Jeffrey Carpenter

ATTN: RSA SecurID Customers..Apple iOS ATS Issue and What to Do About it

Blog Post created by Jeffrey Carpenter Employee on Nov 15, 2016

Apple has recently updated its requirements for secure communications between iOS applications and servers, known as Advanced Transport Security (ATS). All developers, including RSA, who post updates to their iOS applications starting in 2017 will need to adhere to these new requirements. Because of these new communication requirements, many RSA customers using the RSA SecurID Software Token for iOS (iPhone and iPad) that deploy using our CT-KIP protocol will be impacted.

 

What Apple Did

Apple updated the communication protocols developers must use to communicate between the iOS application and a server.

 

There are three main updates that are required:

  • The use Transport Layer Security (TLS) version 1.2 or later
  • The use of Forward Secrecy Ciphers
  • The use of SSL certificates are signed using SHA-256 or later

 

Beginning with any new application or any updates to an existing application starting on January 1, 2017, the new communication protocols must be used. RSA has had these protocols present in our application for some time. In 2017, Apple will only allow apps that use the new protocols to be updated/added to the app store.

 

It’s important to note that customers’ existing iOS software tokens will continue to work and run without interruption even after January 1, 2017. It is only when RSA makes an update to the application sometime in 2017 that customers on an older release who are provisioning tokens to users using CT-KIP (the only time we use the communication protocols) may be impacted.

 

The remedy is for customers to get to the latest release of RSA Authentication Manager. This release utilizes these new communication requirements. Customers should also check any network equipment that sits in the path of a potential CT-KIP communication channel. Our recommendations:

 

  • AM 7 customers must upgrade to latest AM 8.x
  • AM 8.1 customers must be on SP1 P3 or later
  • AM 8.2 customers are OK
  • Customers must also check network appliances used for CT-KIP provisioning. Anything in the potential pathway of communication, i.e. load balancers, proxy servers, etc. must also support the use of the new protocols.

 

Customers who use our file-based provisioning should see no change but are still encouraged to upgrade to the latest release. NOTE: QR Code Provisioning using the self-service console utilizes CT-KIIP.

Outcomes