Enable clear-text local traffic on iOS not working in .net MAUI

I’m trying to connect to http in my .net MAUI app and I disabled the Apple Transport Security (ATS) following Microsoft documentation (from here) by adding below configuration in the info.plist file:

<key>NSAppTransportSecurity</key>    
<dict>
    <key>NSAllowsLocalNetworking</key>
    <true/>
</dict>

However, I’m still getting below error message when attempting to communicate with the API using http:

[0:] An error occurred: 'Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection., NSErrorFailingURLStringKey=http://restapi.adequateshop.com/api/Tourist, NSErrorFailingURLKey=http://restapi.adequateshop.com/api/Tourist, _NSURLErrorRelatedURLSessionTaskErrorKey=(
    "LocalDataTask <27DB8D6A-2EB6-41FE-953E-6FA2BFDBEDDC>.<1>"
), _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <27DB8D6A-2EB6-41FE-953E-6FA2BFDBEDDC>.<1>, NSUnderlyingError=0x280b9b330 {Error Domain=kCFErrorDomainCFNetwork Code=-1022 "(null)"}}'. Callstack: ''

Any idea how to resolve this? Thank you in advance.

>Solution :

The key that is specified in that documentation page only works for local addresses like IP addresses or addressed that end in .local as see in the Apple documentation here.

From your error message it seems that you are trying to reach a regular web address. In that case the key you need is: NSAllowsArbitraryLoads so that it opts out of ATS altogether.

Your full entry will then look like this:

<key>NSAppTransportSecurity</key>    
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

However, I would not recommend doing this. Please try to get your endpoints on https. It should not be expensive anymore nowadays and this way your users and you will be at risk.

If you really can’t add https, try to limit the unsafe connections made for your app to a single domain, how that is done can be found here in the Apple documentation.

Basically your info.plist entry should now look something like this:

<key>NSAppTransportSecurity</key>
<dict>
  <key>NSAllowsArbitraryLoads</key>
  <false/>
  <key>NSExceptionDomains</key>
  <dict>
    <key>adequateshop.com</key>
    <dict>
      <key>NSIncludesSubdomains</key>
      <true/>
      <key>NSExceptionAllowsInsecureHTTPLoads</key>
      <true/>
    </dict>
  </dict>
</dict>

But again, I would recommend fixing the server to be secure above all.

Leave a Reply