For anybody building, running, or maintaining mobile apps on the Salesforce platform, forthcoming restrictions to Apple’s ATS security feature will have an impact which must be urgently addressed.
While Apple has extended its original deadline for this, any apps being submitted to the App Store will eventually be affected. This article details the changes which are occurring, as well as highlighting the different implications for MobileCaddy customers and non-MobileCaddy users.
So what exactly is ATS?
App Transport Security (ATS) is a security feature introduced by Apple during its 2015 Worldwide Developers Conference (WWDC) to improve the security of applications by forcing all connections to use HTTPS instead of HTTP, ensuring connections between applications and web services are encrypted whilst in transit. Any attempts to make connections to web services which aren’t secured will fail and result in an error.
During its 2016 WWDC, Apple initially specified 1 January, 2017 as the cutoff point after which all apps being submitted to the App Store must comply with the ATS security feature. However, Apple has recently decided to extend this and will release a new deadline at a later date.
Apple ATS and Salesforce: What’s changing?
Apps which contain exceptions in the Info.plist file no longer satisfy the security standards of Apple’s App Store, which up until November of last year would include Mobile SDK-built iOS apps. If an app which contains these exceptions is re-submitted, it will automatically trigger a security review. Any app built with Salesforce’s Mobile SDK 4.3 or earlier will have these exceptions automatically within its Info.plist file, and they will need to be removed before submission to the App Store.
However, in November of last year, Salesforce reacted to this and updated its servers to support Perfect Forward Secrecy (PFS). Since that update, Salesforce servers support PFS and are 100% compatible with Apple’s ATS policies.
Now what needs to be done?
If you are subscribing to MobileCaddy for App Store submissions and updates then you don’t need to do anything initially, as this enforcement will only affect your new submissions to the App Store. Any new applications or future upgrades to existing applications will be ATS-compliant.
This is because with MobileCaddy, the majority of the apps can be versioned as a standard benefit, which means those apps won’t need to be re-submitted, as any changes are simply deployed directly. This is made even easier because at MobileCaddy, we upgrade our apps for the partners and consultancies we work with, allowing them to avoid such challenges completely.
Removing these unexpected difficulties and pain points, so consultancies can continue to concentrate on delivering what their clients need on the app layer, is a primary focus of the way MobileCaddy operates.
For anyone not using MobileCaddy
As mentioned, these restrictions will have an immediate impact, in the sense that affected apps shouldn’t be submitted to the App Store. Worse still, apps being re-submitted to the App Store because they need to be updated or fixed will be rejected by Apple when the attempt to do so is made.
To ensure an app won’t be confronted with any issues, it’s advised to remove the exceptions. Alternatively, thanks to the recent release of the Mobile SDK 5, updates have been made to our app templates to remove these exceptions. If you simply upgrade your app with forceios 5.0, you’ll get the updated configuration without the need for any manual effort.
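One way to check an app for these exceptions before submission, as an added example that is not part of the original article or of Salesforce’s or MobileCaddy’s code: the Python script below parses an Info.plist and lists every App Transport Security setting that relaxes the defaults. The key names are Apple’s documented ATS keys; the embedded plist, its bundle identifier and its domains are constructed sample data, and the function name is hypothetical.

```python
import plistlib

# Apple's documented ATS keys, paired with the value that relaxes the default policy.
GLOBAL_WEAKENING = {"NSAllowsArbitraryLoads": True,
                    "NSAllowsArbitraryLoadsInWebContent": True,
                    "NSAllowsArbitraryLoadsForMedia": True}
DOMAIN_WEAKENING = {"NSExceptionAllowsInsecureHTTPLoads": True,
                    "NSExceptionRequiresForwardSecrecy": False}

def find_ats_exceptions(plist_bytes):
    """Return sorted (scope, key, value) tuples for every setting that relaxes ATS."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    found = [("global", k, ats[k]) for k, bad in GLOBAL_WEAKENING.items()
             if ats.get(k) is bad]
    for domain, cfg in ats.get("NSExceptionDomains", {}).items():
        for k, bad in DOMAIN_WEAKENING.items():
            if cfg.get(k) is bad:
                found.append((domain, k, cfg[k]))
        tls = cfg.get("NSExceptionMinimumTLSVersion")
        if tls in ("TLSv1.0", "TLSv1.1"):  # ATS default minimum is TLS 1.2
            found.append((domain, "NSExceptionMinimumTLSVersion", tls))
    return sorted(found)

# Constructed sample Info.plist (hypothetical app and domains, not a real template).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.fieldapp</string>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSExceptionDomains</key><dict>
      <key>example-crm.test</key><dict>
        <key>NSIncludesSubdomains</key><true/>
        <key>NSExceptionRequiresForwardSecrecy</key><false/>
      </dict>
      <key>legacy.example.test</key><dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
      </dict>
    </dict>
  </dict>
</dict></plist>"""

if __name__ == "__main__":
    for scope, key, value in find_ats_exceptions(SAMPLE_PLIST):
        print(f"{scope}: {key} = {value}")
```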
If you’re still unsure that your applications are adhering to these updates to ATS, or if there is anything you need to do, we advise that you check out Apple’s What’s New in Security presentation for more information.
Mobile apps you can trust
This issue was first discovered and surfaced as an alert by the inbuilt monitoring system within MobileCaddy’s Trust site, which provides notifications when changes, updates, or potential problems which may affect our mobile apps occur. This automated system allows MobileCaddy to look after its partners’ and end customers’ mobile apps for them, and resolve issues well in advance of them affecting the users themselves, encouraging absolute confidence in their mobile investments. You can learn more about this unique service by visiting the Trust Site, or by checking out the daily updates courtesy of TrustCaddy on Twitter.