Using SSL (HTTPS) will be mandatory for iOS (at January 1 2017)

uzubari · September 2016

Apple will require HTTPS connections for iOS apps by the end of 2016.
Seems a trouble for the developers.
https://techcrunch.com/2016/06/14/apple-will-require-https-connections-for-ios-apps-by-the-end-of-2016/
https://forums.developer.apple.com/thread/48979

jdbc · September 2016

I think Gideros does not support SSL, does not it?

May be LuaSec has to be integrated now:
https://github.com/brunoos/luasec

uzubari · September 2016

I have tried several urls with UrlLoader, it seems working with https.

With ATS enabled on ios, insecure connections are not allowed.
When ATS is enabled, Gideros is able to openURL to https:// urls. And openURL calls to an http:// url is blocked by the ATS framework as expected.

It seems no work is required for Gideros, but the developers who have a backend service will need to ensure that SSL is enabled at server side.

uzubari · September 2016

I would suggest to remove the following entry from info.plist and app-info.plist
This will enable ATS by default. Insecure calls will fail And the developers will be aware of the actions to be taken.

<key>NSAppTransportSecurity</key>
<dict>
	<key>NSAllowsArbitraryLoads</key>
	<true/>
</dict>

hgy29 · September 2016

@uzubari, I agree, if ATS will be enforced by the end of the year, better remove the work around in gideros today.
However some apps must talk to http only servers, like those talking to LAN services (Ip cams and so on) or those using other means than SSL for securing their exchanges, the biggest drawback of SSL being the need for costly certificates.

Maybe we should embed our own http(s) stack in gideros, ex: curl, to be less dependant upon Apple dictature ?

totebo · September 2016

Maybe we should embed our own http(s) stack in gideros, ex: curl, to be less dependant upon Apple dictature ?

HEATHEN!

uzubari · September 2016

@uzubari, I agree, if ATS will be enforced by the end of the year, better remove the work around in gideros today.
However some apps must talk to http only servers, like those talking to LAN services (Ip cams and so on) or those using other means than SSL for securing their exchanges, the biggest drawback of SSL being the need for costly certificates.

It is mentioned that Apple will allow exceptions on ATS if you have a reasonable excuse. But I do not think that costly certificates will be accepted as an excuse

hgy29 · September 2016

But I do not think that costly certificates will be accepted as an excuse

Yeah, they most likely won't

john26 · September 2016

"Maybe we should embed our own http(s) stack in gideros, ex: curl, to be less dependant upon Apple dictature ?"

@hgy29, The win32 export already uses curl for its UrlLoader implementation. Is that what you mean?

hgy29 · September 2016

@john26, yes that's what I mean

ar2rsawseen · September 2016

nowadays ssl certificates are free:
https://letsencrypt.org/

hgy29 · September 2016

Very interesting! there has been attempts before (CACert) but they weren't really accepted by browsers. Letsencrypt seems to be compatible with almost everything, good news!

EricCarr · October 2016

Letsencrypt sounds promising! I just bought one at godaddy for cheap. I've been making https calls in Gideros in android and iOS for two years with no issues in aware of.

Howdy, Stranger!

Categories

In this Discussion

Top Posters

Using SSL (HTTPS) will be mandatory for iOS (at January 1 2017)

Comments

Howdy, Stranger!

Quick Links

Categories

In this Discussion

Top Posters

Using SSL (HTTPS) will be mandatory for iOS (at January 1 2017)

Comments