APNs Overview
The Apple Push Notification service (APNs) is the centerpiece of the remote notifications feature. It is a robust, secure, and highly efficient service for app developers to propagate information to iOS (and, indirectly, watchOS), tvOS, and macOS devices.
On initial launch of your app on a user's device, the system automatically establishes an accredited, encrypted, and persistent IP connection between your app and APNs. This connection allows your app to perform the setup it needs to receive notifications, as described in the "Configuring Remote Notification Support" section.
The other half of the connection for sending notifications, a persistent, secure channel between a provider server and APNs, requires configuration in your online developer account and the use of cryptographic certificates supplied by Apple. A provider is a server that you deploy and manage and that you configure to work with APNs. Figure 1-1 shows the delivery path for remote notifications.
Figure 1-1. Pushing a remote notification from a provider to an app
By setting up push notifications on your providers and in your app, your providers can then send notification requests to APNs. APNs conveys the corresponding notification payloads to each targeted device. On receipt of a notification, the system delivers the payload to the appropriate app on the device and manages interactions with the user.
If a notification for your app arrives when the device is powered on but the app is not running, the system can still display the notification. If the device is powered off when APNs sends a notification, APNs holds on to the notification and tries again later (for details, see the "Quality of Service, Store-and-Forward, and Coalesced Notifications" section).
Provider Responsibilities
Your provider servers have the following responsibilities for participating with APNs:
- Receiving, via APNs, globally unique, app-specific device tokens and other relevant data from instances of your app on user devices. This lets a provider know about each running instance of your app.
- Determining, according to the design of your notification system, when remote notifications need to be sent to each device.
- Building and sending notification requests to APNs, each request containing a notification payload and delivery information; APNs then sends the corresponding notifications to the intended devices on your behalf.
For each remote notification request a provider sends, it must:
- Construct a JSON dictionary with the notification's payload, as described in the "Creating the Remote Notification Payload" section.
- Attach the payload, a globally unique device token, and other delivery information to an HTTP/2 request. For information about device tokens, see "APNs-to-Device Connection Trust and Device Tokens". For information about the HTTP/2 request format and the possible APNs responses and errors, see the "Communicating with APNs" section.
- Send the HTTP/2 request to APNs, including cryptographic credentials in the form of a token or a certificate, over a persistent, secure channel.
The setup of this secure channel is described in the "Security Architecture" section.
Using Multiple Providers
Figure 1-2 shows a virtual network of providers that APNs lets you use to serve the devices running your apps. To handle the notification load, you typically deploy multiple providers, each with its own persistent and secure connection to APNs. Each provider can then send notification requests targeting any device for which the provider has a valid device token.
Figure 1-2. Pushing remote notifications from multiple providers to multiple devices

Quality of Service, Store-and-Forward, and Coalesced Notifications
Apple Push Notification service includes a Quality of Service (QoS) component that performs a store-and-forward function. If APNs attempts to deliver a notification and the target device is offline, APNs stores the notification for a limited period of time and delivers it when the device becomes available again. This component stores only the most recent notification per device and per app. If a device is offline, sending a notification request targeting that device causes the previously stored request to be discarded. If a device remains offline for a long time, any notifications stored for it in APNs are discarded.
To allow coalescing of similar notifications, you can include a collapse identifier within a notification request. Normally, when a device is online, each notification request you send to APNs results in a notification being delivered to the device. However, when the apns-collapse-id key is present in your HTTP/2 request header, APNs coalesces requests whose value for that key is the same. For example, a news service that sends the same headline twice could use the same collapse identifier value for both requests; APNs would then coalesce the two requests into a single notification for delivery to the device. For more about the apns-collapse-id key, see the description of the HTTP/2 request headers in the "Communicating with APNs" section.
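As an added illustration of the request composition steps listed under provider responsibilities and of the apns-collapse-id header just described (example code written for this page, not code from the original document or from Apple): a Go function that assembles one APNs HTTP/2 request. The host name, bundle identifier, sample token and headline are assumed values; the /3/device path and the apns-topic, apns-push-type and apns-collapse-id header names follow the APNs provider API.

```go
package main

import (
	"bytes"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
)

const apnsHost = "https://api.push.apple.com" // assumed; confirm current host names with Apple

// BuildPushRequest assembles one APNs request: JSON payload in the body, device token
// in the path, delivery metadata in headers. topic is the app's bundle identifier and
// collapseID may be "" to leave coalescing off.
func BuildPushRequest(token, topic, collapseID string, payload map[string]any) (*http.Request, error) {
	// Device tokens are opaque and variable-length: validate the hex encoding only,
	// never a fixed byte count.
	if raw, err := hex.DecodeString(token); err != nil || len(raw) == 0 {
		return nil, errors.New("device token must be a non-empty hex string")
	}
	body, err := json.Marshal(payload)
	if err != nil {
		return nil, err
	}
	req, err := http.NewRequest(http.MethodPost, apnsHost+"/3/device/"+token, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("apns-topic", topic)
	req.Header.Set("apns-push-type", "alert")
	if collapseID != "" { // requests sharing this id are coalesced into one notification
		req.Header.Set("apns-collapse-id", collapseID)
	}
	return req, nil
}

func main() {
	// Constructed sample: the same headline sent twice under one collapse identifier.
	payload := map[string]any{"aps": map[string]any{"alert": "Markets open higher"}}
	for i := 0; i < 2; i++ {
		req, err := BuildPushRequest("a1b2c3d4e5f6a7b8", "com.example.news", "headline-42", payload)
		if err != nil {
			panic(err)
		}
		fmt.Println(req.Method, req.URL.Path, req.Header.Get("apns-collapse-id"))
	}
}
```

Sending the request still requires the persistent TLS connection and the token or certificate credentials described under "Security Architecture"; this block only shows what each request must carry.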
Security Architecture
APNs provides end-to-end cryptographic validation and authentication using two levels of trust: connection trust and device token trust.
Connection trust works between providers and APNs, and between APNs and devices.
Device token trust works end to end for each remote notification. It ensures that notifications are routed only between the correct start point (the provider) and end point (the device).
A device token is an opaque NSData instance that contains a unique identifier assigned by Apple to a specific app on a specific device. Only APNs can decode and read the contents of a device token. Each app instance receives its unique device token when it registers with APNs, and must then forward the token to its provider, as described in the "Configuring Remote Notification Support" section. The provider must include the device token in each push notification request that targets the associated device; APNs uses the device token to ensure that the notification is delivered only to the unique app-device combination for which it is intended.
APNs can issue a new device token for a variety of reasons:
- The user installs your app on a new device
- The user restores the device from a backup
- The user reinstalls the operating system
- Other system-defined events
As a result, apps must request the device token at launch time, as described in "APNs-to-Device Connection Trust and Device Tokens". For code examples, see "Registering to Receive Remote Notifications".
To establish HTTP/2-based TLS sessions with APNs, you must ensure that each of your providers has the GeoTrust Global CA root certificate installed. If a provider runs macOS, this root certificate is in the keychain by default. On other systems, the certificate may require explicit installation. You can download the certificate from the GeoTrust Root Certificates website, which also offers a direct download of the certificate file.
Figure 1-3 illustrates a provider using the HTTP/2-based APNs provider API to establish trust, and using JWT provider authentication tokens to send notifications.
Figure 1-3. Establishing and using token-based provider trust
As shown in Figure 1-3, token-based provider trust works as follows:
Your provider asks for a secure connection with APNs using Transport Layer Security (TLS), represented by the arrow labeled "Start TLS" in the figure. APNs then gives your provider an APNs certificate, represented by the next arrow in the figure (labeled "APNs certificate"), which your provider then validates. At this point, connection trust is established, and your provider server is enabled to send token-based push notification requests to APNs. Each notification request your provider sends must be accompanied by a JWT authentication token, shown in the figure as the arrow labeled "Notification push". APNs responds to every push, shown in the figure as the arrow labeled "HTTP/2 response". For the specifics of the responses your provider may receive at this step, see "HTTP/2 Response from APNs".
Figure 1-4 illustrates the use of an Apple-issued SSL certificate to establish trust between a provider and APNs. Unlike Figure 1-3, this figure does not show the push notification itself, but stops at the point where the TLS (Transport Layer Security) connection is established. In the certificate-based trust scheme, push notification requests are not individually authenticated, but are validated using the attached device token.
Figure 1-4. Certificate-based provider trust
As shown in Figure 1-4, certificate-based provider-to-APNs trust works as follows:
Your provider asks for a secure connection with APNs using Transport Layer Security (TLS), represented by the arrow labeled "Start TLS" in the figure. APNs then gives your provider an APNs certificate, represented by the next arrow in the figure (labeled "APNs certificate"), which your provider then validates. Your provider must then send its Apple-issued provider certificate (which you previously obtained from your online developer account, as described in "Generate a Universal Provider APNs SSL Certificate" in Xcode Help) back to APNs, represented by the arrow labeled "Provider certificate". APNs then validates your provider certificate, thereby confirming that the connection request originated from a legitimate provider, and establishes the TLS connection. At this point, connection trust is established, and your provider server is enabled to send certificate-based push notification requests to APNs.
APNs-to-Device Connection Trust and Device Tokens
Trust between APNs and each device is established automatically, without participation from your app, as described in this section.
Each device has a cryptographic certificate and a private cryptographic key, provisioned by the operating system at initial device activation and stored in the device's keychain. During activation, APNs authenticates and validates the connection to the device based on the certificate and key, as shown in Figure 1-5.
Figure 1-5. Establishing trust between a device and APNs
As shown in Figure 1-5, APNs-to-device trust works as follows:
Trust negotiation begins when the device initiates a TLS connection with APNs, as shown by the top arrow in the figure. APNs returns an APNs certificate to the device. The operating system validates this certificate and then, as shown by the "Device certificate" arrow, sends the device certificate to APNs. Finally, as shown by the bottom arrow in the figure, APNs validates the device certificate, establishing trust. Once a TLS connection is established between APNs and the device, apps on the device can register with APNs to receive their app-specific device tokens for remote notifications. For more information and code examples, see "Registering to Receive Remote Notifications" in the "Configuring Remote Notification Support" section.
After receiving its device token, an app must connect to the app's associated provider and forward the token to it. This step is necessary because the provider must later include the device token in any notification request it sends to APNs that targets the device. The code you write to forward the token is also shown in "Registering to Receive Remote Notifications".
Whether the user is activating the device for the first time or APNs has issued a new device token, the process is similar and is shown in Figure 1-6.
Figure 1-6. Managing the device token
Receiving and handling an app-specific device token works as follows:
Your app registers with APNs for remote notifications, as shown by the top arrow. If the app is already registered and the device token has not changed, the system quickly returns the existing token to the app, and the process proceeds to step 4.
If a new device token is required, APNs generates one using information contained in the device's certificate. It encrypts the token with a token key and returns it to the device, as shown by the middle arrow on the right. The system passes the device token back to your app by calling your application:didRegisterForRemoteNotificationsWithDeviceToken: delegate method. On receiving the token, your app (within the delegate method) must forward it to your provider, in binary or hexadecimal format. Your provider cannot send notifications to the device without this token. For more information, see "Registering to Receive Remote Notifications" in the "Configuring Remote Notification Support" section.
IMPORTANT
APNs device tokens are of variable length. Do not hard-code their size.
When your provider sends a push notification request to APNs, it includes the device token, which identifies a unique app-device combination. This step is shown as the "token, payload" arrow between the provider and APNs in Figure 1-7. APNs decrypts the token to ensure the authenticity of the request and to determine the target device. If APNs determines that the sender and receiver are legitimate, it then sends the notification to the identified device.
Figure 1-7. Sending a notification from a provider to a device
After the device receives the notification (and after the final step shown in Figure 1-7), the system delivers the remote notification to your app.
Link: Apple Push Notification Service