Leveraging Mutual TLS

When communicating over TLS, the client verifies the identity of the server using certificates. However, the server can also verify the identity of the client using certificates, yielding a more trusted communication channel. This mutual authentication is known as Mutual TLS (mTLS) and, while it is a good security measure, it is a bit tricky to set up. The main problem is that the client must register itself with the server so that the server knows how to verify the clients connecting to it....

Implementing FHIR Authentication

Patients and providers can access SMART (Substitutable Medical Applications, Reusable Technologies) applications like Apple’s Health app or open Electronic Health Record (EHR) software through FHIR (Fast Healthcare Interoperability Resources). This allows health data to be shared across multiple platforms via an open standard. For mobile applications, obtaining read and/or write access to health data requires registering with the particular FHIR instance (e.g. Cerner) and requesting the correct scopes. Once authorization has been granted, you use JSON Web Tokens to call specific endpoints for data....

Implementing NFC MFA

Modern authentication workflows allow users to leverage multi-factor authentication (MFA) and sometimes passwordless authentication for a more secure experience. If using a browser (e.g. Safari via ASWebAuthenticationSession), most of this is handled for your application via WebAuthn, but if you have a native application you must implement part of the workflow yourself over USB or NFC using the ISO 7816 standard. To use NFC on iOS devices (iOS 13+), Apple provides the CoreNFC framework....

Fixing ASWebAuthenticationSession Presentation

ASWebAuthenticationSession uses a technology reserved for Apple's own use called remote view controllers, visible in the view hierarchy as:

<SFAuthenticationViewController 0x7f9d21082200>, state: appeared, view: <SFSafariView 0x7f9d21a04da0>, presented with: <_UIFullscreenPresentationController 0x7f9d21a04b10> | <SFBrowserRemoteViewController 0x7f9d21075c00>, state: appeared, view: <_UISizeTrackingView 0x7f9d1f5658e0>

Additionally, you do not get access to the view controller created when you start an authentication session; rather, you only get the opaque session object to retain until authentication is complete. This leads to an interesting problem: the controller is managed exclusively by Apple, it attempts to adapt its presentation to the application’s content, and it chooses something that does not fit your needs....

Enforcing Certificate Revocation

In addition to TLS pinning, you can also enforce that the certificate in use has not been revoked by checking the CRL or OCSP result for that certificate. To do this for NSURLSession, you need to add an additional SecPolicyRef to the SecTrustRef provided to you during the authentication challenge. The new policy is created via SecPolicyCreateRevocation and can be tweaked depending on how strict you want to be....