AppTransportSecurity + Self Signed certificate

Our software communicates with devices on the local network that have self-signed certificates that our software can independently verify. However, there doesn't seem to be a way to get this working with ATS, as canAuthenticateAgainstProtectionSpace and didReceiveAuthenticationChallenge are never called.


We have no other options than using self-signed certificates for the devices, so right now the only option is to disable ATS completely. Is there anything else we can do?

Replies

Our software communicates with devices on the local network that have self-signed certificates that our software can independently verify. However, there doesn't seem to be a way to get this working with ATS, as canAuthenticateAgainstProtectionSpace and didReceiveAuthenticationChallenge are never called.

Correct. If the server is in a domain with ATS enabled, the connection will fail before these delegate callbacks are issued.

We have no other options than using self-signed certificates for the devices, so right now the only option is to disable ATS completely. Is there anything else we can do?

If you always connect to the device via its .local name, you can disable ATS for just that domain. That’s better than disabling ATS entirely.

Alternatively, if the server can be in any domain, you could disable ATS entirely and then re-enable it for specific domains of interest to your app.

There is not, alas, a way to disable ATS for something like ‘local IP addresses’. This has been discussed in depth in another DevForums thread.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
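Once ATS has been relaxed for the device's domain as described above, the app still has to do the "independent verification" itself in the trust challenge. This is an added example, not code from the thread, using URLSession instead of the NSURLConnection callbacks named in the question; the class name and the pinned certificate bytes are assumptions, and the certificate is pinned by its DER bytes because a device reached by bare IP address or a router's external address has no hostname to match.

```swift
import Foundation
import Security

/// Accepts exactly one known self-signed device certificate and nothing else.
/// Assumes ATS has been disabled for this host in Info.plist
/// (NSExceptionDomains -> host -> NSExceptionAllowsInsecureHTTPLoads = YES);
/// without that, this delegate method is never invoked, as the thread explains.
final class PinnedDeviceSessionDelegate: NSObject, URLSessionDelegate {
    /// DER bytes of the device certificate obtained out of band (for example
    /// during pairing). Placeholder: load the real bytes from the app bundle.
    private let expectedCertificate: Data

    init(expectedCertificate: Data) {
        self.expectedCertificate = expectedCertificate
    }

    /// Byte-for-byte comparison of the presented leaf certificate with the pin.
    func leafMatchesPin(_ trust: SecTrust) -> Bool {
        guard let leaf = SecTrustGetCertificateAtIndex(trust, 0) else { return false }
        let presented = SecCertificateCopyData(leaf) as Data
        return presented == expectedCertificate
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            // Not a server-trust challenge: let the system handle it as usual.
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Only the pinned certificate is acceptable. Anything else, including a
        // certificate a public CA would trust, is rejected rather than silently
        // accepted just because ATS is off for this domain.
        if leafMatchesPin(trust) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Usage (assumed): pass the delegate when creating the session.
// let session = URLSession(configuration: .default,
//                          delegate: PinnedDeviceSessionDelegate(expectedCertificate: pinnedDER),
//                          delegateQueue: nil)
```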

Unfortunately, the server can be any computer on the user's local network. There's no guarantee it has a domain name; it doesn't even need to have Bonjour installed. It may not even have a local IP address: some users simply set up port forwarding on the router and connect to the router's external address directly.


So disabling ATS entirely and re-enabling it for specific domains does seem like the only solution right now. Will ATS be enforced during app review? This is not exactly an uncommon situation.

Will ATS be enforced during app review?

I don’t work for App Review and can’t give you definitive answers on their behalf; if you need a definitive answer, you will have to contact App Review directly.

My general advice on situations like this is:

  • If you think that ATS could reasonably provide an alternative solution that’d better meet your needs, file an enhancement request asking for that. In your case, however, I suspect that disabling ATS is the right solution.

  • If you have behaviour within your app that you’d like to explain to App Review, include a discussion of that behaviour in the review notes when you submit the app.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"