Apple Discontinues UIWebView for iOS - As of December 31, UIWebView Will Not Work

At Cardinal, we’re always making sure you don’t get surprised by outside updates that can impact your authentication flow. Read on to see what you can do to avoid these errors.

Summary

Apple has decided to replace one type of web control with another. Merchants can switch to the new control or change to a mobile SDK to ensure applications continue to work as expected. Apple will no longer allow applications on the App Store that include the UIWebView control. More details on timelines and potential solutions can be found below.

What changed and how was I affected?

Apple is no longer accepting new mobile applications that embed web content in a UIWebView control as of April, 2020. This control will be accepted in updates to existing applications until December, 2020.

Developers often use a UIWebView control when displaying HTML content in an iOS application. For example, when a customer adds items to their cart and begins the checkout process, this control may be used to provide a consistent checkout process between web and mobile applications. If this control is being used, it is important to note that it will not be accepted in new versions of the application by the App Store after December, 2020.

The replacement control, WKWebView, is designed to address some of the security concerns with the UIWebView control. One of the key differences is the behavior of a hidden web view: the WKWebView will not load a URL unless the web view is visible. This means that a hidden browser cannot run JavaScript to communicate with a backend or to collect data. If your application is collecting or using data from the device in a hidden UIWebView, this will no longer work after switching to a WKWebView and could result in higher challenge or step-up rates during authentication.

What can be done to remedy the situation?

For your mobile application to be accepted by Apple, you will need to replace any UIWebViews with WKWebViews.
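One way to find what needs replacing, as an added example that is not Cardinal's or Apple's tooling: a shell function that lists source files and prebuilt binaries under a project root that still contain the string `UIWebView`. The sample tree, the `PaySDK` framework name and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: list files under a project root that still reference UIWebView.
# Output: one "<kind> <path>" line per file; kind is "source" or "binary".
find_uiwebview() {
    root=$1
    # Your own code: source, headers and Interface Builder documents.
    find "$root" -type f \( -name '*.swift' -o -name '*.m' -o -name '*.mm' \
        -o -name '*.h' -o -name '*.xib' -o -name '*.storyboard' \) \
        -exec env LC_ALL=C grep -l 'UIWebView' {} + |
        while IFS= read -r f; do printf 'source %s\n' "$f"; done
    # Prebuilt third-party code: class names survive as strings in compiled
    # binaries, so a vendored SDK can carry the reference even when the
    # application's own source no longer does.
    find "$root" -type f \( -name '*.a' -o -name '*.dylib' \
        -o -path '*.framework/*' \) ! -name '*.h' \
        -exec env LC_ALL=C grep -l 'UIWebView' {} + |
        while IFS= read -r f; do printf 'binary %s\n' "$f"; done
}

# Constructed sample tree (not a real project) so the script runs offline.
# "PaySDK" is a hypothetical vendored framework.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/App" "$d/Vendor/PaySDK.framework"
    printf 'import UIKit\nlet legacy = UIWebView()\n' > "$d/App/Checkout.swift"
    printf 'import WebKit\nlet view = WKWebView()\n' > "$d/App/Receipt.swift"
    # Fake binary: Mach-O magic bytes followed by an Objective-C class symbol.
    printf '\317\372\355\376\000_OBJC_CLASS_$_UIWebView\000' \
        > "$d/Vendor/PaySDK.framework/PaySDK"
    printf '%s\n' "$d"
}

sample=$(make_sample)
find_uiwebview "$sample"
rm -rf "$sample"
```

A `binary` hit means the reference comes from a dependency, which has to be updated or removed rather than patched in the application's own code.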

Option 1: Use the Cardinal Mobile SDK (CMSDK) for EMV® 3-D Secure (EMV 3DS) authentication

The Cardinal Mobile SDK is simple to integrate and is API-driven, so there would be no need for a web view to complete authentication. For EMV 3DS, using an SDK is the required method for authenticating a Card Not Present (CNP) transaction within a mobile application.

Option 2: Use WKWebView for 3-D Secure (3DS) 1.0 authentication

Since the web view is visible to the consumer, a WKWebView can be used. However, it is important to note that many regions and/or card networks strongly recommend EMV 3DS over 3DS 1.0. For more information on the payment networks’ transitions to EMV 3DS, see this listing of important dates.

Option 3: Discontinue use of Quick Authentication in mobile applications

Quick Authentication allows the application to send a Bank Identification Number (BIN) to Cardinal Centinel for use by the ACS in running additional risk analysis. The BIN is combined with data collected by the Method URL or the CMSDK to enable risk scoring. This functionality was meant to allow scoring similar to EMV 3DS, but in a 3DS 1.0 environment.

Because Quick Authentication relies on a hidden web view to collect data from the mobile device, WKWebView will not be useful for this purpose. The Cardinal Mobile SDK will no longer support Quick Authentication as of 12/31/2020, though it will continue to be supported for web browser transactions.

The recommended replacement is to run an EMV 3DS transaction where possible in a mobile application, or a 3DS 1.0 transaction where that is not possible.

Additional information

As we discussed, recent changes in Apple’s App Store policies may affect you. We have outlined a few possible solutions based on the most common situations. If you have any questions, let’s talk. We’re here to help.

Visit https://www.cardinalcommerce.com/about/contact or call +1.440.352.8444

You can also reference the sites below for more info on updates and what you need to know.

We’d like to thank our guest contributor, Brian Brotherton, for this blog packed full of useful information. Brian is a Sr. Technical Product Manager at Cardinal and a former developer turned huge supporter of all agile and lean methodologies. His spare time is spent with his wife, small boys, and making full use of our local parks for hiking and outdoor activities. Sidebar: Brian’s interest in technology started by watching science fiction! Stay tuned for more technical blogs in the near future!

All brand names, logos and/or trademarks are the property of their respective owners, are used for identification purposes only, and do not necessarily imply product endorsement or affiliation with Visa.

EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo, LLC.