBrowser plugin to access external resources such as websites, you might have experienced the following error:

Although not fun to see, it is actually a good thing because iOS wants connections to be secure.  This security measure can actually be overwritten to allow your application to perform like it did in earlier versions of iOS.  You need to add the following to your Xcode info.plist file:

Building and running your application again should present better results.  ATS is not limited to only the InAppBrowser plugin, even though that is the most reported cause that I see.

A Real Life Example

Let’s say you are using the ng-cordova-oauth library that I wrote.  Out of the box it will work fine with Android and iOS versions earlier than 9.0.  However in iOS 9 you’ll get ATS errors.  When you try to initiate the oauth login flow you’ll be left with a blank screen wondering what went wrong.

If you don’t want to disable App Transport Security for all domains, you can make domain exceptions as described in the official documentation released by Apple.  This will keep application security as strong as possible.

Conclusion

As much of a pain App Transport Security (ATS) seems in iOS 9, it is actually a positive thing for your users.  With a few modifications you can make exceptions to allow communication between the application and insecure external resources.