Google offers 'short term fix' to help ad publishers bypass Apple's iOS 9 security protocol

By AppleInsider Staff

Google on Thursday informed developers of a five-line bit of code crafted to sidestep Apple's upcoming App Transport Security encryption feature in iOS 9 by creating HTTPS exceptions, which could in some cases block mobile ads from appearing.

The workaround was published to Google's official Ads Developer Blog in a post titled "Handling App Transport Security in iOS 9," a reference to Apple's upcoming privacy tool.

Apple's ATS standard is built into iOS 9 to restrict insecure and potentially nefarious code served via HTTP from infiltrating the operating system. Developers whose apps are not yet ATS-compliant could see their mobile ads blocked as a result of this tightened security, which in turn poses a threat to Google's money-making ad business.

Google said it strives to meet industry standard protocols, but can't guarantee compliance from third-party ad networks or custom code served through its own systems. Therefore, the company proposes publishers add an exception that sidesteps Apple's ATS encryption requirement to allow incoming non-HTTPS connections.

"To ensure ads continue to serve on iOS9 devices for developers transitioning to HTTPS, the recommended short term fix is to add an exception that allows HTTP requests to succeed and non-secure content to load successfully," writes Tristan Emrich, a member of Google's Mobile Ads Developer Relations team.

As noted by Re/code, the Internet search giant apparently received some flak after issuing the instruction set. In an update, Google attempted to clear the air about its intentions, explaining the post was meant to "outline some options" for developers who had asked about resource changes expected to come into effect with iOS 9.

"To be clear, developers should only consider disabling ATS if other approaches to comply with ATS standards are unsuccessful. Apple has provided a tech note describing different approaches, including the ability to selectively enable ATS for a list of provided HTTPS sites," Emrich says.

Google still advocates for strong HTTPS protection, including ATS compliance, across its product line and is not suggesting against strong encryption. Indeed, the blog post notes developers should maintain ATS compliance on the backend or move over to the secure method as soon as possible.

Google is in a conundrum, as it still serves up a healthy supply of plain HTTP ads, proceeds of which are the company's lifeblood. In the end, it seems Google doesn't want its altruistic goals impinging on its bottom line.