5 Replies Latest reply on Dec 7, 2016 10:59 AM by mikebeargie

    iOS Security:  ATS

    taylorsharpe

      I'm just passing this on from Steven Blackwell, noted FM Security expert, that emailed this out to a lot of people, but I think many will find it useful here:

       

      Those of you doing work in the iOS area might wish to read this article:

       

      http://www.macworld.com/article/3147513/security/app-developers-not-ready-for-ios-transport-security-requirements.html

       

      Steven

      ---

      Steven H. Blackwell

      Platinum Member Emeritus

      FileMaker Business Alliance

       

       

      Realtech@fmpug.com Brought to you by FMPug.com - A Developer's Best Friend!

       

      FindFileMakerDevelopers.com - Superior FileMaker Talent At Your FingerTips!

      http://www.findfilemakerdevelopers.com

       

       

       

      Thank you Mr. Blackwell for keeping us informed. 

        • 1. Re: iOS Security:  ATS
          mikebeargie

          It's not adopted widely because apple is not enforcing it yet.

           

          When Apple drops the hammer and forces developers to use it, then 99% of those apps will release updates within a week (or risk using their subscriber base).

           

          Currently, my app CoreScope does not work in iOS10 because Apple dropped the URL "round trip" ability out of iOS10 completely. I have been working on a way around it but it's quite tough due to the new sandboxing terms. It's much easier for me to make a "plugin" for the FileMaker iOS SDK and offer the features that way.

           

          TL;DR, Rigorously enforcing security, software and hardware standards is why Apple products are usually superior (at least in count of bugs manifested and security breaches) then the windows or android based counterparts. So I welcome a forced security protocol like this.

          • 2. Re: iOS Security:  ATS
            codecruncher

            Thanks! Does anyone know if the current FM SDK 15.0.2 is already in compliance?

            • 3. Re: iOS Security:  ATS
              mikebeargie

              With the webviewer object and Insert From URL, I would be wary to say yes. This requires an official FileMaker answer for confirmation.

              • 4. Re: iOS Security:  ATS
                john_wolff

                "This requires an official FileMaker answer for confirmation."

                 

                Indeed Mike!

                 

                From my reading of the original article, I figure the ATS requirement only applies to FMGo apps that are accessing sites and data that are outside of the LAN.  Am I correct??

                 

                John

                • 5. Re: iOS Security:  ATS
                  mikebeargie

                  From my understanding of ATS, the requirement would be for ANY communication between a device and HTTP based web service. My guess would be that it would apply to the FM Go SDK for apps you want to submit, and ALSO with the FileMaker Go app itself.

                   

                  Meaning that using unsecured URLs in Insert From URL and Web Viewer objects may be blocked when used from inside FileMaker Go.

                   

                  The only way I would see around it is if FileMaker instituted a private web service that acts as an intermediary between FM Go and the outside world, taking your insecure URL and returning the results all via a secure channel. But that has privacy and usability repercussions written all over it.