December 23, 2016

Apple Backtracks on 2017 Mandate for HTTPS-Only Apps

Apple issued a mandate during its 2016 Worldwide Developers Conference, requiring developers of all iOS and OS X applications in Apple’s App Store to adopt ATS, or App Transport Security. Much like HTTPS, the protocol was meant to enhance the cybersecurity inherent in apps. The deadline was set as December 31st, 2016. Now, Apple has delayed the deadline to a date unknown.

Introduced in 2015, App Transport Security (ATS) is a better security standard for networking in the Apple ecosystem. It is present by default in both iOS, Apple’s mobile operating system, and OS X, its operating system for desktops and laptops.

Essentially, ATS ensures that applications do not load resources over the legacy and vulnerable HTTP connection standard, which can be exploited by eavesdropping hackers. Instead, ATS ensures that resources are loaded through HTTPS.

Apple heralded ATS as an essential networking security feature.

“It improves privacy and data integrity by ensuring your app’s network connections employ only industry-standard protocols and ciphers without known weaknesses,” an Apple developer release read. “This helps instill user trust that your app does not accidentally leak transmitted data to malicious parties.”

However, a newly released note to developers extends the deadline for adopting the technology. While the reasons aren’t stated, it’s almost certainly because not all developers – perhaps even a majority – behind the hundreds of thousands of apps in the App Store have switched over to ATS.

The brief note, in its entirety, read:

App Transport Security (ATS), introduced in iOS 9 and OS X v10.11, improves user security and privacy by requiring apps to use secure network connections over HTTPS. At WWDC 2016 we announced that apps submitted to the App Store will be required to support ATS at the end of the year. To give you additional time to prepare, this deadline has been extended and we will provide another update when a new deadline is confirmed.

There is a marked effort by software giants like Apple and Google to push developers toward adopting and enabling HTTPS-only websites. Recently, the UK government’s websites switched over to HTTPS. Popular website Reddit also switched over to an HTTPS-only standard.

About the author

LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high-profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.
