Is Apple's push notification endpoint FIPS 140-2 compliant

Does anyone have experience validating whether the http://api.push.apple.com/ endpoint is FIPS 140-2 compliant? Any documentation would be helpful. Thanks.

Answered by ChuckMN in 692241022

Hello @jimstr,

Apple has some information on this posted at the below site. I would strongly recommend reviewing it and the other information as it has some really interesting details.

https://support.apple.com/guide/sccc/overview-sccc9b6aa4275/1/web/1.0

From an architecture perspective, I would suggest not trusting Apple by default as that could get you in trouble in the long run. Even if you choose to rely on their current compliance standards, I would still recommend at a minimum encrypting the data in the notification payload and implementing a notification service extension and decrypting the data inside of the application container before posting to the device to at least ensure the plain text is not stored on Apple servers.

Dynamically delivering a certificate to decrypt the data would be ideal, but if that is not possible and it needs to be included in the IPA file that is better than sending plain text through the system.

Hopefully this helps!

Thanks for the quick and insightful answer @ChuckMN. I was hoping to get some kind of document specifically about the push notification appliance. Currently we can only deduce that the OS-side encryption and TLS communication are compliant, not whether the push notification endpoint is using certified TLS.

Hey @jimstr,

Awesome to hear that you are already using an additional layer of encryption!

Two other resources that might help, but do not formally state "compliance".

New Developer Documentation:

Old Developer Documentation (My Preference):

Neither answers the "compliance" question directly, though, outside of speaking abstractly to how the service works. One approach to take in a compliance report is to show which systems you have control over and which you do not: showing that you have compliance within the systems that you are able to control (Certificate Pinning, KMS, etc.), with the ability to ensure cryptographic integrity to the client (assuming you also have client-side protections in place) through untrusted space, which is essentially the entire Internet, because the client wouldn't have control over the client-side network connection (assuming a BYOD approach) even with those protections in place (ISP Interference, etc.).

If I am able to find any more specific documents from Apple I will make sure to update the post!

@ChuckMN, great post! Thanks a lot for the guidance. I have already reviewed the old APNS document and found it very informative.
