
Apple's new security policy over HTTPS and IPv6: clarifications

We have an existing iPhone/iPad application that currently consumes HTTP SOAP and REST services. As per the new rules and regulations of Apple, do we need to convert our existing HTTP services to HTTPS?

Can we use a self-signed certificate on the server to make the service SSL-enabled? Is there any problem with Apple if we are using a self-signed certificate, or do we need to purchase a new SSL certificate?

Also, currently I am accessing the web services through an IPv4 address. Do I need to change it to IPv6?

When will Apple start reviewing these conditions? I want to release the updated version of my app next month. Do I need to follow these rules from the next build onwards?

Roshil K asked Oct 30 '22 18:10


1 Answer

In terms of ATS (App Transport Security), yes, it is a new requirement for all iOS 9 devices running apps built with Xcode 7.

https://developer.apple.com/library/prerelease/ios/technotes/App-Transport-Security-Technote/

All connections using the NSURLConnection, CFURL, or NSURLSession APIs use App Transport Security default behavior in apps built for iOS 9.0 or later, and OS X v10.11 or later. Connections that do not follow the requirements will fail.

BUT your application can specifically opt out if needed by adding exceptions to your Info.plist, at least until Apple changes that, assuming sometime in the future they will enforce 100% compliance, maybe the iOS 10 release(?), maybe earlier(?)...

Opt-out Example:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

Via: Google Ads Developer: http://googleadsdeveloper.blogspot.ch/2015/08/handling-app-transport-security-in-ios-9.html

Note: You can use "nscurl --ats-diagnostics" on an OS X 10.11 installation to test for ATS compliance on the URLs that your app will use. I would highly recommend doing that before app (re)submission to ensure that you do not need to request exceptions via the Info.plist.

Self-signed certs will not work unless you add the signing CA details and trust it, or again disable ATS via an Info.plist exception. Save yourself the trouble and just purchase a compliant SSL cert.

Also, currently I am accessing the web services through an IPv4 address. Do I need to change it to IPv6?

No, your servers do not need to run IPv6. They should, but that is up to you and your hosting provider, as some mobile operators have moved to IPv6 only due to lack of IPv4 addresses, but, of course, they are providing NAT translation to IPv4.

But your app HAS to be IPv6 enabled/ready in order to work with those providers, otherwise you will get an app rejection. I highly recommend reading the Apple doc on this.

Several situations can prevent an app from supporting IPv6 and these get rejected:

  • IP address literals embedded in protocols. Many communications protocols, such as Session Initiation Protocol (SIP), File Transfer Protocol (FTP), WebSockets, and Peer-to-Peer Protocol (P2PP), include IP address literals in protocol messages. See Use High-Level Networking Frameworks and Don’t Use IP Address Literals.
  • IP address literals embedded in configuration files. Configuration files often include IP address literals. See Don’t Use IP Address Literals.
  • Network preflighting. Many apps attempt to proactively check for an Internet connection or an active Wi-Fi connection by passing IP address literals to network reachability APIs.
  • Using low-level networking APIs. Some apps work directly with sockets and other raw network APIs such as gethostbyname, gethostbyname2, and inet_aton. These APIs are prone to misuse or they only support IPv4—for example, resolving hostnames for the AF_INET address family, rather than the AF_UNSPEC address family.
  • Using small address family storage containers. Some apps and networking libraries use address storage containers—such as uint32_t, in_addr, and sockaddr_in—that are 32 bits or smaller.

For more details and how to work around/resolve the above items, see: https://developer.apple.com/library/prerelease/ios/documentation/NetworkingInternetWeb/Conceptual/NetworkingOverview/UnderstandingandPreparingfortheIPv6Transition/UnderstandingandPreparingfortheIPv6Transition.html#//apple_ref/doc/uid/TP40010220-CH213-SW1

SushiHangover answered Nov 11 '22 14:11
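
A pre-submission check covering both halves of the answer above, as an added example (not code from the answer or from Apple): it parses an Info.plist and flags the global ATS opt-out, cleartext http:// endpoints and embedded IPv4 literals. The ServiceURL and FallbackHost keys and all sample values are constructed assumptions; NSAppTransportSecurity and NSAllowsArbitraryLoads are the keys shown in the answer.

```python
import plistlib
import re

# Constructed sample: the answer's opt-out plus hypothetical endpoint settings.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSAllowsArbitraryLoads</key>
        <true/>
    </dict>
    <key>ServiceURL</key>
    <string>http://192.0.2.10/soap/orders</string>
    <key>FallbackHost</key>
    <string>api.example.com</string>
</dict>
</plist>"""

IPV4_CANDIDATE = re.compile(r"(?<![\w.])\d{1,3}(?:\.\d{1,3}){3}(?![\w.])")

def walk_strings(node, path=""):
    """Yield (key path, value) for every string in the plist tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk_strings(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk_strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node

def audit_plist(data):
    """Return sorted (finding, key path) pairs for a plist given as bytes."""
    plist = plistlib.loads(data)
    findings = []
    ats = plist.get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads") is True:  # ATS disabled app-wide
        findings.append(("ats-disabled", "/NSAppTransportSecurity/NSAllowsArbitraryLoads"))
    for path, text in walk_strings(plist):
        if text.lower().startswith("http://"):  # cleartext endpoint
            findings.append(("cleartext-url", path))
        for literal in IPV4_CANDIDATE.findall(text):
            if all(int(octet) <= 255 for octet in literal.split(".")):
                findings.append(("ipv4-literal", path))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit_plist(SAMPLE_PLIST), sep="\n")
```

Any four-part dotted number with octets up to 255 is reported, so a version string such as 1.2.3.4 needs a manual look before it is treated as an address.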