Rampant fake news: from January 1, 2017 iOS apps must use https!!!

First, false news is so rampant

Just now an old colleague called to ask: our company still use HTTP, immediately to 2017 years, submit AppStore will be rejected, how to do?

Many people in the company have asked this question, answer: HTTP still can be submitted normally, do not meet the requirements of Apple HTTPS can also be submitted normally. You only need to modify the ATS configuration in the next info.plist.

Yesterday (2016-12-21) Apple issued a statement that the adaptation rules for HTTPS were deferred and time was not set. Now, you don't have to change anything.

Previously written related articles: ATS configuration for iOS-2017 years ago, the adaptation provided by ATS. The article also said that after January 1, 2017, use HTTP to modify the ATS configuration. Then I didn't think the fake news would spread so crazy.

Let's take a look at how this fake news is spreading quickly and being fooled: The origins of the news are Apple Developer conference WWDC 2016, Apple's chief security architect, Ivan, said: At the end of 2016, ATS will be required to upload all applications to AppStore.

iOS developers know that when they come out of iOS 9 ATS, everyone likes to use the Allow arbitrary Loads option to ignore ATS. If you do not ignore Ats,app, you will force https.

At the time, WWDC 2016, Ivan said that from January 1, 2017 onwards, all new submission apps are not allowed NSAllowsArbitraryLoads to bypass ATS restrictions by default. The ATS can be configured to fit.

However, various articles on the network began to spread wildly: from January 1, 2017 onwards, must be used HTTPS to pass the audit! Must now meet Apple's requirements for HTTPS certificates and encryption rules!

At first it was a soft-it article, and then the iOS developers were constantly spreading their blog. Well, many people write technical blogs to see other people's views are not verified true or false, directly to use. And now most of the articles are wrong, this is a bit scary ...

Even most of the technical articles are false, think of other social news, fake will be more. The power of the media can affect your perception, even if it is wrong.

Later in the forum, Apple officials also gave explanations: what have changed is the APP Review will require "reasonable justification" for the most ATS exceptions. The goal are to flush out those folks who, when ATS were first released, simply turned it off globally and moved on. That'll no longer be allowed.

Meaning: Do not meet the requirements of ATS, need to explain the reasons. ATS cannot be shut down globally, i.e. no more nsallowsarbitraryloads can be used.

However, the exception domains property of ATS can be used for configuration. Just need to submit the time to explain the reasons for it.

For example: HTTP requests, do not meet the HTTPS requirements, such as: TLS protocol version is low, the forwardsecrecy algorithm does not meet the rules. And so on, these can all be configured.

In addition, yesterday, Apple has a new action: January 1, 2017, you can continue to shut down ATS:

News Address: https://developer.apple.com/news/?id=12212016b

General meaning: In order to give you more time to prepare, this deadline has been extended, the specific time is not decided.

So now you don't have to change anything now.

Second, how to adapt to HTTPS

Because our app is already equipped with HTTPS. Now it's not safe to use HTTP, and it's really low. How to adapt to https it:

1, update the SDK: Friends League, a push, etc., these third-party SDK has been adapted to HTTPS

2, the domain name of the interface if you meet the Apple HTTPS rules, you do not have to configure, if not meet the opportunity needs to be configured according to their own circumstances, such as:

3, our operations are also active in the adaptation, if the use of Nginx, you can directly configure the Ssl_ciphers option in Nginx, our company with the Red ware (similar to F5, Israel's equipment), it needs to be configured separately.

Rampant fake news: from January 1, 2017 iOS apps must use https!!!