Secure URL Transition for Streams & Podcasts

Nov 22, 2016

At this year’s Worldwide Developers Conference (WWDC), Apple announced that they will soon require all apps to pull their content through HTTPS links, and by 2017, will no longer support apps that fail to do so.

This requirement is set to go into effect January 1, 2017, and currently, many of our apps include podcast and station stream links from servers without SSL certificates. If we do not act, we run the risk of our apps not being functional, or updates being rejected. Further, if secure links (HTTPS) are not provided by Apple's hard deadline, noncompliant podcast and stream links will need to be removed from all apps to ensure ongoing functionality and updating in 2017.

While we might not have chosen the timing, the work of securing our URLs is a critical project for our entire network to address because:

  1. iTunes will soon require HTTPS for all podcasts
  2. We currently can’t use development platforms that already require HTTPS
  3. Secure URLs will allow tighter integration of donation functionality into our apps
  4. Secure URLs will improve security for our many users

To reach this ambitious goal, NPR will soon require secure URLs for all links included in our apps, and we will stop accepting new insecure (non-HTTPS) links by December 15, 2016. Among other things, that means that you will not be able to save new insecure streams or podcasts into StationConnect and you will not be able to make changes to your current URLs until they are HTTPS-compliant.

New links will pass through a validation script that will check both the prefix of the URL, and the prefix of any embedded URLs, such as live streams listed within playlist (.pls) files or the audio URLs included in your podcast feeds. Our goal is for all URLs in StationConnect to be secure.

How this impacts Digital Services products:
We’ve begun to both secure Digital Services products themselves, and to facilitate secure URL transition for our partner stations. Both the Station Analytics System and StationConnect are products that are already secure. And we are well underway to a secure Composer 2. If you already have transitioned your website to HTTPS, you will soon be able to incorporate Composer 2 seamlessly without browser warnings.

In the short term, there are two actions to be taken:

  1.  Podcast URLs: Contact your podcast provider to get an updated podcast URL. If you are a Core Publisher station who creates podcast URLs in Core Publisher, we will be providing a secure podcast URL for you.
  2. Streaming URLs: Contact your streaming provider to get an updated streaming URL.

Once you have these updated URLs, populate them in StationConnect. New or updated URLs that are non-HTTPS will not be accepted after December 15, 2016.

For those stations with iPhone apps:
After January 1, 2017, all of your apps’ network connections will need to be over HTTPS.

  • To allow non-secure links in the meantime, you need to add a new key in an app’s .plist file. Under App Transport Security, add ‘Allow Arbitrary Loads’ and set to YES.This new key will only work for compiling against iOS 9 and will NOT work after Jan 1, 2017.

  •  You should also avoid compiling against iOS 10 unless you are HTTPS throughout, as Apple has already begun pushing this requirement on the latest OS update.

We'll continue to update you as we work with our partners at Apple to make this migration as smooth and painless as we can.