by SunboX 3466 days ago
Think of IoT Devices. For example, Sony's NEX Cameras have a built-in HotSpot. You connect your phone to it and you have remote control to your camera. This has no HTTPS by now. Apple would break all those remote control apps. And it can't be fixed by releasing a new app version, because you also have to update the cameras.
4 comments

There are allowances made for local networking.

From the Info.plist key reference (https://developer.apple.com/library/content/documentation/Ge...):

App Transport Security (ATS) applies only to connections made to public host names. The system does not provide ATS protection to connections made to:

* Internet protocol (IP) addresses

* Unqualified host names

* Local hosts employing the .local top-level domain (TLD)

To connect to an unqualified host name or to a .local domain, you must set the value of the NSAllowsLocalNetworking key to YES.
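As an added illustration (not from the comment above or from Apple's documentation), here is what the local-networking allowance looks like in an app's Info.plist. The `NSAppTransportSecurity` dictionary, `NSAllowsLocalNetworking`, `NSExceptionDomains`, `NSExceptionAllowsInsecureHTTPLoads` and `NSIncludesSubdomains` keys are real ATS keys; the `camera.example.com` host name is a constructed placeholder. The point is that the exception is scoped: local/unqualified hosts and one named domain are exempted, while ATS stays enforced for every other public host, instead of disabling it globally with `NSAllowsArbitraryLoads`.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <!-- Other Info.plist entries (bundle id, version, ...) omitted. -->
  <key>NSAppTransportSecurity</key>
  <dict>
    <!-- Scoped allowance: plain HTTP to IP addresses, unqualified
         host names and .local hosts (the camera-hotspot case) is
         permitted. Public host names are still subject to ATS. -->
    <key>NSAllowsLocalNetworking</key>
    <true/>

    <!-- Per-domain exception, only if a specific vendor host must be
         reached over HTTP. "camera.example.com" is a constructed
         placeholder, not a real device endpoint. -->
    <key>NSExceptionDomains</key>
    <dict>
      <key>camera.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
        <key>NSIncludesSubdomains</key>
        <false/>
      </dict>
    </dict>

    <!-- Deliberately NOT set: this would switch ATS off for every
         connection the app makes, which is the blunt "whitelist
         everything" approach rather than a targeted exception. -->
    <!--
    <key>NSAllowsArbitraryLoads</key>
    <true/>
    -->
  </dict>
</dict>
</plist>
```

With this configuration, a request to `http://192.168.1.20/` or `http://camera.local/` succeeds without touching ATS, while a request to `http://api.somevendor.com/` is still blocked by ATS and fails unless that host is either listed under `NSExceptionDomains` or served over TLS.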

That's assuming you're using Bonjour (zero config). I have 2 clients with thousands of in home devices which are using NetBIOS to resolve a local IP address and directly connecting over HTTP. I imagine there are many other hardware vendors still using this method out there.
Sounds like the HTTP connection is being made to an IP address, in which case you should be fine.
It can't even be fixed then because TLS certs aren't possible for LAN connections (or at least not validate-able, which means the same thing).
TLS certs are about to be possible for LAN connections with Beame.io's open source SDK, though
A good start would be a warning about insecure connections being made by the app.
They had a method for whitelisting vanilla HTTP domains in the app plists. It wasn't going to eliminate HTTP. It was going to push general app transport to TLS by default.

Apple seems to have wildly varying execution. Some things they do are great. Other times their behavior is shockingly erratic.