SecureMac, Inc.

Apple Moves to Enforce Secure In-App Web Connections in 2017

December 21, 2016

Apps on iOS devices are about to become a lot more secure overall in the approaching new year, and it all has to do with the groundwork laid by Apple several years ago. Way back in iOS 9, Apple took the step of requiring a secure HTTP connection from apps requesting pages via the Internet. Known as App Transport Security, or ATS, this feature prevents apps from creating insecure connections to the web. These types of connections, as we know, pose a potentially severe security threat and increase the risk of falling victim to a “man in the middle” attack. However, until now, use of ATS has been entirely optional.

Starting on January 1, 2017, Apple will require all new and existing apps to conform to its ATS standards. New creations submitted for review to the App Store must take advantage of HTTPS connectivity, and current store residents will also be asked to bring their code up to date with the new requirements. While this could result in some initial hiccups, such as the web briefly being inaccessible via apps, the overall effect is quite positive for the security of Apple’s end users.

The protective layer of security that HTTPS offers to users isn’t perfect, but it’s a huge step up from having no encryption at all. Apple’s standard ATS framework for connecting securely gives app developers a direct way to protect user web traffic. Previously, developers were forced to rely on more error-prone solutions that were less than ideal. Overall, enforcing ATS allows user-specific information to remain safe and encrypted.

How successful the implementation process will be remains to be seen. In one review of 200 popular apps on the store, more than eighty percent currently don’t fully comply with the ATS standard. There is even some concern from developers that they will not be able to transition their software in time. Whether Apple will widen exceptions or lengthen the compliance window is also unknown at present.

Despite the potential logistical issues, the move is overall a further sign of Apple’s commitment towards enhancing privacy for the end user. Non-compliant apps won’t immediately cease to work, however. Rather than instituting system-level controls, Apple will be turning a more watchful eye towards its review process, allowing for some flexibility as publishers bring their apps up to date.
