iOS 9 + App Transport Security + Amazon Web Services by Paulo Fierro

The release of iOS 9 is just around the corner and with that comes App Transport Security. This new feature will enforce that your app's network connections follow best practices. This is handled at a low level and is enabled by default in iOS 9 and OS X El Capitan — and may cause issues in existing apps.

We have a few apps that load data from Amazon Web Services over HTTPS and on iOS 9 they stopped working. The reason is that App Transport Security requires server certificates to be signed with SHA-2 by default, and at the moment the AWS certificates use SHA-1.

Amazon has announced AWS will move to SHA-2 by September 30, 2015.

Until then we can add the domain in question as an exception and set NSExceptionRequiresForwardSecrecy to NO. This does not turn off ATS (that would be a bad idea); it simply states that we accept ciphers other than SHA-2.

The Info.plist entry


A quick change to your Info.plist and you’re done!
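An added example, not code from the original post: a small Python audit that reads an Info.plist and reports how far its ATS settings depart from the defaults, which separates a scoped per-domain exception like the one described above from switching ATS off entirely. The sample plist and its host name `aws-host.example.com` are constructed placeholders; the severity labels are this example's own choice.

```python
import plistlib

# Constructed Info.plist: the host name is a placeholder, not taken from the post.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>aws-host.example.com</key>
      <dict>
        <key>NSExceptionRequiresForwardSecrecy</key>
        <false/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>"""

# Per-domain keys and the value that relaxes the ATS default.
RELAXING = {
    "NSExceptionRequiresForwardSecrecy": False,
    "NSExceptionAllowsInsecureHTTPLoads": True,
}

def audit_ats(plist_bytes):
    """Return (severity, scope, message) findings for an Info.plist's ATS settings."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads") is True:
        findings.append(("high", "*", "ATS disabled for every connection"))
    for domain, opts in sorted(ats.get("NSExceptionDomains", {}).items()):
        for key, relaxed in RELAXING.items():
            if opts.get(key) is relaxed:
                sev = "high" if key.endswith("InsecureHTTPLoads") else "medium"
                findings.append((sev, domain, f"{key}={relaxed}"))
        tls = opts.get("NSExceptionMinimumTLSVersion")
        if tls in ("TLSv1.0", "TLSv1.1"):
            findings.append(("medium", domain, f"minimum TLS lowered to {tls}"))
        if opts.get("NSIncludesSubdomains") is True:
            findings.append(("info", domain, "exception also covers subdomains"))
    return findings

if __name__ == "__main__":
    for finding in audit_ats(SAMPLE_PLIST):
        print(*finding, sep="\t")
```

Running it over each build's Info.plist makes it easy to spot a temporary exception that is still in place after the server side has been fixed.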

For more information you should watch Session 711 from WWDC 2015.

Update (Oct 1, 2015)

Looks like this is still not working properly. I ran the ATS diagnostics using nscurl on El Capitan and got these results.

Apple Pay + HSBC UK by Paulo Fierro

Apple Pay launched in the UK last month and I’d been looking forward to it because now I’d be able to use contactless payment methods when in the US using my UK bank cards.

First available was American Express, and setting up this card was very straightforward. Simply complete the guided process and you’re done.

I had been using Amex’s fantastic Passbook integration for several months now and had grown accustomed to the notifications you receive when you use your card. It's lightning fast too and I’d often get a notification before the receipt had even been printed.

Thankfully this is another feature of Apple Pay so I promptly removed the pass from Passbook — renamed to Wallet in iOS 9.

Next up was HSBC. They were supposed to be ready at launch, but then got delayed until July 28. I tried the following day and it didn't work. Thinking there were probably teething problems on HSBC's side I decided to leave it for a few days.

So last week I tried to add my HSBC card and it still wouldn’t work.



After some searching I came across an article with a solution to the problem and I could barely believe it. Then I realized it was HSBC after all — let's just say that our experiences with them have been less than impressive, so this is actually par for the course.

Turns out, you can't add an HSBC card to Apple Pay if you're outside of the UK.

Amazing. #amazing

You have to:

  1. Disable Location Services (so your location remains unknown).
  2. Use a VPN to tunnel in to the UK. I recommend TunnelBear.
  3. Add your card.


Good job HSBC. I guess I feel more secure?

Smart App Banners + Squarespace pages by Paulo Fierro

Smart App Banners have been around since iOS 6 and are an easy way for websites to link to apps on the App Store. As app promotion methods go, these are intelligent and not as obtrusive as other methods.

To add them to your page you have to add a meta tag to the head of each page where you want the banner to appear. I wanted to add a banner to our Avoid Town page but on Squarespace you don't have access to the raw HTML. However, you can provide custom JavaScript.

First go to the page you want the banner to appear on and click on the gear icon to access the page's settings.


Now click on Advanced at the top right of the page and you'll be presented with a textarea where you can enter code to be injected into the page.

Next paste in the code below, replacing XXX with your app's ID and YYY with your iTunes affiliate ID (or leave it blank).

You can find your app ID using the iTunes Link Maker and, if you haven't already, you should join the iTunes Affiliate Program.

Disabling callouts in WKWebView by Paulo Fierro

A few months back I wrote about disabling the ability of a user to zoom a web page presented in a WKWebView. This is custom HTML content being displayed in an enterprise app, not a web site, so it's not as nefarious as it sounds.

Another wish was to disable callouts. That's the pop-over that shows up when you long-tap on elements in Mobile Safari. They let you copy text, define a word or share a snippet.

A callout on iPad


There's no property on WKWebView that lets us do this, but we can do it in much the same way as we disabled the ability to zoom the page.

We pass a custom WKUserScript to our web view which creates a style tag and adds some styling which sets both -webkit-user-select and -webkit-touch-callout to none on all elements except input fields and textarea elements.

As always, remember that these powers should only be used for good.

Enabling SSL on Squarespace by Paulo Fierro

In 2014 Google made an announcement stating they would boost sites using HTTPS encryption in search results. Apart from that there are several other great reasons for using HTTPS. This site is hosted on Squarespace and while you could access this via a subdomain, I prefer using my actual domain that I own and control.

After some searching I came across this excellent blog post describing how to get SSL for your Squarespace site using CloudFlare. It's fairly straightforward to set up and doesn't cost a thing.