Disabling TLS 1.0: Preparing Mobile SDK Apps for the Big Change

In early 2017, Salesforce will disable TLS 1.0 and will begin using TLS 1.1/1.2 exclusively. This change is slated to occur on the following schedule: 

Sandbox Instances

June 25, 2016, at 9:30 AM PDT (16:30 UTC)

Production Instances

March 4, 2017, at 9:30 AM PST (17:30 UTC)

Details for this change are publicly available in the following knowledge article:

Salesforce disabling TLS 1.0

This change will affect existing users of applications built on certain versions of Mobile SDK. To avoid loss of functionality in your app, apply the following mandatory changes to your app as soon as possible.

After TLS 1.0 is disabled on a Salesforce instance, apps that are not compliant with TLS 1.1 or 1.2 will not be able to connect to that Salesforce instance.

iOS

The iOS platform (version 5.0 or later) supports TLS 1.1/1.2 out of the box. No changes are required for Mobile SDK apps built with iOS 5.0 or later. Older apps must upgrade to a supported iOS version.

Android

Unfortunately, some work might be required to ensure that your Android applications don’t break when TLS 1.0 is disabled on a Salesforce instance. We have a fix that enforces TLS 1.1/1.2 on Mobile SDK Android applications: https://github.com/forcedotcom/SalesforceMobileSDK-Android/pull/981. This fix is available in Mobile SDK 4.0 and later.

Android Versions Affected

  • Earlier than KitKat (4.4) – Android versions older than KitKat (4.4) don’t support TLS 1.1/1.2 and therefore are no longer supported. Existing applications that target these platforms will stop working when TLS 1.0 is disabled.
  • KitKat (4.4) – Applications targeting KitKat will work with the fix mentioned above (https://github.com/forcedotcom/SalesforceMobileSDK-Android/pull/981). Be sure to apply the fix to your application and publish the fixed version to the Google Play Store before Salesforce begins to disable TLS 1.0. See Applying the Mobile SDK Fix on Android 4.4 (KitKat) for instructions on implementing the patch.
  • Lollipop (5.0) or later – Lollipop and later Android releases use TLS 1.1/1.2 by default and don’t require the Mobile SDK fix mentioned above. Existing applications that target these platforms will continue to work without changes.

 

Applying the Mobile SDK Fix on Android 4.4 (KitKat)


As an application developer, use one of the following options to ensure that your customers on KitKat aren’t affected by the TLS 1.0 disablement.

  1. Upgrade to the current version of Mobile SDK, and release a new version of your application before the Production Instances deadline shown above.
    OR
  2. Cherry-pick the pull request mentioned above (https://github.com/forcedotcom/SalesforceMobileSDK-Android/pull/981), and apply it to your local version of Mobile SDK. Release a new version of your application before the Production Instances deadline shown above.
  • Robert Strunk

    Thanks for the write up. Passing this on to help spread the word.