App Shelves notification: App Store security new rules effective January 17

Shaming

Source: Public number Shaming world view

Id:mobview

Do the promotion may not understand what is ATS (App Transport Security), but this is a time bomb, tipping point at the end of 2016, the consequence is you do not notice, may lead to the product can not be on the APP store shelves, although no violation of the lower shelf so serious, But the results are equally deadly. There are still 2 months of buffering, but many developers have not thought of it, and it is necessary to give them a wake-up call.

ATS was introduced in 2015 by Apple to strengthen the network transport security standards, require all the app to get data from the Web to use a secure HTTPS link, and further emphasize the use of the latest TLS1.2 version of HTTPS.

Note: You can distinguish between the two criteria from the URL prefix of/HTTP///https://

Apple also knows that a lot of web content is still using insecure HTTP links, so it defines the set of ATS switch Options (Dictionary), which allows you to set the Info.plist file (as shown), but I estimate 99.9% Developers will choose to open the option to allow any link, and most people forget about it for a while, as if nothing has happened.

Now is the time to wake up to face the reality, Apple in WWDC has revealed that the end of the mandatory use of ATS, that is, starting from 17, the Apple audit team will be ATS as a mandatory audit, Apple's temper, may be hard to come, anyway, has given a buffer period of more than a year!

What should I do when I get a knife? What should be done as a CP? Let's talk about this problem today!

First of all, we need to understand the specific policies, and then make reasonable guesses on this basis, so that each CP according to their own specific situation after the assessment will know what to do. However, the big principle is to react quickly and not to be lucky!

Of course, HTTPS is the trend, Apple enforcement ATS is also in line with the user responsible attitude, understandable. In the implementation of the scale, I think Apple will also be flexible assessment, there must be some "I will know it when I see it" fuzzy situation, presumably the App store's old drivers have the hint.

Although the 17 ATS will become mandatory standards, but this is divided into several different situations, in order to help you understand, Shaming from the promotion and development of two angles to say

Promotion angle

1. Content source of the app if you have a home site, go and technical check the use of which transmission standards, if you still use HTTP or is less than TLS1.2 https, or hurriedly rectification, or ready and Apple Audit Mill, ready to apply for a special case of good reasons. In my Constellation Apple series there are two articles, "fickle Gemini, unspeakable difficulties: the history of the strongest audit team, hidden Secrets" and "stuffy melon Taurus, this should announcing the world but silence: Developer account, Audit accelerated disclosure", to understand how to deal with the audit team, as well as the role of the developer account in the audit process, is still very necessary.

2. App content if it comes from a known third party, you can use the technology to set up the ATS switch (referred to below), but it is best to communicate with third parties and urge all of their transmissions to be encrypted using TLS1.2.

3. The content of the app comes from an unknown third party, such as allowing users to access any website through the app, ignoring ATS, but the content from its own website must be followed by the first one. Also ask what kind of framework the technology uses, and if it is WebKit, it is recommended to switch to safari, otherwise there may be trouble in the future.

4. If it is an app that provides streaming content and does not want to obey ATS, it must be encrypted at the source, and with Apple's streaming framework, you can temporarily ignore ATS.

Therefore, we can decide according to their own situation is what kind of countermeasure, of course, the best way is to use the TLS1.2 HTTPS security standards, it is not necessary to think about how to explain to Apple, in order to win the special case!

But there is a question that is not yet particularly clear: How do you deal with apps that don't reach the standard? I personally don't believe that the app will be down for this reason, and Apple's most likely option is to wait until the app iterations to reject the shelves. Then maybe someone will think: Then I will not update! Oh, maybe also a way. All in all, a new round of cat and mouse games starts again.

Development perspective

1. The following switch is turned on in the ATS settings, and no reasonable explanation is submitted, then 100% is rejected

1. Nsallowsarbitraryloads, turning on this switch is equivalent to turning off ATS

2. Nsexceptionallowsinsecurehttploads, using the HTTP link of your own website

3. Nsexceptionminimumtlsversion, using HTTPS links with its own website below the TLS1.2 standard

As for what is reasonable explanation, this is completely a subjective judgment process, perhaps some people feel that their reasons are very good, but if you can not persuade Apple Audit, your app is not on the line, this Test team communication skills and English level!

2. In the following cases, Apple gives an exception and does not need an explanation:

• The app provides streaming services, and the media source has encrypted the content so that ATS can be ignored as long as the content is loaded using Apple's AV Foundation framework;

• Do not use forward secrecy (full forward secrecy) technology, you can turn off the nsexceptionrequiresforwardsecrecy switch in the ATS settings (default is on);

• Nsthirdpartyexception, which uses third-party links, and includes several switches that use third-party HTTP links or HTTPS that are below the TLS1.2 version.

Some people will think, that I have my website disguised as a third-party site, using this special case is not good, bingo! If you can withstand a refusal or even heavier punishment, perhaps you can try, but there are reasons to believe that Apple has many ways to judge the associated sites, can not afford the risk of people do not try.

3. ATS Setup also has a switch nsallowsarbitraryloadsinwebcontent, open after allowing the use of any web links, this and nsallowsarbitraryloads some differences, Primarily for apps that provide web browser-like services, you cannot restrict the type of links because you do not know which sites users will be browsing in advance.

However, Apple recommends that if you want to provide browser-class services, use Sfsafariviewcontroller, which is better than Wkwebview, which is more appropriate for users accessing Web content.

For more information about ATS settings, you can refer to Apple's official documentation for development.

In addition, Apple has proposed to abandon the following older standards

• UCS

• SSLv3

• SHA-1

• 3DES

and migrate to the latest security standards, including

• Forward secrecy

• SHA-2

• OCSP stapling

Apps on the shelves notice: App Store security new rules January 17 effective