When writing apps intended to be secured with Blue Cedar, you should avoid using certain networking APIs and protocols. These APIs typically involve an out-of-process component that is incompatible with the interception techniques used by the Blue Cedar injectable.
Avoid the use of the following APIs and frameworks:
- SFSafariViewController. SFSafariViewController is a higher-level API used to embed web content in an iOS app. It is implemented in terms of WKWebView and has the same limitations.
- NSURLSession background transfers. As described in the Apple Developer Library (NSURL Background Transfer Considerations), this API is intended to schedule downloads to execute when the app is not running. Because Secure Microtunnels are only available to code executing in the app, these background downloads fail if the target URL is not publicly accessible.
- NSURLSession push support, as introduced in the WWDC video https://developer.apple.com/videos/play/wwdc2016/711/.
- When writing web-based apps, avoid the use of HTTP/2.0.
- When writing web-based apps, avoid using HTML 5 local storage properties directly. For example:
  Mixing property access and setItem() / getItem() can have unexpected results. For maximum compatibility, use setItem() and getItem() exclusively.
- FTP. The Secure Web Stack policy supports HTTP and HTTPS traffic. Please avoid using FTP in apps to be secured with Secure Web Stack.
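A check for the local storage guidance above, as an added example that is not part of the original page or Blue Cedar's own code: a regex-based heuristic (not a full JavaScript parser) that flags direct property access on `localStorage` so it can be replaced with `setItem()` / `getItem()`. The function name `findDirectLocalStorageAccess` and the sample source are constructed for illustration.

```javascript
// Members of the standard Storage interface. Anything else reached through
// dot or bracket notation is treated as direct access to a stored key.
// Assumption: the other Storage methods (removeItem, clear, key, length)
// are acceptable alongside setItem/getItem.
const STORAGE_API = new Set([
  'setItem', 'getItem', 'removeItem', 'clear', 'key', 'length',
]);

// Matches localStorage.name and localStorage[expr], with or without a
// leading "window." (the \b also matches after the dot).
const ACCESS = /\blocalStorage\s*(?:\.\s*([A-Za-z_$][\w$]*)|\[\s*([^\]]*)\])/g;

// Returns one finding per direct property access: { line, access }.
// Comments and string literals are scanned too, so review each hit.
function findDirectLocalStorageAccess(source) {
  const findings = [];
  source.split('\n').forEach((text, index) => {
    for (const match of text.matchAll(ACCESS)) {
      const dotName = match[1];
      const bracketExpr = match[2];
      if (dotName !== undefined && STORAGE_API.has(dotName)) {
        continue; // a Storage API call such as localStorage.setItem(...)
      }
      const access = dotName !== undefined
        ? `.${dotName}`
        : `[${bracketExpr.trim()}]`;
      findings.push({ line: index + 1, access });
    }
  });
  return findings;
}

// Constructed sample source mixing both styles.
const SAMPLE = [
  "localStorage.setItem('theme', 'dark');",   // API call: allowed
  "localStorage.theme = 'light';",            // property write: flagged
  "const t = localStorage['theme'];",         // bracket read: flagged
  "const n = localStorage.length;",           // API member: allowed
  "window.localStorage.getItem('theme');",    // API call: allowed
  "delete localStorage.token;",               // property delete: flagged
].join('\n');

for (const f of findDirectLocalStorageAccess(SAMPLE)) {
  console.log(`line ${f.line}: localStorage${f.access} -> use setItem()/getItem()`);
}
```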
WKWebView is a newer alternative to UIWebView. While WKWebView achieves performance improvements by executing out-of-process, it is only compatible with Blue Cedar 3.21+. See Secure Web Stack to manage which WKWebView traffic to secure.
Note these limitations:
- Apps that use Apple's SFSafariViewController to render web content are not subject to Blue Cedar interception. That is, web traffic is not intercepted and delivered via Blue Cedar security, but is handled normally.
- WebSockets are not supported.
- WKWebView interception may affect app performance.