ATS and Bitcode in iOS 9

Note: Starting with IBM MobileFirst Foundation 8.0, Bitcode is supported.

iOS 9 brings a lot of new features for developers, some of which may affect your development of applications using MobileFirst Platform.

In this post I'd like to talk about two of those features: App Transport Security and Bitcode.

App Transport Security (ATS)

Applications built with Xcode 7 against the iOS 9 SDK are subject to App Transport Security, which enforces strict requirements on connections made to external hosts through the URL loading system (NSURLSession, NSURLConnection). Connections that do not meet the requirements fail.

These are the App Transport Security requirements:

  • The protocol must be Transport Layer Security (TLS) version 1.2 or later.
  • Connection ciphers are limited to those that provide forward secrecy, i.e. ECDHE key exchange (see the list of ciphers.)
  • Certificates must be signed with SHA-256 or a stronger hash, and the key must be RSA of 2048 bits or more, or Elliptic-Curve (ECC) of 256 bits or more.

Source: https://ibm.biz/BdX3kd

Make sure that your production servers are ready for those requirements.
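To check a server against the three requirements above before release, here is an added example checker; it is not part of the original post or of the MobileFirst SDK. It completes a TLS handshake with Python's ssl module, reads the negotiated protocol and cipher, and inspects the leaf certificate with the openssl command-line tool. The cipher set is Apple's iOS 9 forward-secrecy list written in OpenSSL cipher names; treating every TLS 1.3 suite as forward secret is an assumption added here, and the sample certificate excerpts are constructed for offline use.

```python
import re
import socket
import ssl
import subprocess
import sys

# Apple's iOS 9 ATS forward-secrecy cipher list, in OpenSSL cipher names
# (ECDHE key exchange with AES; plain RSA or static-DH key exchange is excluded).
ATS_FORWARD_SECRECY_CIPHERS = {
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-SHA384", "ECDHE-ECDSA-AES256-SHA",
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA",
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES256-SHA", "ECDHE-RSA-AES128-SHA",
}
MIN_KEY_BITS = {"rsa": 2048, "ec": 256}   # RSA 2048+ or ECC 256+
MIN_SIG_HASH_BITS = 256                    # SHA-256 or stronger signature hash


def parse_x509_text(text):
    """Extract signature hash and leaf key parameters from `openssl x509 -noout -text` output."""
    sig = re.search(r"Signature Algorithm:\s*(\S+)", text)
    alg = re.search(r"Public Key Algorithm:\s*(\S+)", text)
    bits = re.search(r"Public-Key:\s*\((\d+) bit\)", text)
    if not (sig and alg and bits):
        raise ValueError("unrecognised certificate text")
    key_type = "rsa" if alg.group(1) == "rsaEncryption" else "ec"
    return {"sig_alg": sig.group(1), "key_type": key_type, "key_bits": int(bits.group(1))}


def check_ats(tls_version, cipher, sig_alg, key_type, key_bits):
    """Return the ATS rules the observed handshake and certificate violate (empty list == compliant)."""
    problems = []
    if tls_version not in ("TLSv1.2", "TLSv1.3"):
        problems.append("protocol %s is below TLS 1.2" % tls_version)
    # Assumption: every TLS 1.3 suite uses an ephemeral key exchange, so only
    # TLS 1.2 (and older) handshakes are compared against Apple's list.
    if tls_version != "TLSv1.3" and cipher not in ATS_FORWARD_SECRECY_CIPHERS:
        problems.append("cipher %s does not provide forward secrecy under ATS" % cipher)
    # OpenSSL names look like sha256WithRSAEncryption, ecdsa-with-SHA384, sha1WithRSAEncryption.
    hash_bits = re.search(r"sha(\d+)", sig_alg, re.IGNORECASE)
    if not hash_bits or int(hash_bits.group(1)) < MIN_SIG_HASH_BITS:
        problems.append("certificate signature %s is weaker than SHA-256" % sig_alg)
    if key_bits < MIN_KEY_BITS[key_type]:
        problems.append("%s key of %d bits is below the %d-bit minimum"
                        % (key_type.upper(), key_bits, MIN_KEY_BITS[key_type]))
    return problems


def probe(host, port=443):
    """Live check: negotiate as a modern client would, then feed the DER leaf cert to openssl."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            version, cipher = tls.version(), tls.cipher()[0]
            der = tls.getpeercert(binary_form=True)
    text = subprocess.run(["openssl", "x509", "-inform", "DER", "-noout", "-text"],
                          input=der, capture_output=True, check=True).stdout.decode()
    return check_ats(version, cipher, **parse_x509_text(text))


# Constructed excerpts of `openssl x509 -noout -text` output, for offline use.
SAMPLE_CERT_OK = """\
    Signature Algorithm: sha256WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
"""
SAMPLE_CERT_WEAK = """\
    Signature Algorithm: sha1WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        findings = probe(sys.argv[1])          # python ats_check.py your.server.example
    else:
        findings = check_ats("TLSv1", "AES128-SHA", **parse_x509_text(SAMPLE_CERT_WEAK))
    print("\n".join(findings) or "compliant with ATS")
```

The negotiated cipher is only what this client and the server agreed on; a server that also offers non-ECDHE suites still fails for an iOS 9 client if those are preferred, so check the server's configured cipher order as well as this single handshake.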

During development you can work around these requirements to connect to servers that do not yet meet them. Two options follow.

Whitelist

You can configure a list of hostnames with exceptions. For example, to allow plain HTTP (no TLS) for localhost, add the following entries to your Info.plist:

<key>NSAppTransportSecurity</key>
<dict>
  <key>NSExceptionDomains</key>
  <dict>
    <key>localhost</key>
    <dict>
      <!-- Include to allow HTTP requests. NSTemporaryExceptionAllowsInsecureHTTPLoads is the
           iOS 9 beta key name; the released SDK documents the setting as
           NSExceptionAllowsInsecureHTTPLoads and still honours the temporary name. -->
      <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
      <true/>
    </dict>
  </dict>
</dict>
Note: The exception key must be a host name (localhost, sub.domain.com, etc.). Entries keyed by a hard-coded IP address are reported not to work.

There are other kinds of exceptions you can configure for each domain, such as the minimum TLS version, forward secrecy requirement, etc. See the full list here: https://ibm.biz/BdX3kd

Disable ATS

At your own risk, you can also disable ATS completely by adding this entry to your Info.plist. It removes every requirement above for every host, so keep it out of production builds:

<key>NSAppTransportSecurity</key>
<dict>
  <key>NSAllowsArbitraryLoads</key>
  <true/>
</dict>
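Both workarounds above are easy to leave behind in a release build. The following is an added example, not code from the original post or the MobileFirst SDK, that lints an Info.plist with Python's plistlib: it reports NSAllowsArbitraryLoads, per-domain HTTP, TLS-version and forward-secrecy exceptions (checking both the released key names and the NSTemporaryException* beta names), NSIncludesSubdomains, and exception entries keyed by an IP address, which the note above says are not honoured. The embedded Info.plist documents are constructed for illustration.

```python
import ipaddress
import plistlib
import sys

# (released key, iOS 9 beta key) pairs for the per-domain ATS exception settings.
HTTP_KEYS = ("NSExceptionAllowsInsecureHTTPLoads", "NSTemporaryExceptionAllowsInsecureHTTPLoads")
FS_KEYS = ("NSExceptionRequiresForwardSecrecy", "NSTemporaryExceptionRequiresForwardSecrecy")
TLS_KEYS = ("NSExceptionMinimumTLSVersion", "NSTemporaryExceptionMinimumTLSVersion")


def first_set(d, keys):
    """Return the value of the first key present in dict d, or None if none is set."""
    for k in keys:
        if k in d:
            return d[k]
    return None


def audit_ats(plist_bytes):
    """Return warnings about ATS relaxations in an Info.plist (empty list == default strict ATS)."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    warnings = []
    if ats.get("NSAllowsArbitraryLoads"):
        warnings.append("NSAllowsArbitraryLoads is true: ATS is disabled for every host")
    for domain, exc in ats.get("NSExceptionDomains", {}).items():
        try:
            ipaddress.ip_address(domain)
            warnings.append("%s: exception keyed by an IP address; ATS exception domains "
                            "are host names and IP entries are reported not to work" % domain)
        except ValueError:
            pass  # a host name, as expected
        if first_set(exc, HTTP_KEYS):
            warnings.append("%s: plain HTTP allowed" % domain)
        if first_set(exc, FS_KEYS) is False:
            warnings.append("%s: forward secrecy not required" % domain)
        tls = first_set(exc, TLS_KEYS)
        if tls in ("TLSv1.0", "TLSv1.1"):
            warnings.append("%s: minimum TLS version lowered to %s" % (domain, tls))
        if exc.get("NSIncludesSubdomains"):
            warnings.append("%s: exception also applies to all subdomains" % domain)
    return warnings


# Constructed development-build Info.plist carrying every kind of relaxation.
SAMPLE_DEV_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.devbuild</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>localhost</key>
      <dict>
        <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
        <true/>
      </dict>
      <key>192.168.1.20</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
      </dict>
      <key>dev.example.com</key>
      <dict>
        <key>NSIncludesSubdomains</key>
        <true/>
        <key>NSExceptionMinimumTLSVersion</key>
        <string>TLSv1.0</string>
        <key>NSExceptionRequiresForwardSecrecy</key>
        <false/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Constructed release Info.plist with no ATS dictionary at all (strict defaults apply).
SAMPLE_CLEAN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.release</string>
</dict>
</plist>
"""

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DEV_PLIST
    print("\n".join(audit_ats(data)) or "no ATS relaxations found")
```

Run it against the built app's Info.plist (for example as a Run Script build phase that fails the release configuration when the list is non-empty) rather than the source plist, since build settings and targets can merge entries.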

Bitcode

Apple introduced a new feature called Bitcode: an intermediate representation of your application that is uploaded to the App Store. Apple then recompiles that bitcode to optimize the binary for each type of device.

The IBM MobileFirst Platform SDK does not currently support Bitcode (see the note at the top for Foundation 8.0). Because the prebuilt MobileFirst library contains no bitcode, your application will fail to build and archive unless you disable bitcode completely. In Xcode > Build Settings > Build Options, set Enable Bitcode to No. You can confirm whether any prebuilt library you link carries bitcode by running otool -l on it: bitcode-enabled object files contain an __LLVM segment.

You will see an error similar to this:

You must rebuild it with bitcode enabled (Xcode setting ENABLE_BITCODE), obtain an updated library from the vendor, or disable bitcode for this target. for architecture armv7 clang: error: linker command failed with exit code 1 (use -v to see invocation)
To configure the MobileFirst Server with TLS 1.2 and forward secrecy support, read this blog post.
Last modified on June 23, 2016