Apple Delays Enforcement of Secure In-App Web Connections in 2017
Update: In response to developer concerns about meeting the ATS deadline, Apple has extended the timeframe for compliance. Click here to read more on the latest developments in this process.
—
Apps on iOS devices were about to become a lot more secure overall in the approaching new year, but Apple has pushed back its deadline in a late announcement. What’s this about, you might ask? Well, it all has to do with groundwork laid several years ago, way back in iOS 9. In that update, Apple took the step of requiring a secure HTTP connection from apps requesting pages via the Internet.
Known as App Transport Security, or ATS, this feature prevents apps from creating insecure connections to the web. These types of connections pose a potentially severe security threat and increase the risk of falling victim to a “man in the middle” attack. So far, though, using ATS has been entirely optional with numerous apps using exceptions to serve ads.
Until now, Apple intended to require all new and existing apps to conform to their ATS standards correctly starting January 1, 2017. New creations submitted for review to the app store would have to utilize HTTPS connectivity, and current store residents would also be asked to bring their code up to date with the new requirements. Many developers protested that this deadline was too soon and that a huge number of apps would not be ready and ATS-compliant.
A look through the App Store reveals that to be true. In one review of 200 popular apps across the store, more than 80% currently do not comply with ATS standards entirely. After receiving so much feedback about the strenuous transition process, Apple has agreed that the January 1 deadline was too soon. In a statement made through their Developer News site, Apple announced that it was indefinitely delaying the deadline to provide more time for compliance efforts. With the potential security benefits for the company’s end users, the provision of more time is a wise move.
The protective layer of security that HTTPS offers to users isn’t perfect, but it’s a huge step up from having no encryption at all. Apple’s ATS framework gives app developers a direct way to protect user web traffic. Previously, developers were forced to rely on more error-prone solutions that were less than ideal. Overall, enforcing ATS allows user-specific information to remain safe and encrypted.
Despite the logistical issues, the move towards ATS compliance is a further sign of Apple’s commitment to enhancing user privacy. (the “commitment to privacy” is a great / strong statement to end on.
Original sources:
http://www.pcworld.com/article/3147513/security/app-developers-not-ready-for-ios-transport-security-requirements.html
https://appdevelopermagazine.com/4664/2016/11/30/How-Apple’s-mandatory-iOS-App-Transport-
Update source:
http://appleinsider.com/articles/16/12/21/apple-extends-app-transport-security-deadline-into-2017