iOS 9: Secure Your Mobile Applications With ATS

Apple is committed to protecting personal data by providing only the minimum amount of information, in order to protect the data security of its users. Data collected during the payment phase with Apple Pay or with contactless payment is stored on the iPhone itself, not in a cloud, and is not sent to merchants or to Apple.

The privacy of your mobile users is therefore better protected.

Authentication to your device is also strengthened with a 6-digit passcode (instead of 4 digits).

NEWS FOR DEVELOPERS

To ensure an optimal level of security, Apple is focusing on network security by tackling per-app VPN and the control of network traffic (e.g. UDP).

If you want to submit an app on the Apple Store, you will now need to verify that you comply with the new App Transport Security requirements.

But what is App Transport Security?

App Transport Security (ATS) is the new security standard with which all iOS developers must comply when developing for iOS 9. ATS secures communications and data exchange between your app and web services by allowing only the HTTPS protocol (Hypertext Transfer Protocol Secure). With HTTPS, all exchanged data is encrypted.

Here are the security requirements of ATS:

  • Your server must support at least TLS version 1.2
  • Only connection ciphers that provide forward secrecy are allowed
  • Certificates must be signed using SHA256 or a stronger hash algorithm, with either an RSA key of 2048 bits or more or an Elliptic-Curve (ECC) key of 256 bits or more. Invalid certificates will cause errors and no connection.

If you want to move your app to iOS 9 or submit a new app for this OS version, all your exchanges with servers (links, web services …) must now go over HTTPS, or your connections may fail:

CFNetwork SSLHandshake failed (-9801)
Error Domain = NSURLErrorDomain Code = -1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo = 0x7fb080442170 {NSURLErrorFailingURLPeerTrustErrorKey = <SecTrustRef: 0x7fb08043b380>, NSLocalizedRecoverySuggestion = Would you like to connect to the server anyway?, _kCFStreamErrorCodeKey = -9802, NSUnderlyingError = 0x7fb08055bc00 "The operation could not be completed. (kCFErrorDomainCFNetwork error -1200.)", NSLocalizedDescription = NSErrorFailingURLKey = https://yourserver.com, NSErrorFailingURLStringKey = https://yourserver.com, _kCFStreamErrorDomainKey = 3}

Unsecured traffic between apps and backend servers will be blocked. This means that if your app pulls resources from other, unsecured backend servers, those requests will fail and your users will see no content, which can seriously damage the user experience. The same applies to mobile ads: if they do not comply, they will not load.

If your applications interact with third-party APIs whose security you cannot control, you can declare exceptions in the Info.plist file of your app or extension.

BUT WE DO NOT RECOMMEND THIS PRACTICE! Nobody knows how long this flexibility will be allowed, and in any case securing your exchanges benefits both you and your customers.

It is therefore essential to upgrade your network infrastructure and systems to provide a functional and comfortable mobile experience for your users. But this can be complex and cumbersome when you have neither the time nor the technical means to do it properly.

So make your job easier by using the Apps Panel solution.

Our infrastructure is regularly updated and evolves continuously to bring you maximum security in the development of your mobile project. Because we care about the results and performance of our tools, our development techniques conform to Apple's recommendations for iOS 9. You can therefore already benefit from our iOS 9 compliance without any additional development or cost.
