
Configure Amazon SNS for Mac and iOS APNs Development

Amazon SNS makes implementing Apple Push Notifications (APNs) a breeze. This might seem like a longer article but it’s really not as many steps as it seems (although buttons on web pages move around a lot so ymmv for specific words in button names). There are a few main steps that we’ll go through: creating a cert in Keychain, generating a Push Notifications cert with the appropriate bundle ID and team ID, and adding an application instance. Note that these differ for Mac and iOS: if doing both, use iOS, and if doing one for each, use the appropriate entry.

Create a Cert in Keychain

First, we’ll create a local certificate in the Keychain Access application. This is used to generate an aps.cer on the Apple certificates portal (and is basically a throwaway once we’re done with the process). To start, open Keychain Access and under the Keychain Access menu, select Certificate Assistant and then “Request a Certificate From a Certificate Authority…”

At the Certificate Assistant, choose “Saved to disk” in the “Request is:” field. Provide a business email address and then provide a Common Name (e.g. App Name followed by Push Certificate). Click Continue.

When prompted for a place to save the certificate, choose a place that’s easy to select in the next few steps and then click Save.

Create a Push Certificate for the App on developer.apple.com

Next, log in to the Apple Developer Portal (developer.apple.com). Scroll to the footer of the page and click on “Certificates, IDs, & Profiles”.

At the Certificates, Identifiers, & Profiles Screen, click Certificates, and then click on the plus sign to create a new cert. There are a lot of types of certificates and for some developers there are a lot of apps so make sure these next steps match up properly. First, scroll down to the “Apple Push Notification service SSL (Sandbox & Production)” option in Services. This specifies that the cert will be used to send an APN (or hundreds of thousands of them). Click Continue.

Click on Choose File.

Select the certificate created in the previous section, which if formatted properly will appear in the dialog once selected. Click Continue.

Once the certificate is created, click on Download to download a .cer to the computer. Keep this file safe.

Once the certificate is downloaded, it will be a .cer but we need a .p12 to load into AWS (or a .p8 if doing their token-based flow). Double-click the cert to import it into Keychain Access and then control-click (or right-click if that’s your jam) on the cert and click on Export for the certificate. (Alternatively, certs can be converted to a .pfx/certificate pair with the openssl command, but this way is easier.)

Select a place to export the certificate to and click Save.

Provide a password for the certificate (this will be used to decrypt the .p12 on the AWS site).

Now it’s time to head over to the AWS console at http://aws.amazon.com to set up an SNS instance.

Set Up AWS SNS

At the AWS Console, select the Simple Notification Service (or SNS for short) with an account that has access to set up a new service (one that potentially has a billing consequence). At the Amazon SNS screen, click Push Notifications and then “Create platform application” to set up a new instance of SNS (keep in mind that if there are multiple versions of the app, like for iOS and Mac, then new certs will need to be generated and this whole article repeated for each).

At the “Create platform application” screen, provide a name in the “Application name” field (might wanna add iOS or Mac if there’s one of each) and then select “Apple iOS/VoIP/MacOS” in the “Push notification platform” field.

Select iOS or macOS in the “Push service” field and select Certificate (there’s a whole flow for Token-based stateless authentication but not really going there for this app). Click the Choose file box.

At the browse dialog, select the .p12 cert created earlier and then click on the Upload button.

Once there’s a green checkbox by the name, provide the certificate password in the password field and then (and this is important) click on the “Load credentials from file” button.

If the credential worked, the Certificate and “Private key” fields will each have the traditional BEGIN CERTIFICATE section followed by a big long string.

The ARN is then listed in the dialog (this one is hidden but it’s easy to copy and paste) along with the expiration date pulled from the cert that was imported. Admins can always use the Edit button to set up rates or CloudWatch integration for troubleshooting.
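The same .p12 can be checked from Terminal with the openssl command mentioned in the export step. This is an added example, not part of the original article: it pulls out the certificate and private key that “Load credentials from file” displays, confirms they belong together, and checks the expiration date. The P12_PASS variable, the function names and the 30-day threshold are assumptions.

```bash
#!/usr/bin/env bash
# Added example: checks on an exported APNs .p12 before it goes to SNS.
# The export password is read from $P12_PASS (assumed variable name) so it
# is not passed as a command-line argument visible in the process list.

# Leaf certificate from the .p12 ($1) as PEM.
p12_cert() {
  openssl pkcs12 -in "$1" -passin env:P12_PASS -clcerts -nokeys 2>/dev/null |
    openssl x509 2>/dev/null
}

# Private key from the .p12 ($1) as PEM; stays in a pipe, never hits disk.
p12_key() {
  openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts -nodes 2>/dev/null
}

# Subject and notAfter, to compare by eye with the bundle ID and team ID.
p12_summary() {
  p12_cert "$1" | openssl x509 -noout -subject -enddate
}

# Succeeds only if the private key in the bundle belongs to the certificate.
p12_key_matches() {
  p12_cert_pub=$(p12_cert "$1" | openssl x509 -noout -pubkey 2>/dev/null)
  p12_key_pub=$(p12_key "$1" | openssl pkey -pubout 2>/dev/null)
  [ -n "$p12_cert_pub" ] && [ "$p12_cert_pub" = "$p12_key_pub" ]
}

# Succeeds if the certificate is still valid $2 days from now.
p12_valid_for() {
  p12_cert "$1" |
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Run every check in order and stop at the first failure.
p12_check() {
  p12_summary "$1" || { echo "cannot read $1 (wrong password?)" >&2; return 1; }
  p12_key_matches "$1" || { echo "key does not match certificate" >&2; return 1; }
  p12_valid_for "$1" 30 || { echo "certificate expires within 30 days" >&2; return 1; }
}

# Usage: P12_PASS='...' ./check-p12.sh aps.p12
[ $# -eq 0 ] || p12_check "$1"
```

With OpenSSL 3, a .p12 exported from Keychain Access may need `-legacy` added to the two `openssl pkcs12` calls, because the export can use older encryption algorithms.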

Now that there’s a cert and an ARN, check out Amazon’s GitHub to set up Swift Package Manager to point to https://github.com/aws-amplify/aws-sdk-ios-spm per https://github.com/aws-amplify/aws-sdk-ios or use the AWS Amplify app to bring in the SDK. Import AWSSNS into the AppDelegate.swift:

import AWSSNS

From there, there are plenty of fields to look through (and documentation to read) in order to send APN messages to, as an example flow, all devices for a given user. CustomUserData is your friend there. The simplest next step is a hello world type of push alert. There are plenty of examples for that kind of thing on GitHub/Google. While troubleshooting, https://github.com/qeude/Swush can be used to send directly, so it’s a nice option to bypass Amazon SNS and see if there’s something happening elsewhere in an app ecosystem.