Hello,
A customer has requested the development of a home assistance app to be published on the App Store. The app will connect to a server running locally at the end user's home, for example on a Raspberry Pi. Users would enter the IP address or hostname of their personal server into the app.
A strict requirement is that, for data protection reasons, there must not be any proxy server. The app should only communicate directly with the local server (e.g., Raspberry Pi). We are able to solve technical challenges such as DNS, dynamic IP, and port forwarding, router configuration.
However, I'm concerned about Apple's requirement that the endpoint – in this case, the Raspberry Pi at the user's home – must not use self-signed SSL certificates. While it may be technically possible to secure the home server with a certificate provider like Let's Encrypt, it is unrealistic to expect a typical user with no technical training to accomplish this setup independently.
Is there a recommended solution to this problem, particularly in the context of IoT devices and apps? Any advice or experiences would be deeply appreciated.
I'm concerned about Apple's requirement that the endpoint … must not use self-signed SSL certificates.
You’ve misunderstood Apple’s position here. I suspect you’ve read about App Transport Security and assumed that its additional security requirement are enforced everywhere. That’s not the case. Rather:
- ATS is only enforced in specific situations.
- Even when it is enforced, there are ways to opt out of it.
- Some of those opt-out mechanisms involve providing a justification to App Review. In my experience, App Review applies a light hand here, accepting any reasonable justification.
- Some opt-out mechanisms don’t even require that, most notably
NSAllowsLocalNetworking.
IMPORTANT I don’t work for App Review and thus can’t make definitive statements about their policy. So the above comments are based on my experience working through issues like this with other developers.
Is there a recommended solution to this problem, particularly in the context of IoT devices and apps?
While I don’t think there’s anything in the official docs, I’ve put my thoughts on this topic in TLS For Accessory Developers.
Oh, and I have a more info about edge cases like this in Extra-ordinary Networking.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
