Update, 14/02/2017: Salesforce has recently decided to extend the date from which the security updates discussed in this article will take effect. The TLS 1.0 disablement deadline will now fall on July 22, 2017 (except for sandboxes, for which the extended disablement date is July 15, 2017). For more information, a full update can be found in this alert, published this week by Salesforce.
Salesforce will no longer support a version of a common security protocol known as TLS v1.0. Those accessing the Salesforce platform will consequently be required to use TLS v1.1 at a minimum, which will have an impact on business users of Salesforce mobile apps, as well as partners delivering apps for their Salesforce clients. This article explains what this means for MobileCaddy customers, and provides more detail for anyone not using MobileCaddy for their Salesforce mobile apps.
What you need to know with MobileCaddy
One of the key benefits of using MobileCaddy to deliver mobile apps within a business is an environment manager which is built in as an inherent part of the product. This is a system that not only monitors changes to the environment all our apps operate within, but also allows us to easily repair problems and deploy fixes, ensuring confidence and trust in the apps’ performance are maintained at all times.
As the environment manager oversees everything from the platform to the operating systems, and even the devices the apps are running on, we became aware of the TLS changes well in advance, allowing us to prepare and adjust accordingly.
As a result, all MobileCaddy applications are built on the required Salesforce Mobile SDK versions to alleviate this particular security issue, meaning there’s no need for any of our partners or customers to take action to ensure their apps will continue to run with the same security and reliability as they always have.
However, if you’re not a MobileCaddy customer and are concerned about your Salesforce mobile applications, here’s what you need to know:
What is Transport Layer Security?
Transport Layer Security (TLS) is a protocol which enables secure communication, via the Internet, between two endpoints, such as a browser and a web server. TLS has actually succeeded a previous protocol, known as Secure Sockets Layer, although it’s still commonly referred to by some as SSL. These protocols involve an authentication ‘handshake’ which allows the client to confirm the validity of the server it’s reaching, and sets up a secure, encrypted end-to-end connection.
It’s common for mobile devices, including mobile phones and tablets, to make use of public wireless networks. Using these without TLS in place is extremely risky, because those running the access points could have malicious intentions, or could lack sufficient security measures of their own.
Using an open or public access point to connect to the Internet without TLS makes it very possible for other devices or malicious software to intrude on your connection, and to gain access to all the data passing between the two endpoints.
So what does this mean for Salesforce users?
Following Salesforce’s announcement, as of Summer ’16 any new production orgs have required TLS 1.1 or above by default. For existing production orgs, the removal of support for TLS 1.0 is set for March 4, 2017 (at the time of writing).
For Salesforce users, the information travelling between their mobile devices and the platform is likely to be very sensitive, containing personal, and often financial details of employees and clients alike, which simply must remain confidential at all times. As such, every effort should be made to make all data transactions as secure as possible, and TLS plays a crucial role in making sure this is the case.
What does this mean for Salesforce mobile apps?
This will have an impact on any business which has built custom mobile apps using the Salesforce Mobile SDK, or any consultancy or solution provider delivering apps with this technology. This more complex class of apps is required to use certain levels of the SDK in order to call upon TLS 1.1 and above.
If your business is building bespoke Salesforce mobile apps using the Mobile SDK, we strongly advise using the latest version with the necessary support for TLS 1.1 by default, which is now v5.0.0 following a recent update. For those using older SDKs, such as v4.0.2 for Android or v3.x for iOS, TLS v1.1 was also the default.
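One way to spot clients that would be cut off once TLS 1.0 is disabled is to read the highest protocol version each one offers in its ClientHello, for example from traffic captured at a proxy you operate. The following is an added example, not code from Salesforce or MobileCaddy; the function names are hypothetical, the sample handshake is constructed, and it assumes the ClientHello fits in a single TLS record.

```python
import struct

# Protocol versions as they appear on the wire in a ClientHello.
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
MIN_ACCEPTED = 0x0302  # TLS 1.1, the minimum the article says will be required


def build_hello(legacy_version: int, extensions: bytes = b"") -> bytes:
    """Constructed sample: minimal ClientHello record (zero random, one suite)."""
    body = struct.pack("!H", legacy_version) + bytes(32) + b"\x00"  # empty session_id
    body += b"\x00\x02\x00\x2f" + b"\x01\x00"        # one cipher suite, null compression
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def client_max_version(record: bytes) -> int:
    """Return the highest known protocol version offered in a raw ClientHello."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    body = record[9:]                    # skip record header (5) + handshake header (4)
    legacy = struct.unpack_from("!H", body, 0)[0]
    pos = 2 + 32                         # client_version + random
    try:
        pos += 1 + body[pos]                               # session_id
        pos += 2 + struct.unpack_from("!H", body, pos)[0]  # cipher_suites
        pos += 1 + body[pos]                               # compression_methods
        if pos + 2 > len(body):
            return legacy                                  # no extensions block
        end = min(len(body), pos + 2 + struct.unpack_from("!H", body, pos)[0])
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            if ext_type == 43:           # supported_versions overrides the legacy field
                data = body[pos + 4:pos + 4 + ext_len]
                offered = [struct.unpack_from("!H", data, i)[0]
                           for i in range(1, len(data) - 1, 2)]
                # Ignore unknown (e.g. GREASE) values; fall back to the legacy field.
                return max((v for v in offered if v in VERSIONS), default=legacy)
            pos += 4 + ext_len
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello") from None
    return legacy


def rejected_after_cutoff(record: bytes) -> bool:
    """True if this client cannot negotiate TLS 1.1 or above."""
    return client_max_version(record) < MIN_ACCEPTED
```

A client for which `rejected_after_cutoff` returns true needs an SDK or platform update before the disablement date.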
For consultancies using the Salesforce Mobile SDK to deliver custom apps for their clients, it’s crucial to take the necessary steps to ensure that the end users are not affected by issues of this nature. The mobile technology landscape changes so quickly, and so often, that keeping up with that pace to prevent apps from failing once deployed within a business is an essential requirement.