Managing ATS in iOS9 Cordova applications

If you are writing a Cordova app and noticed that it stopped working in iOS9, that’s probably because of Apple Transport Security (ATS). This effectively forces all AJAX communication in your Cordova app to be https.

In principle this is a good thing as everyone should of course be using https for remote calls. However, if you develop against a local server with Vagrant or similar, chances are that you aren’t going to be using https.

Therefore you need to add an exception to the project’s app.plist file for your domain. Unfortunately Cordova overwrites this file each time you rebuild the project, so the best way to deal with this is using a hook and a small script that uses plistbuddy to update the file each time. Credit to James in this thread for this approach.

So, create a file in <cordova-project>/hooks/after_prepare/, give it execute permissions with chmod +x and then use the following file contents, replacing local.server with whatever your local server is called.

You can add as many exceptions as you need (even against remote servers, although that’s not recommended and apparently might affect your app being accepted into the App Store).


# Bypass ATS for test servers
cat << EOF |
Add :NSAppTransportSecurity:NSExceptionDomains:local.server:NSTemporaryExceptionAllowsInsecureHTTPLoads bool true
while read line
/usr/libexec/PlistBuddy -c "$line" $PLIST


Leave a Reply

Your email address will not be published. Required fields are marked *