Apple to Start Requiring HTTPS for iOS Apps
You’re browsing the Internet, and you take a glance up at the address bar. What do you see? In most cases, the first characters in the URL of the website you are looking at will be “HTTPS.” HTTPS, or HTTP Secure, is the secure version of the Hypertext Transfer Protocol. The protocol allows for communication over a computer network, with those communications encrypted by either Transport Layer Security (TLS) or its predecessor, Secure Sockets Layer (SSL). On the Internet, HTTPS allows for private and safe exchange of data between a website and a user’s machine.
HTTPS is already standard on the web, but thanks to Apple, the protocol will soon be commonplace somewhere else: iOS apps. At this year’s Worldwide Developers Conference in June, Apple announced its intention to require the majority of iOS apps to use HTTPS for secure network communications. App developers have until January 1st of next year to comply with the new requirement.
Apple’s move toward near-universal iOS app encryption isn’t surprising. A year ago, with the release of iOS 9.0, Apple unveiled App Transport Security (ATS). According to Apple, this feature “improves the privacy and data integrity of connections between an app and web services by enforcing additional security requirements for HTTP-based networking requests.” With ATS enabled, then, apps would only be able to connect with HTTPS-enabled websites. If apps tried to connect to sites or services lacking HTTPS, the connections would fail—at least while ATS was enabled. The catch was that developers were free to switch off ATS for their apps if they wished to do so.
Starting in January 2017, app developers will no longer have the option to disable ATS. In other words, the majority of apps hosted on the App Store will only be able to connect to websites that use the HTTPS protocol.
For users, this change sounds like nothing if not good news. In the past, it’s been difficult to tell if the sites that apps sometimes send you to are legitimate and secure. With required ATS implementation, iOS apps will be able to offer more reliable security protection of user data, photos, passwords, and more.
However, as a report from Sophos Naked Security noted, this change could have an adverse impact on a fair number of developers. HTTPS-enabled websites are more expensive than regular HTTP sites, and many developers are startups running lower-cost sites that don’t have HTTPS in place yet. Sophos also noted that some developers could be using “sites linked to devices or embedded hardware” that would be impossible to upgrade to HTTPS. Others, meanwhile, could be relying on public databases and would therefore be unable to control whether or not those sites move to HTTPS by January.
The Sophos report also noted that Apple doesn’t plan on requiring all iOS apps to use ATS, just most of them. It will be interesting to see which programs or developers get the exemption.