SecureTransport PSK Support for TLS

We have successfully deployed our Qt C++ application on Windows and Android using OpenSSL with TLS Pre-Shared Key (PSK) authentication to connect to our servers.

However, I understand that apps submitted to the App Store must use SecureTransport as the TLS backend on iOS. My understanding is that SecureTransport does not support PSK ciphersuites, which is critical for our security architecture.

Questions:

  1. Does SecureTransport support TLS PSK authentication, or are there plans to add this feature?

  2. If PSK is not supported, what is Apple's recommended alternative for applications that require PSK-based authentication?

  3. Is there an approved exception process that would allow me to use OpenSSL for TLS connections on iOS while still complying with App Store guidelines?

The application requires PSK for secure communication with our infrastructure, and we need guidance on how to maintain feature parity across all platforms while meeting App Store requirements.

Answered by DTS Engineer in 880087022

Albert asked me to chime in here:

I understand that apps submitted to the App Store must use Secure Transport as the TLS backend on iOS.

That’s not right on a couple of levels:

  • AFAIK App Review has no requirement that you use a specific TLS implementation [1].
  • Secure Transport is deprecated, so it’s not the recommended path for anything (-:

We generally recommend that you use the built-in networking stack. You can access that using Network framework. See TN3151 Choosing the right networking API for more background and links.

Note Network framework does support TLS-PSK.

This recommendation is particularly relevant for TLS, where users expect the TLS behaviour of your app to match the TLS behaviour of the system as a whole, for example, in Safari. However, that only applies to TLS-PKI. TLS-PSK requires prior agreement between the client and the server, by definition, and so compatibility isn’t a concern. Thus, while you can use Network framework for this, it’s not completely beyond the pale to use BSD Sockets with a third-party TLS-PSK implementation.

Well, other than the fact that BSD Sockets is horrible, but I expect you’re used to that by now (-:

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] I suspect that you’re thinking of App Transport Security (ATS), but that’s only relevant if you use our high-level HTTP API, URLSession, or stuff layered on top of that.
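The native path Quinn and Albert describe, as an added example that is not code from this thread or from Apple: a Network framework connection configured for TLS-PSK via the sec_protocol_options API. The host, port, identity string and key bytes are constructed placeholders, and pinning the negotiation to TLS 1.2 is an assumption made here because the PSK ciphersuite enabled is a TLS 1.2 suite.

```swift
import Foundation
import Network
import Security

/// Builds an NWConnection that authenticates with a pre-shared key instead of
/// certificates. All parameter values passed by the caller are placeholders;
/// in a real app the key comes from the Keychain, never from source code.
func makePSKConnection(host: String, port: UInt16,
                       identity: String, psk: Data) -> NWConnection {
    let tlsOptions = NWProtocolTLS.Options()
    let secOptions = tlsOptions.securityProtocolOptions

    // Register the PSK and the identity hint the server uses to look it up.
    let pskData = psk.withUnsafeBytes { DispatchData(bytes: $0) }
    let idData = Data(identity.utf8).withUnsafeBytes { DispatchData(bytes: $0) }
    sec_protocol_options_add_pre_shared_key(secOptions, pskData, idData)

    // TLS_PSK_WITH_AES_128_GCM_SHA256 is a TLS 1.2 suite (RFC 5487) and is not
    // in the default PKI suite list, so pin the version and add it explicitly.
    sec_protocol_options_set_min_tls_protocol_version(secOptions, .TLSv12)
    sec_protocol_options_set_max_tls_protocol_version(secOptions, .TLSv12)
    sec_protocol_options_append_tls_ciphersuite(
        secOptions,
        tls_ciphersuite_t(rawValue: UInt16(TLS_PSK_WITH_AES_128_GCM_SHA256))!)

    let params = NWParameters(tls: tlsOptions, tcp: NWProtocolTCP.Options())
    let endpoint = NWEndpoint.hostPort(host: NWEndpoint.Host(host),
                                       port: NWEndpoint.Port(rawValue: port)!)
    return NWConnection(to: endpoint, using: params)
}

// Constructed sample values; a handshake failure surfaces as .failed(error).
let conn = makePSKConnection(host: "psk.example.invalid", port: 8443,
                             identity: "device-0001",
                             psk: Data(repeating: 0x42, count: 32))
conn.stateUpdateHandler = { state in
    switch state {
    case .ready:              print("TLS-PSK session established")
    case .failed(let error):  print("TLS-PSK handshake failed: \(error)")
    default:                  break
    }
}
conn.start(queue: .main)
```

Because the server only accepts a client that already holds the key, a failed handshake here is an authentication failure worth logging on both ends, not a certificate-chain problem.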

Thanks for the post. I do not know anything about Qt.

But if you ever decide to write native iOS code, Network.framework does support TLS PSK.

https://support.apple.com/guide/security/tls-security-sec100a75d12/web

This is a question for Quinn as he is definitely an expert on that. I would recommend reading his post: https://developer.apple.com/forums/thread/67493

And I’m sure he is going to jump into this thread to provide his expert knowledge.

You are completely free to compile OpenSSL for iOS (arm64) and statically link it into your Qt application, last time I was looking into that. The only thing I can think of that will be tricky is that, because you are bundling your own cryptography (OpenSSL), when you submit your app to App Store Connect, you must answer Yes to the question asking if your app uses encryption. But it's been a while since then and maybe the process has changed?

Albert Pascual
  Worldwide Developer Relations.
