Does the App Store accept self-signed certificate apps? - ios

I am a newbie developing an app for iOS (and also Android; I have asked about it for Google Play too) which implements a socket connection and had to allow all hosts in order to work with our self-signed certificate installed on the server, by editing the plist file (NSAllowsArbitraryLoads true). Or do I need to define NSExceptionDomains?
In 2016 and before, Apple still accepted it (I have deployed one before), but I heard there is a new regulation for 2017.
Will the App Store accept a self-signed certificate connection in 2017? Thank you.

Only high-level APIs (e.g. NSURLSession, NSURLConnection, etc.) require App Transport Security.
Low-level stuff like POSIX sockets does not use ATS.

Related

Should I add ITSAppUsesNonExemptEncryption to yes in plist in iOS app?

I am using base 64 bit encryption for encrypting the string while sending requests over the network in some web APIs.
Please let me know: in iTunes Connect, should I select yes for encryption?
Thanks in advance!
As far as sending encrypted content over the network using iOS's encoding technique (base64 encoding) goes, you need to mark it as NO.
You are not using any encryption techniques like AES, DES, RSA, so you are not using encryption at all.
Base64 is not encryption; it is an encoding technique.
Question: Is your app designed to use cryptography or does it contain or incorporate cryptography?
Answer: "YES" to the question if your app is using encryption. Some examples of encryption use include:
Making calls over secure channels (i.e. HTTPS, SSL, and so on)
Using standard encryption algorithms
Using crypto functionality from other sources such as iOS or macOS
Using proprietary or non-standard encryption algorithms
Answer "NO" if your app does not use, access, implement or incorporate encryption.
Question: Does your app implement any standard encryption algorithms instead of, or in addition to, using or accessing the encryption in Apple's iOS or macOS?
Answer: "YES" to the question if your app implements industry standard algorithms such as AES, DES, RSA, and so on, instead of or in addition to accessing or using the encryption algorithms available in Apple's iOS or macOS.
Answer "NO" if your app does not implement industry standard algorithms instead of, or in addition to, accessing or using the encryption algorithms available in Apple's iOS or macOS.
For more information visit Q&A for iTunes Connect.
Update for comment about ATS:
NSAllowsArbitraryLoads
Since iOS 10 and later, and macOS 10.12 and later, setting this key to the Boolean value YES disables App Transport Security (ATS), which may result in rejection of the application from App Store Review.
Use of this key triggers App Store review and requires justification.
So it is recommended to use HTTPS server with TLSv1.2 support.
Enabling this key can also be useful for debugging and development.
NOTE: Disabling ATS allows connection regardless of HTTP or HTTPS configuration, allows connection to servers with lower Transport Layer Security (TLS) versions, and allows connection using cipher suites that do not support perfect forward secrecy (PFS).
This key's default value of NO results in default ATS behavior for all connections except those for which you have specified an exception domain dictionary.
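As an added example (not taken from either answer above, and not Apple's own sample), this is what the "exception domain dictionary" alternative looks like for the situation in the first question: the global NSAllowsArbitraryLoads switch stays off and only one host gets relaxed rules. The host name legacy.example.com is a placeholder. One caveat worth knowing before relying on this: none of the ATS exception keys changes certificate trust evaluation. They only relax the plain-HTTP ban, the minimum TLS version and the forward-secrecy requirement; a self-signed server certificate is still rejected by the system trust store unless its CA is installed on the device or the app performs its own trust evaluation in the NSURLSession authentication-challenge delegate.

```xml
<key>NSAppTransportSecurity</key>
<dict>
    <!-- Leave the global switch off so every other connection keeps full ATS. -->
    <key>NSAllowsArbitraryLoads</key>
    <false/>

    <!-- iOS 10+: allow plain connections to link-local / .local hosts during
         development without touching the rest of the policy. -->
    <key>NSAllowsLocalNetworking</key>
    <true/>

    <key>NSExceptionDomains</key>
    <dict>
        <!-- Placeholder host: only this domain (and its subdomains) is relaxed. -->
        <key>legacy.example.com</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>

            <!-- Only if the host still serves plain HTTP at all. -->
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>

            <!-- Server cannot negotiate TLS 1.2 yet; accept TLS 1.0 for this host only. -->
            <key>NSExceptionMinimumTLSVersion</key>
            <string>TLSv1.0</string>

            <!-- Server's cipher suites lack perfect forward secrecy. -->
            <key>NSExceptionRequiresForwardSecrecy</key>
            <false/>
        </dict>
    </dict>
</dict>
```

Each exception key is a separate, per-host justification at review time, so drop the ones the server does not actually need: a host that already speaks HTTPS with TLS 1.2 and PFS ciphers needs no entry at all.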

Issue in Intercepting Burpsuite requests from iPad

I am testing an application from an iPad and using Burp Suite to capture the traffic. But in that case, I was not able to capture the following requests for that application:
Login Request
Two Factor Authentication Request
Video Search Request in application
Video Play request in application
How can I capture the above-mentioned requests?
(NOTE: I was able to capture some simple GET and POST requests of that application.)
Have you installed the Burp certificate? If not, use these instructions.
If you have, it's likely that this application uses certificate pinning. There are some tools that can disable certificate pinning, including Burp Mobile Assistant. You need a jailbroken device running iOS 8 or 9. Be aware that Mobile Assistant cannot always disable pinning.
It was an issue with the system on which I am running Burp Suite, which is why the system was not able to process requests and responses.

Apple's new security policy over HTTPS and IPv6 - Clarifications

We have an existing iPhone/iPad application and currently we are consuming HTTP SOAP and REST services.
As per the new rules and regulations of Apple, do we need to convert our existing HTTP services to HTTPS?
Can we use a self-signed certificate on the server to make the service SSL-enabled?
Is there any problem for Apple if we are using a self-signed certificate, or do we need to purchase a new SSL certificate?
Also, currently I am accessing the web services through the IPv4 address.
Do I need to change it to IPv6?
When will Apple start reviewing these conditions? I want to release the updated version of my app next month. Do I need to follow these rules from the next build onwards?
In terms of ATS (App Transport Security), yes, it is a new requirement for all iOS 9 devices running apps built with Xcode 7.
https://developer.apple.com/library/prerelease/ios/technotes/App-Transport-Security-Technote/
All connections using the NSURLConnection, CFURL, or NSURLSession APIs use App Transport Security default behavior in apps built for iOS 9.0 or later, and OS X v10.11 or later. Connections that do not follow the requirements will fail.
BUT your application can specifically opt out if needed by adding exceptions to your Info.plist, at least until Apple changes that, assuming sometime in the future they will enforce 100% compliance, maybe the iOS 10 release(?), maybe earlier(?)...
Opt-out Example:
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>
Via: Google Ads Developer: http://googleadsdeveloper.blogspot.ch/2015/08/handling-app-transport-security-in-ios-9.html
Note: You can use "nscurl --ats-diagnostics" on an OS X 10.11 installation to test for ATS compliance on the URLs that your app will use. I would highly recommend doing that before app (re)submission to ensure that you do not need to request exceptions via the Info.plist.
Self-signed certs will not work unless you add the signing CA details and trust it, or again disable ATS via an Info.plist exception. Save yourself the trouble and just purchase a compliant SSL cert.
Also, currently I am accessing the web services through the IPv4 address. Do I need to change it to IPv6?
No, your servers do not need to run IPv6; they should, but that is up to you and your hosting provider, as some mobile operators have moved to IPv6-only due to lack of IPv4 addresses, but of course they are providing NAT translation to IPv4.
But your app HAS to be IPv6 enabled/ready in order to work with those providers; otherwise you will get an app rejection. I highly recommend reading the Apple doc on this.
Several situations can prevent an app from supporting IPv6, and these get rejected:
IP address literals embedded in protocols. Many communications protocols, such as Session Initiation Protocol (SIP), File Transfer Protocol (FTP), WebSockets, and Peer-to-Peer Protocol (P2PP), include IP address literals in protocol messages. See Use High-Level Networking Frameworks and Don’t Use IP Address Literals.
IP address literals embedded in configuration files. Configuration files often include IP address literals. See Don’t Use IP Address Literals.
Network preflighting. Many apps attempt to proactively check for an Internet connection or an active Wi-Fi connection by passing IP address literals to network reachability APIs.
Using low-level networking APIs. Some apps work directly with sockets and other raw network APIs such as gethostbyname, gethostbyname2, and inet_aton. These APIs are prone to misuse or they only support IPv4—for example, resolving hostnames for the AF_INET address family, rather than the AF_UNSPEC address family.
Using small address family storage containers. Some apps and networking libraries use address storage containers—such as uint32_t, in_addr, and sockaddr_in—that are 32 bits or smaller.
See the following for more details and how to work around/resolve the above items:
https://developer.apple.com/library/prerelease/ios/documentation/NetworkingInternetWeb/Conceptual/NetworkingOverview/UnderstandingandPreparingfortheIPv6Transition/UnderstandingandPreparingfortheIPv6Transition.html#//apple_ref/doc/uid/TP40010220-CH213-SW1
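The last three items in that list (low-level APIs, AF_INET-only resolution, and 32-bit address containers) are easiest to see side by side in plain POSIX code. The block below is an added example written for this page, not code from the answer or from Apple's documentation. It resolves with getaddrinfo() and AF_UNSPEC instead of gethostbyname(), stores results in struct sockaddr_storage rather than sockaddr_in, and includes a small check that flags IP address literals so they can be rejected in configuration at startup. The host names and addresses (api.example.com, 192.0.2.1, 2001:db8::1) are placeholders; the numeric_only flag sets AI_NUMERICHOST so the resolver can be exercised without DNS.

```c
/* Added example: IPv6-ready host resolution with the POSIX socket API.
 * Avoids the patterns Apple's IPv6 checklist rejects: IP literals, AF_INET-only
 * lookups (gethostbyname), and sockaddr_in / uint32_t address storage. */
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Returns AF_INET or AF_INET6 if `host` is an address literal, 0 if it is a
 * name. An IPv4 literal is the classic IPv6-readiness bug: on a NAT64/DNS64
 * network a hostname gets a synthesised IPv6 answer, a bare literal does not. */
int ip_literal_family(const char *host)
{
    unsigned char buf[sizeof(struct in6_addr)];
    if (inet_pton(AF_INET, host, buf) == 1)
        return AF_INET;
    if (inet_pton(AF_INET6, host, buf) == 1)
        return AF_INET6;
    return 0;
}

/* Resolves host:port for whichever families the resolver offers and copies the
 * first result into a sockaddr_storage (large enough for IPv6; sockaddr_in is
 * not). Returns that result's address family, or -1 on failure.
 * numeric_only adds AI_NUMERICHOST so no DNS query is made (offline use). */
int resolve_any(const char *host, const char *port, int numeric_only,
                struct sockaddr_storage *out, socklen_t *outlen)
{
    struct addrinfo hints, *res = NULL;
    int family;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;      /* v4 or v6, never AF_INET only */
    hints.ai_socktype = SOCK_STREAM;
    if (numeric_only)
        hints.ai_flags |= AI_NUMERICHOST;

    if (getaddrinfo(host, port, &hints, &res) != 0 || res == NULL)
        return -1;

    memcpy(out, res->ai_addr, res->ai_addrlen);
    *outlen = res->ai_addrlen;
    family = res->ai_family;
    freeaddrinfo(res);
    return family;
}

/* The connect loop that goes with it: try every address getaddrinfo returned,
 * in the order the system's address-selection policy chose, until one
 * connects. Returns a connected socket or -1. Needs a network, so it is
 * shown for completeness and not exercised offline. */
int connect_any(const char *host, const char *port)
{
    struct addrinfo hints, *res, *ai;
    int fd = -1;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(host, port, &hints, &res) != 0)
        return -1;

    for (ai = res; ai != NULL; ai = ai->ai_next) {
        fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (fd < 0)
            continue;
        if (connect(fd, ai->ai_addr, ai->ai_addrlen) == 0)
            break;                    /* connected on this family */
        close(fd);
        fd = -1;
    }
    freeaddrinfo(res);
    return fd;
}

int main(void)
{
    /* Placeholder inputs: one hostname, one IPv4 literal, one IPv6 literal. */
    const char *hosts[] = { "api.example.com", "192.0.2.1", "2001:db8::1" };
    size_t i;
    for (i = 0; i < 3; i++)
        printf("%-16s literal family: %d\n", hosts[i], ip_literal_family(hosts[i]));
    return 0;
}
```

A practical use of ip_literal_family() is a startup assertion over every endpoint in the app's configuration: anything that returns non-zero is a literal that should be replaced with a hostname before submission, which also covers the "IP address literals embedded in configuration files" item on the list.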
iOS 9 requires the server to only support TLSv1.2 and support perfect forward secrecy.
Also required is for the app to support IPv6, including not using hard-coded IP addresses.
The certificate at the server must be signed by an authorized CA.
It is a new security feature that blocks non-HTTPS traffic in your app. However, this is a new feature that is only enabled for apps built with Xcode 7 and the iOS 9 SDK today. It will not break existing apps.
For apps in a non-production environment and for debugging you can disable ATS from the plist.
Thanks.

Using NEVPNManager in iOS 8, how can I programmatically create VPN connections to custom VPN types (e.g. Cisco AnyConnect)?

Looking at VPN configuration in apple's Configurator tool, it offers many different types of VPN, such as
L2TP
PPTP
Cisco AnyConnect
Juniper SSL
Check Point Mobile VPN
etc
I'd like to create a custom VPN configuration programmatically using NEVPNManager, however looking at the list of objects added in the NetworkExtension framework there are only 2 protocol classes - NEVPNProtocolIPSec and NEVPNProtocolIKEv2.
I'm new to the world of VPNs, so my question is this:
Are those proprietary VPN types (such as Cisco AnyConnect) just variations of IPSec or IKEv2, and thus can I set them up using one of those protocol classes, or is it not currently possible to do this with NEVPNManager?
You can implement your own version of a VPN via NEVPNManager, but you can't use it to set up/edit other VPNs (such as Cisco).
Thank you for requesting information about the Network Extension framework. Please note that as of November 10, 2016 this process is not required for developers who wish to use App Proxy, Content Filter, or Packet Tunnel APIs. To use these services please navigate to your Developer Account at https://developer.apple.com/account/ and select the Network Extension capability for the App ID you will be using for your app.
If you are requesting an entitlement for Hotspot Helper APIs and have already filled out the request questionnaire then your request will be addressed at our earliest convenience. Otherwise please visit https://developer.apple.com/contact/network-extension/ and enter the required information.
Regards,
Developer Technical Support
Apple Worldwide Developer Relations

HTTPS/SSL: Apple rules

My iOS app uses a server-side service to chat, upload photos, etc. In order not to have my script "hacked" and to keep my header private, I decided to use SSL encryption provided by a certificate on my Apache server, which will handle the request and give the response as JSON using PHP/MySQL.
But I heard that Apple doesn't allow HTTPS connections on the App Store; is that true?
I also heard that I need a US government certificate; is that true? Even if I am not a US resident? (I'm European.)
Even for just SSL, which is well known? I don't use a sophisticated self-coded algorithm!
If someone has had that issue, that would help me a lot!
Thanks !
No on all counts. I've built and submitted many apps for sale in the US and internationally using self-signed certs on my server with not a peep from Apple.