
Apple to mandate TLS in 2017

One of the announcements at the last Apple Worldwide Developers’ Conference (WWDC16) was that Apple would require all apps in its App Store to support TLS 1.2. TLS is a protocol that encrypts data sent between applications over the Internet, and is therefore essential for ensuring that data being transmitted cannot be eavesdropped on.

The best-known use of TLS is in secure web browsing (using HTTPS), which can be checked visually using the padlock icon that appears in browsers when a secure session is established. Unfortunately, mobile apps are often less transparent about the security of their connections when they connect to a server, and it can be much harder to tell whether an app is using TLS.

Apple therefore introduced App Transport Security (ATS) in iOS 9, which forces apps to connect over a secure connection. Until now, it has been possible for apps to disable this so they can use non-TLS enabled services, but from some point in 2017 this will no longer be possible.

Apps were already supposed to have migrated to using ATS by 1 January this year, but with only 3% of the 200 most popular apps (including Facebook, LinkedIn and Skype) found to be fully compliant, Apple has announced an extension to this deadline. Nevertheless, if you’re an iOS app developer or operate services accessed by iOS apps, you need to ensure that you can support the ATS requirements over the coming months.

Deploy360 also aims to help this process, so please take a look at our TLS section to understand why the use of TLS is important.


Video of Apple WWDC Session About IPv6 and iOS 9 Now Available (And Some Screenshots…)

Want more info about Apple’s new requirement for IPv6 support in iOS 9 applications?  At last week’s WWDC on Friday, June 12, 2015, the session “Your App and Next Generation Networks” covered the topic of IPv6 as well as latency and how to improve the speed of your apps.  The video is now available for viewing (note that on a Mac I was only able to view the video in the Safari browser):

WWDC video about IPv6

The IPv6 section was presented by Prabhakar Lakhera, a “Core OS Networking Engineer” at Apple, and runs for about the first 14 minutes of the video.

To give you a view of some of the main points, here are some key screenshots.  First, Prabhakar talked about the need for IPv6 support and pointed out the growth in IPv6 traffic on North American mobile networks (and we’re seeing similar stats at the World IPv6 Launch measurements).

North American mobile networks and IPv6

He then talked about how Apple will use DNS64 and NAT64 to provide connectivity to the IPv4 Internet:

IPv6 using DNS64 and NAT64

He explained that to help in testing, Internet Sharing will now have a “Create NAT64 Network” option:

creating a NAT64 network

and provided a picture of how it all works:

IPv6 testing

He then indicated that 70% of the top 100 free apps had no problem with working over IPv6 and provided these pointers for “What Breaks?”:

What breaks?

It’s interesting to note what he said those points of breakage are:

  • Using IPv4-only storage objects (i.e. storing IPv4 addresses in some form)
  • Using IPv4-only APIs – or using an API in a way that is IPv4-only
  • “Pre-flight checks” (as the app is launching) before connecting and:
    • Checking if the device has an IPv4 address
    • Checking for reachability to 0.0.0.0

These “pre-flight checks” were an interesting item to me as I’d not thought about that mechanism before.  It makes sense for an app developer to check to see if the app can connect out to the Internet before starting to interact with the user.  I’ve had any number of iOS apps do that and warn me when I am not connected to the Internet.  However, only checking for IPv4 would render the app unable to work on an IPv6 network, even if the rest of the code works fine.
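The first breakage point in the list above, IPv4-only storage, shown as an added example (not code from the talk or from Apple): a 32-bit address field rejects IPv6 clients outright, while a 16-byte key holds both families and treats the IPv4-mapped form of an address as the same client. Function names are hypothetical and the addresses are constructed documentation-range values.

```python
import ipaddress
import socket
import struct


def ipv4_only_key(addr):
    """The pattern that breaks: an address packed into a 32-bit integer field."""
    return struct.unpack("!I", socket.inet_aton(addr))[0]


def address_key(addr):
    """Family-agnostic 16-byte key for storage, logging or allowlist lookups."""
    # Accept the bracketed URL form and drop any zone ID ("%en0").
    text = addr.strip().strip("[]").split("%", 1)[0]
    ip = ipaddress.ip_address(text)
    if ip.version == 4:
        # Store IPv4 as ::ffff:a.b.c.d so that it matches what a dual-stack
        # listening socket reports for the same IPv4 client.
        return b"\x00" * 10 + b"\xff\xff" + ip.packed
    return ip.packed


def key_to_text(key):
    """Render a stored key back to the shortest conventional text form."""
    ip = ipaddress.IPv6Address(key)
    mapped = ip.ipv4_mapped
    return str(mapped) if mapped is not None else str(ip)


def rejected_by_ipv4_only(addresses):
    """Return the inputs that the 32-bit storage path cannot represent."""
    rejected = []
    for addr in addresses:
        try:
            ipv4_only_key(addr)
        except OSError:
            rejected.append(addr)
    return rejected


if __name__ == "__main__":
    clients = ["192.0.2.10", "::ffff:192.0.2.10", "2001:db8::10"]  # constructed
    print("IPv4-only storage rejects:", rejected_by_ipv4_only(clients))
    for client in clients:
        print(client, "->", key_to_text(address_key(client)))
```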

Prabhakar then went on to talk about what does work and offered several suggestions:

Apple IPv6 - what works?

Much of this was straightforward:

  • Don’t do a pre-flight check… just try to connect.
  • Use higher-level APIs so you aren’t working with IP addresses

He also encouraged people to read RFC 4038, “Application Aspects of IPv6 Transition”, which is definitely a good read for application developers.

He finished with an interesting addition to iOS 9 and also OS X 10.11.  It has always been possible to use an IP address directly in a URL.  For instance, “http://192.168.10.100/index.html” (which, of course, won’t go anywhere).  But how does an IPv4 “address literal” (as it is called) work in an IPv6-only network?

It turns out that Apple is going to “fix” this by synthesizing an IPv6 address so that the IPv4 literal will still work in an IPv6-only network:

Apple What Works for IPv6

He didn’t provide details of precisely what they are doing for that, but it’s interesting to know about.

There were certainly other parts I didn’t mention… if you are an iOS app developer I’d highly recommend you watch the video.  In fact, I’d also suggest staying on after the IPv6 part is done to watch what Stuart Cheshire has to say about latency and ways to make your app and services work better over congested networks.  Also extremely important!

It’s great to see Apple providing this support and encouraging the movement to IPv6.  We look forward to seeing many more applications work well in IPv6 situations.

If you want to get started learning more about IPv6, please head on over to our Start Here page to find resources to begin!

 


Apple Will Require IPv6 Support For All iOS 9 Apps

“Because IPv6 support is so critical to ensuring your applications work across the world for every customer, we are making it an AppStore submission requirement, starting with iOS 9.”  With those words, Sebastien Marineau, Apple’s VP of Core OS, gave a huge boost to IPv6 developer support in Apple’s WWDC Platform State Of The Union (SOTU) address yesterday.

You can watch the Platform SOTU presentation yourself (although you may need the Safari browser to do so). The IPv6 segment begins at 34:16 and Marineau’s statement about the AppStore requirement can be heard at 37:16.

UPDATE: The video of the longer WWDC session about IPv6 is available – and we’ve also captured some of the most important screenshots.

Here, though, is the quick summary.

Why IPv6?

Sebastien Marineau began by talking about IPv6 and why it is important:

Apple IPv6 support

more on IPv6 support

In particular he noted that carriers in several regions of the world are now deploying IPv6-only networks and emphasized the importance of making your application work well for everyone, everywhere.  He reinforced how critical it is to support IPv6:

“If your application doesn’t work properly with IPv6, it will simply not function on those networks, those carriers and for those customers.”

He also explained how Apple has supported IPv6 for over ten years now since early versions of Mac OS X and from iOS 4 onward.

3 Steps For Developers

He went on to explain three steps all developers can take to make sure their applications work over IPv6 networks:

3 steps to make an app work with IPv6

Those steps are:

  • Use the networking frameworks (for example, “NSURLSession”)
  • Avoid use of IPv4-specific APIs
  • Avoid hard-coded IP addresses

Essentially, if app developers are using the higher level APIs and frameworks and aren’t hacking around at the IP layer, their apps should probably “just work” on top of either IPv4 or IPv6.

This is an important point – most iOS developers probably do not need to do anything on the development side. Assuming they have followed best practices in coding and are using the iOS networking frameworks, they should be all set.  Some developers, though, may be using lower level APIs that may involve direct usage of IPv4 addresses. Some developers may also be using the user’s IPv4 address as an identifier or for logging or configuration purposes.

But again, most iOS developers probably don’t need to change their code to support IPv6.

Testing Your App Over IPv6

However, Marineau addressed the question of “how do you test your app over IPv6?”, particularly when many app developers may not have access to a native IPv6 Internet connection.  He indicated that in an upcoming release of Mac OS X there will be a new feature to help with this:

IPv6-only personal hotspot

What I understood Marineau to say was that you will be able to set up a “personal WiFi hotspot” on your Mac and check an “IPv6-only” box.  Your iPhone/iPad with your app could then connect to that specific WiFi network to work in an IPv6-only mode.  The Mac would then provide the gateway to the legacy IPv4 Internet so that the app on the IPv6-only network could connect out to services on IPv4 servers.

THIS IS HUGE! One of the struggles many application developers have had is to easily create an “IPv6-only” network in which to test systems.  Even those of us who are IPv6 advocates/enthusiasts have struggled with making this work well.  It typically involves bringing up a second access point (which you are effectively doing with this new configuration) and then turning off all IPv4 services on that access point, which some access points make difficult to do.

Whenever this feature rolls out in Mac OS X, it will greatly help all of us who are working on apps and systems and want to test them in an IPv6-only environment.

An Important Step

Now, to be clear, most iOS app developers probably won’t have to do all that much to support IPv6.  If they are already using the higher level APIs and networking frameworks they should be all set.  The exact mechanisms of IP address handling are not a concern of theirs.  However, some app developers will have to make some changes, particularly if they are directly using IPv4 addresses as any kind of identifier or in logging.

More importantly, the requirement for AppStore submission will require app developers to test their applications with IPv6 networks, and that alone will suddenly cause the millions of iOS app developers out there to have to learn at least something about IPv6 (if nothing else, the fact that it exists).

Most significantly, though, this step by Apple means that all the iOS apps that run on iOS 9 will work well over the IPv6-only networks that are starting to be deployed.  Even in dual-stack (IPv6/IPv4) networks, this should mean that iOS 9 apps will work better in those environments when, for instance, IPv6 may be faster. (More needs to be understood here about the specifics of the IPv6 support.)

And… this also will help take away the argument used by some network operators who are still not moving ahead with IPv6 that “why should we deploy IPv6 when apps don’t support it?”

Apple’s answer is that, as of iOS 9, all iPhone/iPad apps will support IPv6!

Kudos to Apple for taking these steps, creating this new AppStore submission requirement, and also providing what sounds like a new and easy way to create IPv6-only networks!

We’re looking forward to iOS users being able to use ALL their favorite applications on an IPv6-only network!


UPDATE #1:  Discussions on this post can be found at:

UPDATE #2: By way of a tweet I have learned that there is a session at WWDC on Friday, June 12, 2015, about “Your App and Next Generation Networks” that will apparently have more info about IPv6 support.

UPDATE #3 – 19 June 2015: The video of this “Your App and Next Generation Networks” session at WWDC is now available – in the post I link to, I include a number of screenshots about the session.


P.S. If you want to get started with IPv6, please visit our Start Here page to find resources tailored for your role or type of organization.  The time to make the move to IPv6 is TODAY!

Also, hat tip to Adam Iredale on Twitter, who first brought this new requirement to my attention, and to Borja Reinares who provided some more information.