
Apple has given iOS app developers more time to encrypt app communications. The deadline expires at the end of this year. Back in June, the company announced at its Worldwide Developers Conference that every app listed on the App Store must be capable of using the App Transport Security (ATS) feature starting next year.
ATS is a feature first made available in iOS 9 that requires apps to connect to internet servers over encrypted connections. It builds on the encrypted HTTPS that developers had previously implemented themselves, and guarantees that only standard encryption protocols and ciphers are used.
Even though iOS now enables ATS automatically, app developers can still deactivate some of its features, or turn it off entirely, by using several exception settings. New research by Appthority, a security company, evaluated the top two hundred apps found on iOS devices.
The study found that 97% of these apps bypassed several ATS requirements, weakening the default and recommended configurations. As a result of this research, Apple decided to make ATS compliance a requirement in its App Store review process, starting next year. ATS compliance requires an explanation for any exceptions.
Nevertheless, the Appthority study showed that many app developers are not willing to enable ATS adequately in the apps they develop. On December 21, Apple officials stated in an announcement that they had established a deadline of the end of 2016 for all apps submitted to the App Store to support ATS.
They said that the deadline was rescheduled to give developers more time to prepare. The company will provide an update whenever a new deadline is established. Specialists argued that there may be numerous reasons why app developers might not be prepared, or even able, to encrypt the traffic of all their apps. For instance, several apps incorporate third-party marketing, media hosting or analytics services, whose use of HTTPS the app developers cannot control.
Researchers from Appthority said that ATS readiness, which stood at 3% on December 22, has since increased to approximately 5%.