iOS App Transport Security – Enforced from 2017 for Apple app submissions

The ATS requirement is here.

https://developer.apple.com/library/content/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html#//apple_ref/doc/uid/TP40009251-SW59
(Section NSAppTransportSecurity)

In summary, this is what we need to do in the apps:

1. Make every URL use https.
2. Ensure the TLS version is TLS 1.2.
3. Ensure the certificate used for server-to-client communication is trusted.

How do we detect if a URL is ATS compliant?

The nscurl tool on OS X El Capitan supports diagnosing ATS secure connections.

For example, /usr/bin/nscurl --ats-diagnostics https://www.example.com will display ATS connection information for https://www.example.com. Run /usr/bin/nscurl -h for more information.

This tool prints PASS / FAIL information. Ensure the result is PASS for the test that uses the diagnose dictionary with NO exceptions specified.

To view the certificate information of a particular domain, or to test out the connection, the TLS tool is a good utility.
https://developer.apple.com/library/content/samplecode/sc1236/Introduction/Intro.html#//apple_ref/doc/uid/DTS40014927-Intro-DontLinkElementID_2

Does it affect Socket communication?

Below is the answer from Apple staff (https://forums.developer.apple.com/thread/48979)

Right now ATS is only enforced by our high-level APIs (NSURLSession, NSURLConnection, and anything layered on top of those), and there’s been no announcements about that changing.

Keep in mind, however, that ATS’s enhanced security requirements are not arbitrary; they are defined to give your users a good level of security on an increasingly hostile Internet. As such, your app should aim to comply with these requirements even if ATS is not actively enforcing them.

Xcode 4: Wireless iPhone/iPad app distribution (OTA)

Xcode 4 seems to be doing something different from Xcode 3.x.

Do the following steps

Add an Entitlements file and set the value of the get-task-allow key (Can be debugged) to NO.

Go to Target build settings, under the Code Signing Entitlements section, add the Entitlements.plist under the “Release” setting and ensure that your Ad Hoc Provisioning profile is selected for “Release” under Code Signing Identity.

Create .ipa and .plist files

  1. Edit the scheme and set the destination to the device.
  2. Archive the project (Product -> Archive).
  3. Go to the Archives section in the Organizer window.
  4. Select the archived distribution file.
  5. Click the Share… button.
  6. Point the identity dropdown to the respective Ad Hoc Provisioning profile.
  7. Click Next.
  8. Select the check box (Save for Enterprise Distribution).
  9. Fill in the fields (Application URL should point to the .ipa file, as a complete URL).
  10. Click the Save button. It will create the .ipa (app) and .plist (manifest) files.


Create an index.html file similar to the following

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
        "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>My Cool app</title>
</head>
<body>
<ul>
    <li><a href="http://mycoolapp/build/distribution.mobileprovision">
                Install Example Provisioning File</a></li>
    <li><a href="itms-services://?action=download-manifest&url=http://mycoolapp/build/app.plist">
                Install Example Application</a></li>
</ul>
</body>
</html>

Check that app.plist contains the full URL that points to the .ipa file.

Place the files on the server (http://mycoolapp/build/).

Launch the browser in the device and point to http://mycoolapp/build/index.html
Download the provisioning profile and the application.
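The manifest check from the steps above can be scripted before the files are uploaded. This is an added example, not part of the original post: it parses the manifest and reports an .ipa URL that is missing, relative, or pointing at the wrong file. The sample manifest is constructed; the app.ipa file name and the bundle identifier are assumptions.

```python
import plistlib
from urllib.parse import urlparse

# Constructed sample manifest (not from the original page). The host is the
# page's placeholder; "app.ipa" and the bundle identifier are assumed names.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>items</key>
  <array><dict>
    <key>assets</key>
    <array><dict>
      <key>kind</key><string>software-package</string>
      <key>url</key><string>http://mycoolapp/build/app.ipa</string>
    </dict></array>
    <key>metadata</key>
    <dict>
      <key>bundle-identifier</key><string>com.example.mycoolapp</string>
      <key>bundle-version</key><string>1.0</string>
      <key>kind</key><string>software</string>
      <key>title</key><string>My Cool app</string>
    </dict>
  </dict></array>
</dict></plist>"""

def manifest_problems(manifest_bytes):
    """Return a list of problems with the .ipa URL(s) in an OTA manifest."""
    problems = []
    items = plistlib.loads(manifest_bytes).get("items", [])
    if not items:
        problems.append("no items in manifest")
    for i, item in enumerate(items):
        # The installable package is the asset whose kind is software-package.
        urls = [a.get("url", "") for a in item.get("assets", [])
                if a.get("kind") == "software-package"]
        if not urls:
            problems.append(f"item {i}: no software-package asset")
        for url in urls:
            parts = urlparse(url)
            if not (parts.scheme and parts.netloc):
                problems.append(f"item {i}: url is not a complete URL: {url!r}")
            elif not parts.path.lower().endswith(".ipa"):
                problems.append(f"item {i}: url does not point to an .ipa: {url!r}")
    return problems

if __name__ == "__main__":
    print(manifest_problems(SAMPLE_MANIFEST) or "manifest OK")
```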

Reference:

http://jeffreysambells.com/posts/2010/06/22/ios-wireless-app-distribution/

http://www.paradeofrain.com/2010/11/taking-the-pain-out-of-ad-hoc-testing/
