This blog discusses the iOS 9 security changes and their impact on SAP BusinessObjects Mobile SSL or HTTPS connections.

With the introduction of iOS 9, Apple has added security measures and mandates that might cause existing SSL-based setups to stop working if they do not follow the iOS 9 security recommendations.

Quoting the ATS requirements from Apple's site (Cocoa Keys; iOS 9.0, What's New in iOS):

“Requirements for Connecting Using ATS

With ATS fully enabled, your app’s HTTP connections must use HTTPS and must satisfy the following security requirements:

  • The server certificate must meet at least one of the following trust requirements:
    • Issued by a certificate authority (CA) whose root certificate is incorporated into the operating system
    • Issued by a trusted root CA and installed by the user or a system administrator
  • The negotiated Transport Layer Security version must be TLS 1.2
  • The negotiated TLS connection cipher suite must support forward secrecy (FS) and be one of the following:
    • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • The leaf server certificate must be signed with one of the following types of keys:
    • Rivest-Shamir-Adleman (RSA) key with a length of at least 2048 bits
    • Elliptic-Curve Cryptography (ECC) key with a size of at least 256 bits
  • In addition, the leaf server certificate hashing algorithm must be Secure Hash Algorithm 2 (SHA-2) with a digest length of at least 256 (that is, SHA-256 or greater).”

It is also recommended to follow the ATS requirements, as this is a more secure way to set up SSL communication.
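To check a server against the quoted requirements before iOS 9 devices connect, the sketch below (an added example, not SAP or Apple code) evaluates the protocol, cipher suite, leaf key and signature hash observed in a handshake and reports which ATS rules fail. The function names, the dictionary layout and the sample observations are assumptions constructed for illustration.

```python
import re

# Cipher suites exactly as listed in the ATS requirements quoted above.
ATS_SUITES = {"TLS_ECDHE_" + s for s in (
    "ECDSA_WITH_AES_256_GCM_SHA384", "ECDSA_WITH_AES_128_GCM_SHA256",
    "ECDSA_WITH_AES_256_CBC_SHA384", "ECDSA_WITH_AES_256_CBC_SHA",
    "ECDSA_WITH_AES_128_CBC_SHA256", "ECDSA_WITH_AES_128_CBC_SHA",
    "RSA_WITH_AES_256_GCM_SHA384", "RSA_WITH_AES_128_GCM_SHA256",
    "RSA_WITH_AES_256_CBC_SHA384", "RSA_WITH_AES_128_CBC_SHA256",
    "RSA_WITH_AES_128_CBC_SHA")}
MIN_KEY_BITS = {"RSA": 2048, "ECC": 256}      # leaf key minimums from the quote
SHA2_OK = {"SHA256", "SHA384", "SHA512"}      # SHA-2 with digest >= 256 bits

def to_iana(cipher):
    """Map an OpenSSL-style ECDHE/AES name to its IANA name; pass IANA names through."""
    if cipher.startswith("TLS_"):
        return cipher
    m = re.fullmatch(r"ECDHE-(ECDSA|RSA)-AES(128|256)-(GCM-)?(SHA(?:256|384)?)", cipher)
    if not m:
        return None  # no ECDHE key exchange or not AES: cannot be on the list
    auth, bits, gcm, mac = m.groups()
    return f"TLS_ECDHE_{auth}_WITH_AES_{bits}_{'GCM' if gcm else 'CBC'}_{mac}"

def ats_failures(obs):
    """Return the ATS requirements that an observed handshake does not meet."""
    fails = []
    if obs["protocol"] != "TLSv1.2":          # follows the quoted wording
        fails.append("protocol")
    if to_iana(obs["cipher"]) not in ATS_SUITES:
        fails.append("cipher")
    if obs["key_bits"] < MIN_KEY_BITS.get(obs["key_type"], float("inf")):
        fails.append("key")
    if obs["sig_hash"].upper().replace("-", "") not in SHA2_OK:
        fails.append("hash")
    return fails

# Constructed observations (values as an admin would read them from a handshake), not real servers.
SAMPLES = {
    "legacy": {"protocol": "TLSv1", "cipher": "RC4-SHA",
               "key_type": "RSA", "key_bits": 1024, "sig_hash": "SHA1"},
    "unlisted_suite": {"protocol": "TLSv1.2", "cipher": "ECDHE-RSA-AES256-SHA",
                       "key_type": "RSA", "key_bits": 2048, "sig_hash": "SHA256"},
    "compliant": {"protocol": "TLSv1.2", "cipher": "ECDHE-RSA-AES128-GCM-SHA256",
                  "key_type": "RSA", "key_bits": 2048, "sig_hash": "SHA-256"},
}

if __name__ == "__main__":
    for name, obs in SAMPLES.items():
        print(name, ats_failures(obs) or "meets the quoted ATS requirements")
```

The `unlisted_suite` sample shows that a forward-secret ECDHE suite can still be rejected when it is not one of the suites in the quoted list.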