iOS push notifications using TLS certificate vs. using authentication tokens

For 2020, you can only realistically use the "token" method. The older approach is legacy and they will probably axe it.

Your private key will look like this

let keystring = `-----BEGIN PRIVATE KEY-----
MIGTAgEAMBMGByqGSM49Aas8d76as8das687asd687asd68as8brwUIWA46qcXis
zCu6dbd4s8d7b5s86gf98ugtr28re7089a7d6tbvpiiui524kyfpq9861eFJP7we
eE7rX4182609457ohgyj3lhgp98wfb698bfg69287f2k4htgwpo876grwo7XDklz
9fdg689d
-----END PRIVATE KEY-----`

your key id will look like this

let keyId = "CTU7XXBPRH"

and your Apple team id is your usual Apple team id, which looks like "YWD3UUTEWD".

Nowadays - thank goodness - it is relatively easy to get the private key and key id from inside your company's account on the Apple developer website.

If you want to test sending a push on an ordinary Node server on AWS, I strongly recommend this outstanding new npm, APNS2 https://www.npmjs.com/package/apns2

let bn = new BasicNotification(deviceToken, 'Hello')

It's about that easy to send pushes.

Tips:

Don't forget the damned "development/sandbox" pushes only work ON AN IPHONE TETHERED TO YOUR MAC/XCODE!

  • development/sandbox pushes - only for an iPhone tethered to your Mac with a build running from Xcode

  • production pushes - they do work completely fine with TestFlight builds.

Additionally: don't forget that the so-called development/sandbox pushes are often flakey. Often, they don't arrive for hours, they don't arrive at all, they simply don't work in many regions.

Don't forget that it is TOTALLY OK to use the "production" ones, simply, with a TestFlight app.

So

  1. Make a build
  2. Push it to your TestFlight account. Wait a few minutes as usual until the build comes through,
  3. Install it from TestFlight to your phone
  4. You will now get all the pushes - instantly!

Whereas if you

  1. Make a build
  2. Just build/run to your tethered iPhone
  3. You do NOT get any pushes.
  4. It's true that you can get the so-called "development" pushes, but they are often very flakey.

(To be clear, when using APNS2, if you do want to try "development" pushes, to order "development" pushes, simply use the extra line of code explained at the bottom here https://www.npmjs.com/package/apns2 )


Token-based authentication is newer and essentially simplifies APNS authentication. It is based on a public and private key pair that you can generate on your Apple developer account.

Here are the main reasons why it is simpler:

  • The same key can be used for development and production apps whereas different certificates are needed when using certificate-based authentication.
  • The same key is used for all your apps referenced in your Apple developer account. Certificate-based authentication needs one certificate per app.
  • The key does not expire. Certificates do expire and need to be renewed every year or so.

A good source of intel is the 2016 WWDC video regarding APNS: https://developer.apple.com/videos/play/wwdc2016/724/


In 2021, Apple's Setting Up a Remote Notification Server state

Both techniques have advantages and disadvantages, so decide which technique is best for your company.

Both Fattie and Ika have said that TLS/ Certificate based authentication is inferior. The Project UI in Firebase also uses language which doesn't explain much IMHO:

Configuration with auth keys is recommended as they are the more current method for sending notifications to iOS


Benefits of Certificate Authentication

  • Limited access certificates. Each certificate is tied to one application in your developer account and environment (development/ production). This avoids putting all your eggs in one basket, if your token auth key is compromised, a threat actor can push notifications to all your applications.
  • Simpler Provider application logic. The provider (service which interacts with APNs) (either your own server or a service you use) can just use the TLS certificate, and authenticate, without needing to create JWTs, add headers to the request or find the correct App ID to use.

Benefits of Token Authentication

  • Simpler setup process: because you only have to download a .p12 and use it your application. Go into developer.apple.com, create a Push Notification Key. However, your application has to renew these tokens every hour. Creating a .p12 for TLS authentication is a little bit more involved.
  • Does not expire, so you can set it and forget it. Whereas TLS certificates expire in 1 year by default.

The question boils down to security vs. convenience.

  • Convenience (use token auth): It's convenient to create a key and forget (token auth), and you might use Firebase (or another service) to actually renew the tokens every hour, so you don't have much work to do.
  • Security (use TLS auth): Do you really want to share the same key between all your applications? What if you want to limit the scope of a Push Notification Service Provider (e.g. Firebase, Ably, Pusher), but don't trust giving them access to all your applications. In reality, you might just have 1 application, so it does not matter.

Does this kind of even security matter, or is it just more convenient to use Token Auth? I would say in most cases, go with Token auth.