HTTPS support issue

hi,


All apps should use only HTTPS now, right?


In my understanding, the client should have a safe server certificate list, and if a server has that certificate, the app connects to the server...


And... what about the app world?


Should the app have any certificate of the server?


OR


Does [All apps should use only HTTPS now] mean that [All servers should have a normal, well-known SSL certificate, like VeriSign or Comodo]??


Because the safe server certificate list is managed by the device system, not by each app (so we cannot install a customized certificate in a certain app).


Is my understanding right?


😊

Accepted Reply

I’m not sure I understand your question but it seems to be centred on whether your app can override HTTPS server trust evaluation, and specifically whether your app can talk to a server whose certificate is not trusted by the system by default. There’s three parts to this:

  • At a technical level, apps can override HTTPS server trust evaluation as they have always done (see Technote 2232 HTTPS Server Trust Evaluation). However, such overrides only work if you disable App Transport Security (ATS) for the domain in question.

  • Disabling ATS has App Review implications. ATS is officially documented in the Information Property List Key Reference, but you should also read my App Transport Security pinned post.

  • At WWDC 2016 we announced that App Review would soon require reasonable justification for wide-ranging ATS exceptions. The App Store Review for ATS section of the above-mentioned ATS docs has more details on this.

The upshot of this is that, while it is technically possible for your app to connect to a server whose certificate is not trusted by the system, you’ll have to justify the necessary ATS exceptions to App Review. IMO it’s easier to avoid this whole problem by getting a trusted-by-default certificate for your server. Doing that is not necessarily expensive or difficult (indeed, it’s free and easy if you take the Let’s Encrypt path).

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
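As an added illustration of the "override HTTPS server trust evaluation" route the reply describes (this is not code from the thread or from Apple), the delegate below trusts one host only when its certificate chains to a private CA bundled with the app. It assumes a hypothetical `private-ca.der` resource and, as the reply notes, that Info.plist carries an `NSExceptionDomains` entry for that host with `NSExceptionAllowsInsecureHTTPLoads` set, since the override is never honoured while ATS is fully enforced for the domain.

```swift
import Foundation
import Security

/// Session delegate that overrides HTTPS server trust evaluation for a single
/// host, accepting only chains that end at the app-bundled private CA
/// (hypothetical "private-ca.der"). Every other host keeps system trust.
final class PrivateCASessionDelegate: NSObject, URLSessionDelegate {
    private let pinnedHost: String
    private let anchor: SecCertificate

    init?(pinnedHost: String, caDER: Data) {
        guard let cert = SecCertificateCreateWithData(nil, caDER as CFData) else { return nil }
        self.pinnedHost = pinnedHost
        self.anchor = cert
    }

    /// Returns true only if `trust` chains to the bundled private CA and the
    /// leaf is valid for `host`.
    func evaluate(_ trust: SecTrust, host: String) -> Bool {
        // Re-apply the SSL policy for this hostname so a certificate issued by
        // the same CA for some other name is still rejected.
        let policy = SecPolicyCreateSSL(true, host as CFString)
        guard SecTrustSetPolicies(trust, policy) == errSecSuccess,
              SecTrustSetAnchorCertificates(trust, [anchor] as CFArray) == errSecSuccess,
              // Do not fall back to the system roots: the private CA is the only anchor.
              SecTrustSetAnchorCertificatesOnly(trust, true) == errSecSuccess else {
            return false
        }
        var error: CFError?
        return SecTrustEvaluateWithError(trust, &error)
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        // Only server-trust challenges for the pinned host are overridden;
        // everything else gets the default system evaluation.
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              space.host == pinnedHost,
              let trust = space.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        if evaluate(trust, host: space.host) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // A chain that does not end at the private CA aborts the connection.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}
```

Install it with `URLSession(configuration: .default, delegate: delegate, delegateQueue: nil)`; the narrower the `NSExceptionDomains` entry that accompanies it, the less there is to justify to App Review.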
