Apple OnBase Mobile users, are you ready for 2017? Starting January 1, 2017, Apple will require applications to support App Transport Security (ATS). Two of the ATS requirements are Transport Layer Security (TLS) version 1.2 and server certificates signed with a Secure Hash Algorithm 2 (SHA-2) hash. ATS is enabled by default for apps built with the iOS 9 SDK.
The purpose of the change is to improve the privacy and data integrity of connections between an app and its web services by enforcing additional security requirements on HTTP-based network requests. Because of this, the OnBase Mobile Broker server must negotiate TLS 1.2, and its server certificate must be signed with a SHA-2 hash with a digest length of at least 256 bits (SHA-256 or greater). The current mobile applications built with the iOS 9 SDK are therefore affected. They are:
- OnBase Mobile 16 for iPad
- OnBase Mobile Healthcare 16
By January 1, 2017, all OnBase mobile iOS applications (iPhone and iPad) will be affected by this.
Action You Need to Take
By January 1, 2017, ensure that the server hosting your OnBase Mobile Broker meets all of the ATS requirements.
Verifying your Mobile Broker Server
Use the linked online SSL server test to check publicly-accessible Mobile Broker servers.
After entering the hostname of the Mobile Broker server, look in the section titled “Handshake Simulation” for the row “Apple ATS 9 / iOS 9”; it shows whether TLS 1.2 was successfully negotiated and which cipher suite was used. If TLS 1.2 was negotiated and that cipher suite is one of those listed below under Technical ATS Requirements, the handshake side of ATS is satisfied. Also confirm in the test's certificate details that the leaf certificate's signature algorithm is SHA-256 or stronger and that its key meets the size requirement below, because the handshake simulation alone does not check those.
On a Mac running OS X El Capitan (10.11) or later, run the following command in Terminal:
/usr/bin/nscurl --ats-diagnostics https://your.mobile.broker.server.hostname
nscurl attempts the connection under several ATS configurations. Look for the section near the top labeled “ATS Default Connection”; a result of “PASS” there indicates the server is properly configured for ATS. The later sections report results under relaxed ATS exception settings and do not indicate compliance.
For Mobile Brokers which are not publicly accessible, use Wireshark to capture the traffic between the mobile device and the Mobile Broker. The following display filter shows only records whose TLS record-layer version is TLS 1.2:
ssl.record.version == 0x0303
If the server has been configured for TLS 1.2, the Server Hello and every record after it will match this filter. Note that the record-layer version of the Client Hello is often 0x0301 (TLS 1.0) for backward compatibility even when the client offers TLS 1.2 in the handshake's own version field, so the Client Hello may not appear under this filter. The authoritative indicator is the version inside the Server Hello, which you can isolate with ssl.handshake.type == 2 && ssl.handshake.version == 0x0303 (newer Wireshark releases name these fields tls.handshake.type and tls.handshake.version). If the only handshake packet you see is a Client Hello, typically followed by a fatal handshake_failure alert, or the Server Hello carries a version lower than 0x0303, then TLS 1.2 was not negotiated between the mobile device and the Mobile Broker.
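To make the record-version versus handshake-version distinction concrete, here is a small added example (written for this page, not code from the original article or from OnBase) that parses TLS record and Hello headers from constructed byte strings and applies the same tests the Wireshark filters would. The packets are hand-built for the example with only the header fields present; they are not captures from a real Mobile Broker.

```python
"""Minimal TLS record / handshake header parser for the capture check above.

Shows why a record-version filter can miss the Client Hello and why the
Server Hello's handshake version is the authoritative signal.
All byte strings below are constructed for this example."""
import struct

RECORD_ALERT, RECORD_HANDSHAKE = 0x15, 0x16
HS_CLIENT_HELLO, HS_SERVER_HELLO = 0x01, 0x02
TLS12 = 0x0303


def parse_records(data: bytes):
    """Split a byte stream into TLS records.

    For Client Hello / Server Hello records also pull the version carried inside
    the handshake message. Returns a list of
    (record_type, record_version, handshake_type, handshake_version)."""
    records, off = [], 0
    while off + 5 <= len(data):
        # Record header: content type (1), version (2), length (2)
        rtype, rver, rlen = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + rlen]
        if len(body) < rlen:
            raise ValueError("truncated TLS record")
        hs_type = hs_ver = None
        if rtype == RECORD_HANDSHAKE and len(body) >= 6:
            hs_type = body[0]                       # handshake type, then a 3-byte length
            if hs_type in (HS_CLIENT_HELLO, HS_SERVER_HELLO):
                hs_ver = struct.unpack("!H", body[4:6])[0]   # client_version / server_version
        records.append((rtype, rver, hs_type, hs_ver))
        off += 5 + rlen
    return records


def by_record_version(records, version=TLS12):
    """Equivalent of the Wireshark filter ssl.record.version == 0x0303."""
    return [r for r in records if r[1] == version]


def tls12_negotiated(records) -> bool:
    """TLS 1.2 counts as negotiated only if the Server Hello says so
    (equivalent of ssl.handshake.type == 2 && ssl.handshake.version == 0x0303)."""
    return any(r[0] == RECORD_HANDSHAKE and r[2] == HS_SERVER_HELLO and r[3] == TLS12
               for r in records)


# Constructed records: headers only, no randoms, cipher suites or extensions.
CLIENT_HELLO = bytes.fromhex("1603010006" "010000020303")        # record v1.0 for compat, handshake v1.2
SERVER_HELLO_TLS12 = bytes.fromhex("1603030006" "020000020303")  # server chose TLS 1.2
SERVER_HELLO_TLS10 = bytes.fromhex("1603010006" "020000020301")  # server fell back to TLS 1.0
HANDSHAKE_FAILURE = bytes.fromhex("1503010002" "0228")           # fatal alert, handshake_failure (40)

if __name__ == "__main__":
    for label, stream in (("good server", CLIENT_HELLO + SERVER_HELLO_TLS12),
                          ("TLS 1.0 server", CLIENT_HELLO + SERVER_HELLO_TLS10),
                          ("rejecting server", CLIENT_HELLO + HANDSHAKE_FAILURE)):
        recs = parse_records(stream)
        print(f"{label}: record-version filter matches {len(by_record_version(recs))} of {len(recs)} records; "
              f"TLS 1.2 negotiated = {tls12_negotiated(recs)}")
```

In the "good server" stream the record-version filter matches only the Server Hello, exactly the case where the Client Hello seems to vanish in Wireshark; the Server Hello check is what decides the question in all three streams.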
More information about configuring the server for TLSv1.2 can be found HERE.
Technical ATS Requirements
- The server certificate must meet one of the following:
  - Issued by a certificate authority (CA) whose root certificate is incorporated into the operating system
  - Issued by a trusted root CA and installed by the user or a system administrator
- The negotiated Transport Layer Security (TLS) version must be TLS 1.2.
- The negotiated TLS connection cipher suite must support forward secrecy (FS) and be one of the following (the suites Apple accepts all use ECDHE key exchange):
- The leaf server certificate must be signed with one of the following types of keys:
  - Rivest-Shamir-Adleman (RSA) key with a length of at least 2048 bits
  - Elliptic-Curve Cryptography (ECC) key with a size of at least 256 bits
- In addition, the leaf server certificate hashing algorithm must be SHA-2 with a digest length of at least 256 bits (SHA-256 or greater).
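The following added example (written for this page; not Hyland's, OnBase's or Apple's code) ties together the Verifying your Mobile Broker Server section and the Technical ATS Requirements list: it connects as a TLS 1.2-only client, the way the "Apple ATS 9 / iOS 9" handshake simulation does, then scores the negotiated protocol, cipher suite, leaf key and signature hash against the requirements above. It assumes Python 3.7 or later and the third-party cryptography package for certificate inspection; the cipher criterion (ECDHE key exchange with AES, no legacy ciphers) is a simplification of Apple's suite list, and the hostname is read from the command line.

```python
"""Probe a server as an iOS 9 ATS client would and score it against the ATS rules.

evaluate_ats() is pure (no network) so the rule logic can be tested on its own;
probe_ats() gathers its inputs from a live server. Assumes Python 3.7+ and that
the 'cryptography' package is installed for the certificate inspection."""
import socket
import ssl


def normalize_suite(name: str) -> str:
    """Map IANA (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) and OpenSSL
    (ECDHE-RSA-AES128-GCM-SHA256) spellings onto one comparable form."""
    n = name.upper().replace("_", "-")
    if n.startswith("TLS-"):
        n = n[4:]
    return (n.replace("-WITH-", "-")
             .replace("AES-128", "AES128")
             .replace("AES-256", "AES256"))


def suite_has_forward_secrecy(name: str) -> bool:
    """Simplified ATS cipher criterion (an assumption, not Apple's exact list):
    ECDHE key exchange with AES and no legacy algorithm. DHE suites are
    rejected too because ATS 9 does not accept them."""
    n = normalize_suite(name)
    legacy = ("RC4", "3DES", "DES-CBC3", "NULL", "MD5")
    return n.startswith("ECDHE-") and "AES" in n and not any(bad in n for bad in legacy)


def evaluate_ats(protocol, cipher_suite, key_type, key_bits, sig_hash):
    """Return the list of ATS violations; an empty list means compliant."""
    findings = []
    if protocol != "TLSv1.2":
        findings.append(f"negotiated {protocol}; ATS requires TLS 1.2")
    if not suite_has_forward_secrecy(cipher_suite):
        findings.append(f"cipher suite {cipher_suite} lacks forward secrecy (ECDHE) or uses a legacy cipher")
    if key_type == "RSA":
        if key_bits < 2048:
            findings.append(f"RSA key is {key_bits} bits; ATS requires at least 2048")
    elif key_type == "EC":
        if key_bits < 256:
            findings.append(f"EC key is {key_bits} bits; ATS requires at least 256")
    else:
        findings.append(f"leaf certificate key type {key_type} is not RSA or EC")
    if sig_hash.lower() not in ("sha256", "sha384", "sha512"):
        findings.append(f"certificate signed with {sig_hash}; ATS requires SHA-256 or stronger")
    return findings


def probe_ats(host, port=443, timeout=5.0):
    """Connect as a TLS 1.2-only client (like iOS 9's ATS) and evaluate the result."""
    ctx = ssl.create_default_context()          # verifies the chain against the system trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                protocol = tls.version()
                cipher_suite = tls.cipher()[0]
                der = tls.getpeercert(binary_form=True)
    except OSError as exc:                      # ssl.SSLError is a subclass of OSError
        return [f"connection or TLS 1.2 handshake failed: {exc}"]

    from cryptography import x509               # assumption: package installed
    from cryptography.hazmat.primitives.asymmetric import ec, rsa
    cert = x509.load_der_x509_certificate(der)
    pub = cert.public_key()
    if isinstance(pub, rsa.RSAPublicKey):
        key_type, key_bits = "RSA", pub.key_size
    elif isinstance(pub, ec.EllipticCurvePublicKey):
        key_type, key_bits = "EC", pub.curve.key_size
    else:
        key_type, key_bits = type(pub).__name__, 0
    sig_hash = cert.signature_hash_algorithm.name if cert.signature_hash_algorithm else "none"
    return evaluate_ats(protocol, cipher_suite, key_type, key_bits, sig_hash)


if __name__ == "__main__":
    import sys
    problems = probe_ats(sys.argv[1])           # Mobile Broker hostname, assumed as the first argument
    print("PASS" if not problems else "FAIL:\n  " + "\n  ".join(problems))
```

Pinning both minimum and maximum version to TLS 1.2 is deliberate: a TLS 1.3-capable server would otherwise negotiate 1.3 and the result would not reflect what an iOS 9 client sees. A handshake failure is reported as a finding rather than an exception, since "server refuses TLS 1.2" is the most common reason a Mobile Broker fails this check.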
If you have any questions, contact your first line of support or go to the OnBase Community.