Regarding Apple's App Transport Security (ATS) #38

@faultables

Description

Some users have reported (via App Store reviews and other channels) issues with "App Transport Security (ATS)", and this is understandable.

First, "Insecure network connections" are allowed by ATS if the request is to private IP ranges as defined by RFC 1918:

  • 192.168.0.0/16
  • 10.0.0.0/8
  • 172.16.0.0/12

You'll also need to confirm when the app (like flo) asks for "Local Network" permission.

Second, the CGNAT range (100.64.0.0/10) is unfortunately not treated as private by Apple's ATS. Some VPN providers such as Tailscale use this range.

Third, technically, a VPN connection is not considered "insecure" even if web requests are made using HTTP. However, this interpretation is subject to Apple's implementation, not mine.
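To see which of the cases above a given server address falls into, here is an added Python checker. It is not part of flo or Navidrome and is not Apple's implementation; it only models the rules as this issue states them: plain HTTP to RFC 1918 space passes, CGNAT (100.64.0.0/10) and public addresses do not, and https always passes. DNS hostnames and IPv6 private space are not modelled.

```python
import ipaddress
from urllib.parse import urlsplit

# RFC 1918 ranges that, per the issue, ATS accepts for plain-HTTP ("insecure") loads.
ATS_PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
# CGNAT / shared address space (RFC 6598); Tailscale assigns addresses from here.
# Per the issue, ATS does NOT treat this range as private.
CGNAT_RANGE = ipaddress.ip_network("100.64.0.0/10")


def classify_host(host: str) -> str:
    """Classify a host literal as 'rfc1918', 'cgnat', 'public' or 'hostname'."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"  # DNS names resolve at runtime; not modelled here
    if any(addr in net for net in ATS_PRIVATE_RANGES):
        return "rfc1918"
    if addr in CGNAT_RANGE:
        return "cgnat"
    return "public"  # any other IPv4 space, and all IPv6, is treated as public here


def plain_http_allowed(url: str) -> bool:
    """True only when ATS, as described in the issue, would permit this URL."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        return True  # TLS satisfies ATS regardless of the address
    if parts.scheme != "http" or not parts.hostname:
        return False
    return classify_host(parts.hostname) == "rfc1918"


def recommendation(url: str) -> str:
    """Map a Navidrome server URL to the option from the issue that applies to it."""
    kind = classify_host(urlsplit(url).hostname or "")
    if plain_http_allowed(url):
        return "ok: ATS permits this request as-is"
    if kind == "cgnat":
        return "cgnat: use `tailscale cert` (option 2) or a subnet router advertising an RFC 1918 address (option 3)"
    if kind == "public":
        return "public: use a TLS certificate (option 2) and review Navidrome's Security Considerations"
    return "hostname: make sure it resolves to an RFC 1918 address, or serve it over TLS"
```

Calling `recommendation("http://100.101.102.103:4533")` shows the Tailscale case the issue describes: the address is in CGNAT space, so plain HTTP is refused even though the traffic rides a VPN.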

Options

1. NSAllowsArbitraryLoads: true

This option bypasses ATS restrictions, but neither I nor the app should be blamed if something goes wrong. This option is unlikely to ever be implemented.

2. Use a TLS Certificate

Using a TLS certificate is highly recommended. It's secure, free, and follows best practices™.

However, setting it up can be challenging, especially if a reverse proxy is not your thing.

  • If you're using Tailscale (me too btw), consider using tailscale cert. The setup is relatively straightforward.
  • If you're using a VPN provider other than Tailscale, you probably already know what you're doing.
  • A "CDN" like Cloudflare and others may help you set up TLS certificates with one click.

3. Other Options

If you still prefer not to use a TLS certificate for personal reasons, here are alternatives:

  • Use Tailscale Subnet Router to advertise the private IP where your Navidrome server resides. This option will allow you to bypass ATS
  • Most VPN providers use RFC 1918 private IP ranges, so you likely won't encounter issues in the first place
  • If you're accessing your server via a public IP, consider rethinking your implementation. Refer to the Security Considerations section in the Navidrome documentation to learn more.

Conclusion

There is no solution from the flo (app) side to fix this issue. This GitHub issue is provided so users can find answers to their questions.
