Apple gives iOS app developers more time to encrypt communications

The iOS App Transport Security (ATS) will not become a requirement on Jan. 1, as previously announced

Apple gives iOS app developers more time to encrypt communications
Martyn Williams/IDGNS

Apple has backtracked on a plan to force iOS developers to encrypt their app communications by the end of the year.

The company had previously announced at its Worldwide Developers’ Conference in June that all apps submitted to the App Store will need support the App Transport Security (ATS) feature starting January 1st, 2017. It has not yet set a new deadline.

ATS is a feature first introduced in iOS 9 that forces apps to communicate with internet servers using encrypted HTTPS (HTTP over SSL/TLS) connections. It's an improvement over the third-party frameworks that developers previously used to implement HTTPS because it ensures that only industry-standard encryption protocols and ciphers are used.

Even if ATS is enabled by default in iOS, on a technical level app developers can disable some of its features or can opt out of it entirely through various exception settings that ATS makes available.

A recent study performed by security firm Appthority on the top 200 apps present on iOS enterprise devices showed that 97 percent of them bypassed at least some ATS requirements and weakened the default and recommended configuration.

Apple planned to include ATS compliance as a requirement in its App Store review process starting next year and to require reasonable justifications for any exceptions. However, as the Appthority study showed, many developers are unprepared to fully enable ATS in their apps.

"At WWDC 2016 we announced that apps submitted to the App Store will be required to support ATS at the end of the year," Apple said in an announcement on its developer site Wednesday. "To give you additional time to prepare, this deadline has been extended and we will provide another update when a new deadline is confirmed."

There are many reasons why developers might not be ready or even able to encrypt all of their apps' traffic. For example, many apps integrate with third-party advertising, analytics and media hosting services and the adoption of HTTPS by those services is not something that app developers can control.

As of December 22, the 3 percent ATS readiness figure among iOS apps had grown to only 5 percent, the Appthority researchers said Thursday in a blog post. "We assume that Apple, too, realized that an unacceptably high number of apps would fail to meet the ATS deadline unless it was extended."

The researchers believe that even if Apple hasn't abandoned its plans for full ATS compliance, this is not something that can be achieved very soon, which is probably why a new deadline hasn't been announced yet.

"In light of this new development, we recommend that enterprises track the state of apps’ ATS compliance and consider alternatives to apps that access sensitive corporate data and don’t secure their network connections using ATS," they said.

Copyright © 2016 IDG Communications, Inc.