App Transport Security required in iOS apps submitted after January 1st 2017

2017-05-24 14:03:29 UTC

Edit: Apple have extended the deadline until further notice.

https://developer.apple.com/news/?id=12212016b&1482372961 

 

Apple will implement strict security requirements for apps submitted after January 1st 2017. This article tells you what you need to know regarding ATS when upgrading your app.

Don’t worry, Visiolink will guide you all the way.

What is ATS?

App Transport Security (ATS) is a feature of iOS. New requirements from Apple state that ATS is mandatory after January 1st 2017 for all developers submitting to the App Store. It forces an app to connect to websites over HTTPS rather than HTTP, which keeps user data secure in transit by encrypting it. ATS also requires Transport Layer Security (TLS) v1.2.

What does this mean exactly?

Apple have enforced strict security rules for what kind of websites an app can connect to. If an app links to a website that doesn’t follow those security rules, that link won’t work. This applies not just to Visiolink apps, but to all apps submitted to the App Store. It is mainly relevant for advertisements, because we can’t control where they link or the security of that connection.

Example: A clickable advertisement links to a website inside the app. If that website doesn’t follow the security rules, then the clickable ad will open a blank page.

Are live apps affected?

No. This is only relevant for apps submitted after 1st January 2017. However, if you need to resubmit your app, it becomes relevant.

What have Visiolink done?
We have taken several steps to avoid errors and blank pages.

  • We have an option to exclude known domains at build time, which solves the issue with our own servers and other relevant domains (but only if we know them at build time, which excludes ads)
  • We also make use of the option to allow unsafe HTTP connections in web-views
    • Note: While we can allow unsafe HTTP connections, we don’t have the same option for HTTPS connections that do not use TLS v1.2, which means they won’t work. If you try to click one of those links, a blank page will open.
  • By default, your app is now configured to open links from the pdf, articleview and livefeed outside the app, in Safari. This makes sure that all links work, regardless of the advertisers’ website security.

What should I do?

Before the next update of your iOS app, if your app has links to your website/server, you should go through the links in the app and make sure that your security lives up to Apple’s requirements.

  • If the server uses HTTPS, please make sure that TLS v1.2 is supported
  • If the server uses HTTP, please consider whether it should be converted to HTTPS for improved security

How to test server security?

Go to the link below and enter the link you want to test. It will analyze your server security.

https://sslanalyzer.comodoca.com/

If you use an HTTP link, you will get an error (because that protocol doesn’t use TLS).

Otherwise you will get an overview of your security details. Look under Protocol Versions - TLS v1.2 and check whether it’s supported or not.
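
The same check can be scripted for a whole list of links. The following is an added example, not part of the original article or Visiolink's tooling: it flags plain HTTP links and attempts a handshake that allows only TLS v1.2. The function names and sample URLs are constructed for illustration, and the forward-secrecy warning is an assumption that goes beyond what this article states.

```python
import socket
import ssl
import sys
from urllib.parse import urlsplit


def probe_tls12(host, port=443, timeout=5.0):
    """Handshake with TLS 1.2 as the only allowed version; return the cipher name."""
    ctx = ssl.create_default_context()          # verifies certificate and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.cipher()[0]


def classify(url, probe=probe_tls12):
    """Return (status, detail) for one link taken from the app or an ad."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        return ("FAIL", "plain HTTP, no TLS")
    if parts.scheme != "https" or not parts.hostname:
        return ("SKIP", "not an http(s) link")
    try:
        cipher = probe(parts.hostname, parts.port or 443)
    except ssl.SSLError as exc:                 # handshake or certificate rejected
        return ("FAIL", f"TLS 1.2 handshake failed: {exc}")
    except OSError as exc:                      # DNS failure, refused, timeout
        return ("ERROR", f"could not connect: {exc}")
    # Assumption beyond the article: ATS defaults also expect forward secrecy (ECDHE).
    if not cipher.startswith("ECDHE"):
        return ("WARN", f"TLS 1.2 but no forward secrecy: {cipher}")
    return ("OK", f"TLS 1.2 with {cipher}")


if __name__ == "__main__":
    # Constructed sample links; pass real URLs as arguments to probe them instead.
    urls = sys.argv[1:] or ["http://ads.example.test/banner", "mailto:sales@example.test"]
    for url in urls:
        print(url, *classify(url))
```

A FAIL result corresponds to a link that would open a blank page in-app; an ERROR result only means the server could not be reached from where the script ran.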

So, is that it?

There might also be issues with third-party SDKs in customized or co-created apps. Visiolink will contact you if that is the case.

What if I don’t want to open links out of the app?

We can configure your app to open links in-app, as was the default previously, but then some ads might not work. We only recommend this if every advertiser has up-to-date web server security, and this is nearly impossible to ensure.
