App Transport Security for iOS 10 Apps
During a security presentation at WWDC, Apple revealed the deadline for all apps in its App Store to switch on App Transport Security (ATS) before January 1, 2017.
Join the DZone community and get the full member experience.Join For Free
January 1, 2017
During a security presentation at Worldwide Developers’ Conference, Apple revealed the deadline for all apps in its App Store to switch on App Transport Security (ATS) before January 1, 2017.
It is important for app publishers to note that this applies to all services they use:
- mBaaS or Mobile backend as a service provider
- SaaS platforms for mobile app performance management, crash analysis, basic analytics,
- Push notification service providers,
- Growth Intelligence platforms for Contextual marketing and Growth Automation platforms
You will not be able to submit apps to the app store if your provider does not support HTTPS or TLS 1.2. Apps submitted before Jan 1, 2017, are expected to continue to work with HTTP.
With iOS 9, a new security feature App Transport Security (ATS) is available to iOS apps and is automatically enabled when you link your app against the iOS 9.0 SDK or later. All connections from the app to internet resources using NSURLConnection, NSURLSession and CFURL are required to follow the ATS security requirements. When connections do not meet these requirements, they fail with an exception. From App Transport Security (developer.apple.com):
App Transport Security (ATS) enforces best practices in the secure connections between an app and its back end. ATS prevents accidental disclosure, provides secure default behavior, and is easy to adopt; it is also on by default in iOS 9 and OS X v10.11. You should adopt ATS as soon as possible, regardless of whether you’re creating a new app or updating an existing one.
If you’re developing a new app, you should use HTTPS exclusively. If you have an existing app, you should use HTTPS as much as you can right now, and create a plan for migrating the rest of your app as soon as possible. In addition, your communication through higher-level APIs needs to be encrypted using TLS version 1.2 with forward secrecy. If you try to make a connection that doesn’t follow this requirement, an error is thrown. If your app needs to make a request to an insecure domain, you have to specify this domain in your app’s Info.plist file.
Published at DZone with permission of Dickey Singh, DZone MVB. See the original article here.
Opinions expressed by DZone contributors are their own.