Google offers 'short term fix' to help ad publishers bypass Apple's iOS 9 security protocol

Google on Thursday informed developers of a five-line bit of code crafted to sidestep Apple's upcoming App Transport Security encryption feature in iOS 9, which could in some cases block mobile ads from appearing. The code works by creating HTTPS exceptions.

The workaround was published to Google's official Ads Developer Blog in a post titled "Handling App Transport Security in iOS 9," a reference to Apple's upcoming privacy tool.

Apple's ATS standard is built into iOS 9 to prevent insecure and potentially nefarious code served via HTTP from infiltrating the operating system. Developers whose apps are not yet ATS-compliant could see their mobile ads blocked as a result of this tightened security, which in turn poses a threat to Google's money-making ad business.

Google said it strives to meet industry standard protocols, but can't guarantee compliance from third-party ad networks or custom code served through its own systems. Therefore, the company proposes publishers add an exception that sidesteps Apple's ATS encryption requirement to allow incoming non-HTTPS connections.

"To ensure ads continue to serve on iOS9 devices for developers transitioning to HTTPS, the recommended short term fix is to add an exception that allows HTTP requests to succeed and non-secure content to load successfully," writes Tristan Emrich, a member of Google's Mobile Ads Developer Relations team.

As noted by Re/code, the Internet search giant apparently received some flak after issuing the instruction set. In an update, Google attempted to clear the air about its intentions, explaining the post was meant to "outline some options" for developers who had asked about resource changes expected to come into effect with iOS 9.

"To be clear, developers should only consider disabling ATS if other approaches to comply with ATS standards are unsuccessful. Apple has provided a tech note describing different approaches, including the ability to selectively enable ATS for a list of provided HTTPS sites," Emrich says.

Google still advocates for strong HTTPS protection, including ATS compliance, across its product line and is not advising against strong encryption. Indeed, the blog post notes developers should maintain ATS compliance on the backend or move over to the secure method as soon as possible.

Google is in a conundrum, as it still serves up a healthy supply of plain HTTP ads, proceeds of which are the company's lifeblood. In the end, it seems Google doesn't want its altruistic goals impinging on its bottom line.
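For developers weighing the options described above, the following Python audit is an added example (not code from Google's post, Apple's tech note or this article) that reads an app's Info.plist and separates an app-wide ATS exception from a per-domain one. The Info.plist keys are Apple's ATS keys; the sample plists, the example.com domains, the `audit_ats` function and the severity labels are constructed for illustration.

```python
import plistlib

# Constructed Info.plist samples; the example.com hosts are placeholders.
BLANKET = b"""<plist version="1.0"><dict>
<key>NSAppTransportSecurity</key><dict>
  <key>NSAllowsArbitraryLoads</key><true/>
  <key>NSExceptionDomains</key><dict>
    <key>api.example.com</key><dict>
      <key>NSExceptionAllowsInsecureHTTPLoads</key><false/>
    </dict>
  </dict>
</dict></dict></plist>"""

SCOPED = b"""<plist version="1.0"><dict>
<key>NSAppTransportSecurity</key><dict>
  <key>NSExceptionDomains</key><dict>
    <key>ads.example.com</key><dict>
      <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
      <key>NSIncludesSubdomains</key><true/>
      <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
    </dict>
  </dict>
</dict></dict></plist>"""


def audit_ats(plist_bytes):
    """Return (severity, message) findings for ATS exceptions in an Info.plist."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity")
    if not isinstance(ats, dict):
        return []  # no ATS dictionary: iOS 9 defaults apply and HTTPS is required
    findings = []
    blanket = ats.get("NSAllowsArbitraryLoads") is True
    if blanket:
        findings.append(("high", "ATS disabled app-wide: cleartext HTTP allowed to any host"))
    for domain, cfg in sorted(ats.get("NSExceptionDomains", {}).items()):
        scope = domain + (" and subdomains" if cfg.get("NSIncludesSubdomains") else "")
        insecure = cfg.get("NSExceptionAllowsInsecureHTTPLoads")
        if insecure is True:
            findings.append(("medium", f"cleartext HTTP allowed to {scope}"))
        elif blanket and insecure is False:
            # With arbitrary loads on, a "false" entry puts ATS back for this host.
            findings.append(("info", f"ATS re-enabled for {scope}"))
        if cfg.get("NSExceptionMinimumTLSVersion") in ("TLSv1.0", "TLSv1.1"):
            findings.append(("medium", f"{scope} may negotiate {cfg['NSExceptionMinimumTLSVersion']}"))
    return findings


if __name__ == "__main__":
    for name, sample in (("blanket", BLANKET), ("scoped", SCOPED)):
        for severity, message in audit_ats(sample):
            print(f"{name}: [{severity}] {message}")
```

Run against a shipping app's Info.plist in CI, a "high" finding is the case to block on, while the per-domain findings give a list of hosts to retire as they move to HTTPS.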



81 Comments

anantksundaram 18 Years · 20391 comments

If true, how can Apple possibly allow Google to do something like this on its software!? What could Apple do other than to throw out Google altogether from iOS devices? (As a depressing aside, I have Ghostery on Mac OS web browser, and in the past few days, it has been blocking somewhere between 60-70 and sites/bots EVERY SINGLE time I go to the AppleInsider website. One of the worst sites in this regard.)

revenant 15 Years · 610 comments

bypassing security seems like something google knows quite a bit about.

ireland 18 Years · 17436 comments

Don't be evil. Unless... An advertising company, but look, their logo looks like those colourful fridge magnets!

sflocal 16 Years · 6139 comments

I finished reading Google's ATS handling. It seems to only be limited to apps that communicate using nonsecure HTTP connections. I hate Google in general, but even their paper says that they want people to start upgrading their apps to use encrypted HTTPS connections, and if that is done, everything will be fine and no "workarounds" will be needed.

Am I missing something? It's more like Google is telling app developers to update their apps to be more current and secure.