For app developers who use or are looking to use Akamai application acceleration services, we've provided the following information to help you understand how our services comply with Apple iOS 9 App Transport Security (ATS) requirements.
What is ATS?
ATS is one of many new features that come bundled with iOS 9. It's designed to prevent sensitive information from being accidentally disclosed and provides secure default behavior. It is turned on by default in iOS 9 and OS X v10.11.
Applications compiled or built in the iOS version 9 environment will use HTTPS (secure HTTP) by default and will also require the use of SHA-2 signatures on server certificates. Use of ATS will be required in new AppStore submissions.
Another change to the AppStore submission requirements relates to IPv6. Only applications that work on IPv6 networks will be accepted by Apple.
"Because IPv6 support is so critical to ensuring your applications work across the world for every customer, we are making it an AppStore submission requirement, starting with iOS 9," he said. "If your application doesn't work properly with IPv6, it will simply not function on those networks, those carriers and for those customers."
The iOS Developer Library explains the ATS requirements this way:
"If you're developing a new app, you should use HTTPS exclusively. If you have an existing app, you should use HTTPS as much as you can right now, and create a plan for migrating the rest of your app as soon as possible. In addition, your communication through higher-level APIs needs to be encrypted using TLS version 1.2 with forward secrecy. If you try to make a connection that doesn't follow this requirement, an error is thrown. If your app needs to make a request to an insecure domain, you have to specify this domain in your app's Info.plist file."
Using ATS with Akamai
Akamai's infrastructure allows developers to deliver their iOS9 apps securely. But there are some steps developers will need to take to ensure the proper configuration.
Akamai provides two methods of serving HTTPS traffic to your app, through the use of either a Shared Certificate or a Custom Certificate. The Shared Certificate is used when you do not require your own hostname to be used and is in the format https://customer.akamaized.net or https://customer-a.akamaihd.net.
The Custom Certificate is used when you need to deliver HTTPS using your own hostname and is in the format https://www.customer.com.
Because ATS defaults to HTTPS for communication between the iOS application and Akamai, if your app currently uses your own hostname you will need to add the Custom Certificate Option to your contract, or you will need to add the Shared Certificate Option and migrate your URLs to the format described above. If you configure a secure property on our Secure Delivery network, and accept all the defaults, your certificate will meet ATS requirements.
For either certificate option, requests made on Akamai that use HTTPS will also use HTTPS when connecting back to the origin. Users will need to ensure that your origin is configured to support HTTPS with a trusted and valid certificate.
Using IPv6 with Akamai
Akamai offers ample support for IPv6. Akamai serves 50 billion IPv6 requests per day, with traffic peaks exceeding 1 million IPv6 requests per second. IPv6 delivery support has been available in many Akamai products for well over three years. Over 250 Akamai customers have opted-in to deliver content over IPv6 by dual-stacking many thousands of hostnames, including on many major websites across a wide range of industries. Hundreds of thousands of additional web hostnames are dual-stacked on Akamai by resellers and cloud provider customers who have enabled default dual-stack delivery for SaaS properties and smaller Web sites.
To learn how you can take immediate advantage of Akamai's secure delivery services for custom or shared certificates, please contact us with some information so we best serve your needs.