0
Completed
Allison Reber (Communication Director) 3 months ago in Content Publication / AppFactory // Next Gen App • updated 2 weeks ago 5

What is the Apple ATS standard?

The App Transport Security (ATS) is a standard introduced by Apple in order to improve application security best practices. It applies to web links within an app. For example, a link presented as http://www.aquafadas.com will need to be read https://www.aquafadas.com.

https means that the server that hosts this website has been secured (SSL) by an authentication certificate.


Is the ATS update required?

No, the update is not obligatory. At the time you submit your application, you can simply indicate that it is not ATS compatible. For applications that are already online, there are no compatibility requirements from Apple.

But it will become a requirement from Apple. So, better prepare yourself by replacing your links http by those in https (and by having the appropriate servers secured by the technical team).

What will happen if I do not replace the current http links with the https links?

If, upon submission, you claimed an ATS compatibility, the http links will not work and an error message will appear indicating that it was blocked for security reasons.


What do I need to do to have my applications ATS compatible?

  • Update your application using AppFactory 4.7. Aquafadas is ensuring that your application will get a secure connection to our servers. All applications built with AppFactory 4.7 (and later) are aligned with Apple’s requirements. Only your content, hosting, if you manage it on your own, and url addresses created in AppFactory should be compatible.
  • Replace all http:// links created in AppFactory and in your Store Model (when you created the layout of your application in Cloud Connect) with https:// links.
  • Host you AVE files on a secured server (SSL). Note that Apple has published a list of available trusted root certificates for secured server: you have to be compatible with this list. If Aquafadas is hosting your files, please note that all our servers are already secured.
  • Include https:// links only in your AVE files. For your convenience, Aquafadas automatically converts all http links from your files into https. As of today, most websites (including YouTube, Facebook…) use secured servers and already get an https:// address (for example https://youtube.com).
  • Test your application to check all the links included (otherwise your application may simply be rejected).

What should I do if my server is not secured (SSL)?

Aquafadas automatically converts all http links from your AVE files into https. But, should your server not be secured, and therefore links to your server not be converted, you can document specific links in AppFactory. How?

Option 1) Upon creating your application, you can indicate up to 3 http domain names that should not be converted into https.

Beware that upon submitting to Apple, you will have to specify those unsecured links (for your application not to be rejected).

Option 2) If you have more than 3 http domains names that should not ne converted into https, select the button "Allow arbitrary load on http domains".


When will you publish v4.7 of AveAppFactory ?

Is there any timeline for it both of iOS and Android ?

Bonjour Allison,

And what happens if you have to link to a web, perhaps an adviser, and its server is not SSL?

Can I name the link as https://www.******.com and it will work?

Merci!

Luis

Hello Luis,


If you put https:// the server will try to access it with SSL, and the server has to be compliant or you won't be able to reach the page.


As specified in Allison's post above, we have a solution for this particular case:


What should I do if my server is not secured (SSL)?

Aquafadas automatically converts all http links from your AVE files into https. But, should your server not be secured, and therefore links to your server not be converted, you can document specific links in AppFactory. How? Upon creating your application, you can indicate up to 3 http domain names that should not be converted into https.

Beware that upon submitting to Apple, you will have to specify those unsecured links (for your application not to be rejected).


You can find the fields to set the domains that should be accepted in HTTP in the new fields available in AppFactory iOS, under General Information > Domain Exception.


Kind regards,

Kevin

Aquafadas Support