When ATS is officially executed (with no exceptions) in January 2017, will I be able to leave a non-https website link in an app that is allowed to be opened by safari rather than in an in-browser app? Or is this practice also unacceptable?
Is there any way to maintain reference to a non-https site once this change takes place? Or is this practice DOA?
App Transport Security only affects server calls within the app. If you are loading the URLs in Safari, you will be fine. In fact, here is a good tutorial for a developer who attempts to load pages in the UIWebView, but if it fails due to ATS, they load it in Safari instead.
One additional note is that you should consider using
SFSafariViewController to open the URLs within your app, but with all of the benefits of opening in Safari.
SFSafariViewController allows arbitrary loads (meaning it doesn't enforce ATS), but it allows you to keep users within your app. It's certainly worth considering if you are targetting iOS 9 and newer.
Also, your question has a bit of an incorrect statement in that ATS will be more strict starting in 2017, but there will still be exceptions allowed. Certain media streams will not require ATS (because of the overhead of encryption on something like a video), as well as your apps can still request an exception from Apple, but it remains to be seen what Apple will deem a valid justification for exceptions. Also, Apple will still be allowing apps to put in exceptions for the forward secrecy requirement of ATS. So it's not quite as simple as your question states.
It appears Apple has added a new exception you can use to allow non-ATS connections in
WKWebview instances. It is
NSAllowsArbitraryLoadsInWebContent. This should do exactly what you are looking for. Here is a great summary of the latest with ATS: preparing for ATS in 2017.