As you may be aware, versions of the TLS protocol below 1.2 are considered insecure due to exploits and the majority of the industry has already moved to support TLS 1.2+ only in most environments, which resolves security vulnerabilities found in previous versions of TLS. As part of our ongoing commitment to secure communications, IBM will begin supporting TLS 1.2+ only on April 1, 2019.

More information about WCA networking security can be found here.

This change may affect existing mobile contacts using our mobile app SDK who receive push notifications on older devices that do not negotiate, use, and/or support later versions of TLS.

Who may be affected?
• iOS users with iOS 8.4.1 or lower
• Android users with Android 4.4 or lower

Users with iOS 9.0 and higher or Android 5.0 and higher are not affected by this issue. If you intend to support only them, no action is required.

What will happen on devices that are unable to support TLS 1.2?

Devices which do not support TLS 1.2 will be unable to connect to our WCA servers. This will prevent users of those devices from:

• Registering new mobile user IDs
• Updating push tokens
• Receiving inbox messages
• Receiving In-app messages
• Sending attributes
• Sending events (including location events)
• Reporting time zone or OS changes

These devices will continue to receive simple pushes as long as their push tokens remain the same, but will lose that ability if their push token changes, since they will be unable to report the change back to IBM WCA. All connections from devices that do not support TLS 1.2+ to the WCA pod specified in the baseURL will fail.

What WCA Client actions are required?

iOS Actions

iOS application providers have one option: your users will need to upgrade to iOS 9 or higher. Apple has not provided any other workarounds.

Note: If you have set NSAppTransportSecurity to something other than the default values in your app’s Info.plist, you must make sure TLSv1.2 is supported.

Android Actions

Android application providers have three options for older devices.

Option 1: Migrate to Android WCA SDK 3.7.1.2.9 or higher.

IBM has added code to patch the Android security provider in the WCA SDK. Any users of the SDK who also have Google Play Services 5.0 or higher will automatically support TLS 1.2 if they are using WCA SDK 3.7.1.2.9 or higher.

In other words, if you have WCA SDK 3.7.1.2.9 or higher, you don’t have to do anything. Your app will use TLS 1.2 when connecting via HttpUrlConnection.

If you choose this option, your users will need time to migrate to your new app release.

Option 2: Load the Android TLS 1.2 Security Provider via Google Play Services manually

If upgrading to the latest Android SDK would be too difficult, Google has provided a way for apps to update the security provider via Google Play Services 5.0 to support TLS 1.2. Instructions for doing this can be found at:
Update your security provider to protect against exploits

This is the same method used by the WCA SDK for versions 3.7.1.2.9 and higher.

If you choose this option, your users will need time to migrate to your new app release.

Option 3: Require your users to upgrade to Android 5.0 to use your app.

All versions of Android 5.0 and higher (API 21) support TLS 1.2 and it is enabled by default. If you do not intend to support earlier APIs, dropping support for older platforms is an option.

If you choose this option, you may have users who choose not to upgrade, or who are unable to upgrade. If you have code which prevents users from running your app on unsupported platforms, you may want to use that to force an upgrade or uninstall.

Support for TLS 1.3 and beyond

The industry moves very rapidly on security matters. IBM is dedicated to maintaining high security, and as such we are already actively planning for the upcoming TLS 1.3. We will update our clients accordingly as these updates approach.

For additional information or to answer further questions, please open a WCA support case.

Join The Discussion

Your email address will not be published. Required fields are marked *